Subject: [ASA-201707-19] gvim: arbitrary code execution Arch Linux Security Advisory ASA-201707-19 ========================================== Severity: High Date : 2017-07-18 CVE-ID : CVE-2017-11109 Package : gvim Type : arbitrary code execution Remote : No Link : https://security.archlinux.org/AVG-347 Summary ======= The package gvim before version 8.0.0722-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 8.0.0722-1. # pacman -Syu "gvim>=8.0.0722-1" The problem has been fixed upstream in version 8.0.0722. Workaround ========== None. Description =========== Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. Impact ====== An attacker is able to execute arbitrary code by tricking a user to locally execute a specially crafted vim source file. References ========== https://bugs.archlinux.org/task/54773 https://bugzilla.redhat.com/show_bug.cgi?id=1468492 https://www.mail-archive.com/vim_dev%40googlegroups.com/msg45274.html https://security.archlinux.org/CVE-2017-11109