stable-security update of vim

James Vega jamessan at debian.org
Mon Feb 16 09:10:17 UTC 2009 

On Thu, Jan 29, 2009 at 11:32:55AM -0500, Steffen Joeris wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for vim and seem to affect the packages in stable.
> 
> CVE-2008-2712[0]:
> | Vim 7.1.314, 6.4, and other versions allows user-assisted remote
> | attackers to execute arbitrary commands via Vim scripts that do not
> | properly sanitize inputs before invoking the execute or system
> | functions, as demonstrated using (1) filetype.vim, (2) zipplugin, (3)
> | xpm.vim, (4) gzip_vim, and (5) netrw.
> 
> CVE-2008-3074[1]:
> | ** RESERVED **
> | This candidate has been reserved by an organization or individual that
> | will use it when announcing a new security problem.  When the
> | candidate has been publicized, the details for this candidate will be
> | provided.
> 
> CVE-2008-3075[2]:
> | ** RESERVED **
> | This candidate has been reserved by an organization or individual that
> | will use it when announcing a new security problem.  When the
> | candidate has been publicized, the details for this candidate will be
> | provided.
> 
> CVE-2008-3076[3]:
> | ** RESERVED **
> | This candidate has been reserved by an organization or individual that
> | will use it when announcing a new security problem.  When the
> | candidate has been publicized, the details for this candidate will be
> | provided.
> 
> CVE-2008-4101[4]:
> | Vim 3.0 through 7.x before 7.2.010 does not properly escape
> | characters, which allows user-assisted attackers to (1) execute
> | arbitrary shell commands by entering a K keystroke on a line that
> | contains a ";" (semicolon) followed by a command, or execute arbitrary
> | Ex commands by entering an argument after a (2) "Ctrl-]" (control
> | close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke
> | sequence, a different issue than CVE-2008-2712.
> 
> For the reserved issues, there is a bugreport in the BTS with more 
> information.
> 
> We would like to issue a DSA for these CVEs and were wondering, whether you as 
> the maintainers could provide packages for stable-security?
> 
> It would be great, if you could send us a full debdiff.
> Thanks in advance for your work.

debdiff and source package are available on people[0].  Sorry for the
delay in getting the packages prepared.  I've included all the fixes
requested, including for netrw.

[0] - http://people.debian.org/~jamessan/tmp/
-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-vim-maintainers/attachments/20090216/f6f1071b/attachment.pgp

More information about the pkg-vim-maintainers mailing list