Bug#486502: multiple vulnerabilities found in vim

James Vega jamessan at debian.org
Mon Jun 16 15:23:58 UTC 2008


In regard to the Vim vulnerabilities described at
<http://www.rdancer.org/vulnerablevim.html>.

On Mon, Jun 16, 2008 at 10:44:06AM -0400, Jamie Strandboge wrote:
> These should all be fixed now according to:
> http://groups.google.com/group/vim_dev/tree/browse_frm/month/2008-06/6d7899eac89aa333?rnum=131&_done=%2Fgroup%2Fvim_dev%2Fbrowse_frm%2Fmonth%2F2008-06%3F#doc_9bb6550f4f955f04
> 
> Also, 7.1.314 is supposedly mostly not affected, but I did find these commits:
> http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1012
> http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1013
> http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1021

Right, the core code is up-to-date as of 7.1.314.  I'm currently working
on updating the remaining affected runtime files/documentation for an
upload to unstable.

Given that the vulnerability requires the user to edit files with rather
odd filenames, I'm not sure whether it warrants a security upload to
stable-security.  Comments from the security team?

If there is a need for one, I could spend some time this weekend getting
a more minimal diff to apply against the stable package.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>