Vulnerability in Vim allowed code execution when opening a TXT file


A new vulnerability has been fixed in text editors that come preinstalled in various Linux distributions. It was found in the Vim and Neovim text editors (CVE-2019-12735).

The flaw found in these editors allows attackers to take control of computers when users open a malicious text file. The problem appears when the modeline feature is enabled, as it is by default (":set modeline"); this feature lets you define editing options inside the file being processed.

Vim and its fork NeoVim contained a flaw that resided in modelines. This feature allows users to specify window dimensions and other custom options near the start or end of a text file.

The feature is enabled by default in versions before Vim 8.1.1365 and Neovim 0.3.6 and applies to all file types, including .txt files.

About the vulnerability in Vim

Through a modeline, only a limited number of options can be set. If an expression is given as an option value, it runs in sandbox mode, which allows only the simplest safe operations.

At the same time, the ":source" command is among those allowed, and with it you can use the "!" modifier to run arbitrary commands from the specified file.

Therefore, to execute code, it is enough to place in the modeline a construction of the form "set foldexpr=execute('\:source! some_file'):". In Neovim, the execute call is forbidden, but assert_fails can be used instead.

The sandbox, for its part, is designed to prevent side effects:

The 'foldexpr', 'formatexpr', 'excludeexpr', 'indentexpr', 'statusline' and 'foldtext' options may all be evaluated in a sandbox. This means that you are protected from these expressions having nasty side effects. This gives some safety when these options are set from a modeline.

While modelines restrict the available commands and run them in an environment isolated from the operating system, researcher Armin Razmjou noticed that the :source! command bypasses this protection:

"It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left," the researcher wrote in a message published earlier this month.

Thus, one can trivially construct a modeline that runs code outside the sandbox.

The post includes two proof-of-concept text files, one of which graphically illustrates the threat.

One of them opens a reverse shell on the computer running Vim or NeoVim. From there, attackers could launch commands of their choice on the compromised machine.

"This PoC outlines a real-life attack approach in which a reverse shell is launched once the user opens the file," Razmjou wrote. "To conceal the attack, the file will be immediately rewritten when opened. Also, the PoC uses escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content.)"

The command execution vulnerability requires the standard modeline functionality to be enabled, as it is by default in some Linux distributions. The flaw is found in Vim before version 8.1.1365 and in Neovim before version 0.3.6.
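
As an added illustration (not code from the original article or from the Vim project), the following Python sketch scans the lines an editor inspects for modelines and flags those that set an expression option, use the constructs named above, or contain escape bytes that plain cat would hide. The function name scan, the sample bytes and the default of five inspected lines at each end of the file are assumptions of this example.

```python
import re

# Expression options Vim may evaluate in the sandbox when a modeline sets them
# (long names plus their standard short forms).
EXPR_OPTS = {"foldexpr", "fde", "formatexpr", "fex", "includeexpr", "inex",
             "indentexpr", "inde", "statusline", "stl", "foldtext", "fdt"}
# Constructs the article names as the way out of the sandbox.
ESCAPE_CALLS = re.compile(rb"source\\?!|execute\s*\(|assert_fails\s*\(")
# "vi:", "vim:", "Vim:", "ex:" (optionally "vim<N>:"), preceded by whitespace
# or at the start of the line.
MODELINE = re.compile(rb"(?:^|\s)(?:vi|[Vv]im(?:[<=>]?\d+)?|ex):\s*(.*)$")
OPTION = re.compile(rb"([A-Za-z]+)\s*[+^-]?=")

def scan(data: bytes, modelines: int = 5):
    """Return [(line_no, [reasons])] for suspicious modelines in data."""
    lines = data.splitlines()
    n = len(lines)
    # Only the first and last `modelines` lines are inspected by the editor.
    inspected = sorted(set(range(min(modelines, n))) |
                       set(range(max(0, n - modelines), n)))
    findings = []
    for i in inspected:
        m = MODELINE.search(lines[i])
        if not m:
            continue
        body, reasons = m.group(1), []
        opts = {o.decode() for o in OPTION.findall(body)} & EXPR_OPTS
        if opts:
            reasons.append("expr-option:" + ",".join(sorted(opts)))
        if ESCAPE_CALLS.search(body):
            reasons.append("sandbox-escape-call")
        if b"\x1b" in lines[i]:  # ESC byte: invisible with cat, shown by cat -v
            reasons.append("escape-sequence")
        if reasons:
            findings.append((i + 1, reasons))
    return findings

# Constructed sample input, using the placeholder form quoted in the article.
SAMPLE = (b"meeting notes\n"
          b"# vim: set ts=4 sw=4 et:\n"
          b"# vim: set foldexpr=execute('\\:source! some_file'):\n")

if __name__ == "__main__":
    for line_no, reasons in scan(SAMPLE):
        print(f"line {line_no}: {', '.join(reasons)}")
```

A finding is a reason to inspect the file with cat -v before opening it in an editor that is older than the fixed versions or has modelines enabled.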

This advisory from the National Vulnerability Database of the National Institute of Standards and Technology shows that the Debian and Fedora Linux distributions have begun releasing fixed versions.

Among distributions, the problem is fixed in RHEL, SUSE/openSUSE, Fedora, FreeBSD, Ubuntu, Arch Linux and ALT.

The vulnerability remains unfixed in Debian (in Debian modeline is disabled by default, so the vulnerability does not appear in the default state).

The latest version of macOS continues to use a vulnerable version, although the attacks only work when users have changed a default setting that has the modeline feature enabled.

