CVE-2019-12735 question

Question

Does anyone know if the Windows versions (pre 8.1.1365) of VIM (https://www.vim.org/download.php#pc) are vulnerable, per CVE-2019-12735?

Everything I have read always mentions LINUX, and many LINUX commands would be harmless on Windows, but I assume malicious people could just as easily include Windows commands, yes?

What think ye?

As stated in the vulnerability page the issue has been fixed in Vim 8.1.1365, so theoretically the download page points to the latest, non vulnerable version. However to be sure you can still download it and check that the version is greater than 8.1.1365 using :version — statox, Jun 21 '19 at 14:45
That is where things get confusing. I installed the latest Windows VIM, and it is VIM 8.1.1568, so it should be safe. What I was more interested in, and I was unclear, is if the exploit even works on the Windows version pre 8.1.1365. If the commands are crafted as an LINUX command, such as "rm -rf /", Windows may not be vulnerable. But I guess the coder could just include Windows commands just as easily as LINUX, I am thinking Windows is vulnerable. Would you concur that Windows would be vulnerable as well? — jgranto, Jun 21 '19 at 15:07
yes, windows would be vulnerable as well. If you want to make sure, use an up-to-date installation from https://github.com/vim/vim-win32-installer — Christian Brabandt, Jun 22 '19 at 10:16

score 1 · Answer 1 · answered Jun 22 '19 at 17:01

Yes, the Windows version of Vim is still vulnerable to CVE-2019-12735, so you should upgrade your Vim to version 8.1.1365 or later as soon as possible.

While most exploits are probably targeting Linux and Macs with shell commands such as rm -rf etc., nothing prevents using a cmd.exe or Powershell command there that would work on Windows.

Vim on Windows is definitely not as popular as on Linux and Mac (where it's always shipped by default), it is possible that exploits for Windows are not to be found in the wild as much or as often as those that target Linux or Mac... But as explained above, exploits are still possible and you should upgrade your Vim.

Version 8.1.1365 is the first one with the fix, use the :version command to check the version you're running and make sure it's at least as high as that.

CVE-2019-12735 question

1 Answers1