Bug#486502: multiple vulnerabilities found in vim
Nico Golde
nion at debian.org
Mon Jun 16 15:35:22 UTC 2008
Hi James,
* James Vega <jamessan at debian.org> [2008-06-16 17:26]:
> In regard to the Vim vulnerabilities described at
> <http://www.rdancer.org/vulnerablevim.html>.
>
> On Mon, Jun 16, 2008 at 10:44:06AM -0400, Jamie Strandboge wrote:
> > These should all be fixed now according to:
> > http://groups.google.com/group/vim_dev/tree/browse_frm/month/2008-06/6d7899eac89aa333?rnum=131&_done=%2Fgroup%2Fvim_dev%2Fbrowse_frm%2Fmonth%2F2008-06%3F#doc_9bb6550f4f955f04
> >
> > Also, 7.1.314 is supposedly mostly not affected, but I did find these commits:
> > http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1012
> > http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1013
> > http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1021
>
> Right, the core code is up-to-date as of 7.1.314. I'm currently working
> on updating the remaining affected runtime files/documentation for an
> upload to unstable.
>
> Given that the vulnerability requires the user to edit files with rather
> odd filenames,
[...]
Note that this is not the case for every vulnerability. Have
a look at the filetype.vim issue which doesn't need a
crafted filename.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.