NixOS · Jun 6, 2019 · Jun 6, 2019
diff --git a/pkgs/applications/editors/neovim/default.nix b/pkgs/applications/editors/neovim/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, cmake, gettext, msgpack, libtermkey, libiconv
+{ stdenv, fetchFromGitHub, fetchpatch, cmake, gettext, msgpack, libtermkey, libiconv
 , libuv, luaPackages, ncurses, pkgconfig
 , unibilium, xsel, gperf
 , libvterm-neovim
@@ -20,6 +20,15 @@ let
       sha256 = "19jy9nr2ffscli6wsysqkdvqvh7sgkkwhzkw3yypfrvg4pj9rl56";
     };
 
+    patches = [
+      # Arbitrary code execution fix
+      # https://github.com/numirias/security/blob/cf4f74e0c6c6e4bbd6b59823aa1b85fa913e26eb/doc/2019-06-04_ace-vim-neovim.md
+      (fetchpatch {
+        url = "https://github.com/neovim/neovim/pull/10082.patch";
+        sha256 = "0g4knlpaabbq6acqgqm765b1knqv981nk2gf84fmknqnv4sgbsq2";
+      })
+    ];
+
     enableParallelBuilding = true;
 
     buildInputs = [

diff --git a/pkgs/applications/editors/vim/0001-source-command-doesnt-check-for-the-sandbox-5357552.patch b/pkgs/applications/editors/vim/0001-source-command-doesnt-check-for-the-sandbox-5357552.patch
@@ -0,0 +1,31 @@
+From 53575521406739cf20bbe4e384d88e7dca11f040 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 22 May 2019 22:38:25 +0200
+Subject: [PATCH] patch 8.1.1365: source command doesn't check for the sandbox
+
+Problem:    Source command doesn't check for the sandbox. (Armin Razmjou)
+Solution:   Check for the sandbox when sourcing a file.
+---
+ src/getchar.c               | 6 ++++++
+ src/testdir/test_source.vim | 9 +++++++++
+ src/version.c               | 2 ++
+ 3 files changed, 17 insertions(+)
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 9379a6a8d4..debad7efd2 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -1407,6 +1407,12 @@ openscript(
+ 	emsg(_(e_nesting));
+ 	return;
+     }
++
++    // Disallow sourcing a file in the sandbox, the commands would be executed
++    // later, possibly outside of the sandbox.
++    if (check_secure())
++	return;
++
+ #ifdef FEAT_EVAL
+     if (ignore_script)
+ 	/* Not reading from script, also don't open one.  Warning message? */
+diff --git a/src/testdir/test_source.vim b/src/testdir/test_source.vim
diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix
@@ -13,6 +13,12 @@ rec {
 
   hardeningDisable = [ "fortify" ];
 
+  patches = [
+    # Arbitrary code execution fix
+    # https://github.com/numirias/security/blob/cf4f74e0c6c6e4bbd6b59823aa1b85fa913e26eb/doc/2019-06-04_ace-vim-neovim.md
+    ./0001-source-command-doesnt-check-for-the-sandbox-5357552.patch
+  ];
+
   postPatch =
     # Use man from $PATH; escape sequences are still problematic.
     ''

diff --git a/pkgs/applications/editors/vim/configurable.nix b/pkgs/applications/editors/vim/configurable.nix
@@ -75,7 +75,9 @@ in stdenv.mkDerivation rec {
     "default" = common.src; # latest release
   };
 
-  patches = [ ./cflags-prune.diff ] ++ stdenv.lib.optional ftNixSupport ./ft-nix-support.patch;
+  patches = common.patches or []
+    ++ [ ./cflags-prune.diff ]
+    ++ stdenv.lib.optional ftNixSupport ./ft-nix-support.patch;
 
   configureFlags = [
     "--enable-gui=${guiSupport}"

diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix
@@ -15,7 +15,7 @@ in
 stdenv.mkDerivation rec {
   name = "vim-${version}";
 
-  inherit (common) version src postPatch hardeningDisable enableParallelBuilding meta;
+  inherit (common) version src patches postPatch hardeningDisable enableParallelBuilding meta;
 
   nativeBuildInputs = [ gettext pkgconfig ];
   buildInputs = [ ncurses ]