[conspire] (forw) Re: [GoLugTech] Fw: [PLUG] vim and neovim bug

Michael Paoli Michael.Paoli at cal.berkeley.edu
Thu Jun 13 20:50:55 PDT 2019


> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: [conspire] (forw) Re: [GoLugTech] Fw: [PLUG] vim and neovim bug
> Date: Thu, 13 Jun 2019 16:41:54 -0700

> ----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
>
> Date: Thu, 13 Jun 2019 16:40:57 -0700
> From: Rick Moen <rick at linuxmafia.com>
> To: tech at golug.org
> Subject: Re: [GoLugTech] Fw: [PLUG] vim and neovim bug
> Organization: If you lived here, you'd be $HOME already.
>
> Quoting Steve Litt via Tech (tech at golug.org):
>
>> This doesn't sound good:
>> https://threatpost.com/linux-command-line-editors-high-severity-bug/145569/
>
> Rule of thumb:  If you're never going to use a feature in public-facing
> software, turn it off.  I have no use for modeline support, do you?
>
> https://www.techrepublic.com/blog/it-security/turn-off-modeline-support-in-vim/
>
> Locally:
> :r! grep modeline .vimrc
> set nomodeline
>
> Back when I ran Ops for a merchant bank operation (my firm's
> subsidiary that did online credit-card processing), I basically
> had to read CVEs as part of my job (to pass PCIDSS auditing every three
> months), and I can't tell you how many CVEs we just didn't have to worry
> about because it was an attack against some baroque software feature
> we'd already disabled.

And of course [n]vi lacks that (mis)feature.  :-)
Yes, more material for vim annoyances.
http://www.rawbw.com/~mp/linux/vim/vim_annoyances.txt
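
Added example (not part of the original posts): a shell function that extends the one-line grep check quoted above to several rc files, reporting whether plain ":set" lines leave modeline processing on, off, or unset. The function name modeline_state and the sample files are constructed for illustration; it assumes only ":se"/":set" lines matter and does not evaluate plugins, autocommands, ":setlocal" or "set modeline!" toggles.

```shell
#!/bin/sh
# modeline_state FILE...  (hypothetical helper, added example)
# Prints "on", "off" or "unset" for the modeline option after reading the
# rc files in the order given; later files and later lines win.
# "unset" means no file sets it, so the built-in or distribution default applies.
modeline_state() {
    [ "$#" -gt 0 ] || { echo unset; return 0; }
    # cat skips unreadable files; awk tracks the last relevant directive.
    cat -- "$@" 2>/dev/null | awk '
        BEGIN { ml = "unset"; zero = 0 }
        /^[ \t]*"/ { next }                      # full-line comment
        {
            line = $0
            sub(/^[ \t:]*/, "", line)            # leading blanks, optional colon
            if (line !~ /^set?[ \t]/) next       # only :se and :set
            n = split(line, word, /[ \t]+/)
            for (i = 2; i <= n; i++) {
                w = word[i]
                if (w ~ /^"/) break              # trailing comment
                if (w == "nomodeline" || w == "noml") ml = "off"
                else if (w == "modeline" || w == "ml") ml = "on"
                else if (w ~ /^(modelines|mls)=[0-9]+$/) {
                    sub(/^[a-z]+=/, "", w)
                    zero = (w + 0 == 0)          # modelines=0: no lines are checked
                }
            }
        }
        END { if (zero) print "off"; else print ml }'
}

# Constructed sample rc files, so the check runs without touching real config.
demo_dir=$(mktemp -d)
printf '%s\n' '" constructed system-wide rc' 'set modeline' > "$demo_dir/vimrc"
printf '%s\n' '" constructed user rc' 'set nomodeline' > "$demo_dir/dot_vimrc"
echo "system rc only:      $(modeline_state "$demo_dir/vimrc")"
echo "system rc + user rc: $(modeline_state "$demo_dir/vimrc" "$demo_dir/dot_vimrc")"
rm -rf "$demo_dir"
```

On a real host, pass the system-wide rc first and the user's .vimrc last, since that is the order in which the settings override each other.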



