Bug#486502: multiple vulnerabilities found in vim

Nico Golde nion at debian.org
Mon Jun 16 15:35:22 UTC 2008


Hi James,
* James Vega <jamessan at debian.org> [2008-06-16 17:26]:
> In regard to the Vim vulnerabilities described at
> <http://www.rdancer.org/vulnerablevim.html>.
> 
> On Mon, Jun 16, 2008 at 10:44:06AM -0400, Jamie Strandboge wrote:
> > These should all be fixed now according to:
> > http://groups.google.com/group/vim_dev/tree/browse_frm/month/2008-06/6d7899eac89aa333?rnum=131&_done=%2Fgroup%2Fvim_dev%2Fbrowse_frm%2Fmonth%2F2008-06%3F#doc_9bb6550f4f955f04
> > 
> > Also, 7.1.314 is supposedly mostly not affected, but I did find these commits:
> > http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1012
> > http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1013
> > http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1021
> 
> Right, the core code is up-to-date as of 7.1.314.  I'm currently working
> on updating the remaining affected runtime files/documentation for an
> upload to unstable.
> 
> Given that the vulnerability requires the user to edit files with rather
> odd filenames,
[...] 
Note that this is not the case for every vulnerability. Have 
a look at the filetype.vim issue which doesn't need a 
crafted filename.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.