Add a note about VIM's modeline support. This will instruct users

that do not need the modeline support to disable it, since it contained remote vulnerabilities. Reviewed by: simon Approved by: portsmgr (blanket, secteam), obrien (maintainer)
svn path=/head/; revision=140893
2024-12-29 05:38:00 +00:00 · 2005-08-16 16:48:41 +00:00 · 2005-08-16 16:48:41 +00:00 · ec9063b927 · 2021-03-31 03:12:20 +00:00
commit ec9063b927
parent a02d5df600
2 changed files with 9 additions and 0 deletions
--- a/editors/vim/Makefile
+++ b/editors/vim/Makefile
@ -173,6 +173,9 @@ post-install:
 	${ECHO_CMD} "x!"				>> ${WRKDIR}/ex.script
 	${CP} -p ${TMPPLIST} ${TMPPLIST}.pre-share-vim
 	cd ${WRKDIR} ; ex < ex.script
+	@${ECHO_CMD}
+	@${CAT} ${PKGMESSAGE}
+	@${ECHO_CMD}

 cklatest:
 	@-ncftpls \
--- a/editors/vim/pkg-message
+++ b/editors/vim/pkg-message
@ -0,0 +1,6 @@
+SECURITY NOTE: The VIM software has had several remote vulnerabilities
+discovered within VIM's modeline support.  It allowed remote attackers to
+execute arbitrary code as the user running VIM.  All known problems
+have been fixed, but the FreeBSD Security Team advises that VIM users
+use 'set nomodeline' in ~/.vimrc to avoid the possibility of trojaned
+text files.