CVE-2018-11319
Description
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to a directory that is a parent of the base directory of the project being checked. NOTE: exploitation is more difficult after 3.8.0 because filename prediction may be needed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=3.9.0
Vulnerability mechanics
Root cause
"Syntastic improperly searches for configuration files by recursing up to the filesystem root, which can be exploited via malicious plugins."
Attack vector
An attacker with write access to a parent directory of a project being checked by Syntastic can place a malicious configuration file. This file can contain arguments that instruct the compiler to load a malicious GCC plugin. If the plugin is loaded, it can execute arbitrary code on the system, as demonstrated by creating a file with specific content [ref_id=2]. Exploitation is more difficult after version 3.8.0 due to filename prediction requirements.
Affected code
The vulnerability lies in how Syntastic searches for configuration files for various linters. The commit `6d7c0b394e001233dd09ec473fbea2002c72632f` shows that default configuration filenames were removed and replaced with 'unset' for numerous linters, including `g:syntastic_ada_config_file`, `g:syntastic_asm_config_file`, and `g:syntastic_avrgcc_config_file` [ref_id=1].
What the fix does
The patch modifies Syntastic to no longer have default configuration filenames for linters. Instead, these defaults are unset, requiring users to explicitly define them. This change prevents Syntastic from automatically searching for and loading potentially malicious configuration files that could lead to arbitrary code execution [ref_id=1].
Preconditions
- input: Write access to a directory that is a parent of the base directory of the project being checked.
- config: A malicious GCC plugin must be created and placed where it can be loaded.
- config: A Syntastic configuration file must be created in a parent directory, e.g., `.syntastic_avrgcc_config`.
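To check a workstation for these preconditions, the following added audit script (not Syntastic's code and not taken from the references) walks from a project directory towards the root and reports every Syntastic-style config file, whether it sits in a parent directory, whether other users can write to that directory, and whether it passes a `-fplugin` option. The function names and the `.syntastic_<checker>_config` pattern, generalized from the one filename given above, are assumptions.

```python
import os
import re
import stat
import sys
from pathlib import Path
from typing import Optional

# Assumption: per-checker config files follow the ".syntastic_<checker>_config"
# pattern of the one name the page gives (.syntastic_avrgcc_config).
CONFIG_NAME = re.compile(r"^\.syntastic_\w+_config$")


def others_can_write(directory: Path) -> bool:
    """True if group or other users may create files in `directory`.
    The sticky bit (as on /tmp) does not stop file creation, so it is ignored."""
    return bool(directory.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def loads_plugin(config: Path) -> bool:
    """True if any whitespace-separated argument in the file is a -fplugin option."""
    text = config.read_text(errors="replace")
    return any(arg.startswith("-fplugin") for arg in text.split())


def audit(project: Path, stop: Optional[Path] = None) -> list:
    """Inspect `project` and each parent up to `stop` (default: filesystem root)."""
    project = project.resolve()
    stop = stop.resolve() if stop else None
    findings = []
    for directory in [project, *project.parents]:
        try:
            names = sorted(os.listdir(directory))
        except OSError:
            names = []  # unreadable directory: nothing to report from it
        for name in names:
            path = directory / name
            if CONFIG_NAME.match(name) and path.is_file():
                findings.append({
                    "path": path,
                    "in_parent": directory != project,
                    "others_can_write": others_can_write(directory),
                    "loads_plugin": loads_plugin(path),
                })
        if directory == stop:
            break
    return findings


if __name__ == "__main__":
    for f in audit(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        risky = f["in_parent"] and (f["others_can_write"] or f["loads_plugin"])
        print("REVIEW" if risky else "ok    ", f["path"])
```

A config file found in a parent directory that other users can write to, or one that names a plugin, is the case to review before running checkers in that tree.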
Reproduction
1. Create a malicious GCC plugin (e.g., `plugin.cc`) that writes to `/tmp/test`.
2. Build the plugin: `gcc -I$(gcc -print-file-name=plugin)/include -fPIC -fno-rtti -O2 -shared plugin.cc -o /tmp/plugin.so`.
3. Create a Syntastic configuration file: `echo -fplugin=/tmp/plugin.so > /tmp/.syntastic_avrgcc_config`.
4. Ensure the plugin and config file are owned by the user running Syntastic.
5. Configure Syntastic to use the `avrgcc` checker (e.g., `let g:syntastic_cpp_checkers = ['avrgcc']`).
6. Edit a C++ file within a directory that has `/tmp` as a parent (e.g., `/tmp/foo.cc`) using Vim.
7. Check the content of `/tmp/test` to verify arbitrary code execution [ref_id=2].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.debian.org/security/2018/dsa-4261 (mitre, vendor-advisory, x_refsource_DEBIAN)
- bugs.debian.org/894736 (mitre, x_refsource_MISC)
- github.com/vim-syntastic/syntastic/commit/6d7c0b394e001233dd09ec473fbea2002c72632f (mitre, x_refsource_MISC)
- github.com/vim-syntastic/syntastic/issues/2170 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2018/07/msg00036.html (mitre, mailing-list, x_refsource_MLIST)