Debian Bug report logs - #486502
multiple vulnerabilities found in vim

version graph

Package: vim; Maintainer for vim is Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>; Source for vim is src:vim.

Reported by: Jamie Strandboge <jamie@strandboge.com>

Date: Mon, 16 Jun 2008 14:09:06 UTC

Severity: grave

Tags: security

Found in version vim/1:6.4-000+1

Fixed in versions vim/1:7.1.314-3, vim/1:7.1.314-3+lenny1

Done: James Vega <jamessan@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#486502; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Jamie Strandboge <jamie@strandboge.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jamie Strandboge <jamie@strandboge.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: multiple vulnerabilities found in vim
Date: Mon, 16 Jun 2008 09:28:17 -0400
Package: vim
Version: 1:7.1.314-2
Severity: grave
Tags: security
Justification: user security hole


Forwarding the following, which was just pointed out to me:
http://www.rdancer.org/vulnerablevim.html
http://www.reddit.com/r/programming/info/6ng40/comments/




Bug no longer marked as found in version 1:7.1.314-2. Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Mon, 16 Jun 2008 14:30:04 GMT) Full text and rfc822 format available.

Bug marked as found in version 1:6.4-000+1. Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Mon, 16 Jun 2008 14:30:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#486502; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Jamie Strandboge <jamie@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #14 received at 486502@bugs.debian.org (full text, mbox):

From: Jamie Strandboge <jamie@canonical.com>
To: 486502@bugs.debian.org
Subject: Re: multiple vulnerabilities found in vim
Date: Mon, 16 Jun 2008 10:44:06 -0400
[Message part 1 (text/plain, inline)]
These should all be fixed now according to:
http://groups.google.com/group/vim_dev/tree/browse_frm/month/2008-06/6d7899eac89aa333?rnum=131&_done=%2Fgroup%2Fvim_dev%2Fbrowse_frm%2Fmonth%2F2008-06%3F#doc_9bb6550f4f955f04

Also, 7.1.314 is supposedly mostly not affected, but I did find these commits:
http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1012
http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1013
http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1021


-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#486502; Package vim. Full text and rfc822 format available.

Acknowledgement sent to James Vega <jamessan@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #19 received at 486502@bugs.debian.org (full text, mbox):

From: James Vega <jamessan@debian.org>
To: Jamie Strandboge <jamie@canonical.com>, 486502@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#486502: multiple vulnerabilities found in vim
Date: Mon, 16 Jun 2008 11:23:58 -0400
[Message part 1 (text/plain, inline)]
In regard to the Vim vulnerabilities described at
<http://www.rdancer.org/vulnerablevim.html>.

On Mon, Jun 16, 2008 at 10:44:06AM -0400, Jamie Strandboge wrote:
> These should all be fixed now according to:
> http://groups.google.com/group/vim_dev/tree/browse_frm/month/2008-06/6d7899eac89aa333?rnum=131&_done=%2Fgroup%2Fvim_dev%2Fbrowse_frm%2Fmonth%2F2008-06%3F#doc_9bb6550f4f955f04
> 
> Also, 7.1.314 is supposedly mostly not affected, but I did find these commits:
> http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1012
> http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1013
> http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1021

Right, the core code is up-to-date as of 7.1.314.  I'm currently working
on updating the remaining affected runtime files/documentation for an
upload to unstable.

Given that the vulnerability requires the user to edit files with rather
odd filenames, I'm not sure whether it warrants a security upload to
stable-security.  Comments from the security team?

If there is a need for one, I could spend some time this weekend getting
a more minimal diff to apply against the stable package.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#486502; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #24 received at 486502@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: James Vega <jamessan@debian.org>
Cc: Jamie Strandboge <jamie@canonical.com>, 486502@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#486502: multiple vulnerabilities found in vim
Date: Mon, 16 Jun 2008 17:35:22 +0200
[Message part 1 (text/plain, inline)]
Hi James,
* James Vega <jamessan@debian.org> [2008-06-16 17:26]:
> In regard to the Vim vulnerabilities described at
> <http://www.rdancer.org/vulnerablevim.html>.
> 
> On Mon, Jun 16, 2008 at 10:44:06AM -0400, Jamie Strandboge wrote:
> > These should all be fixed now according to:
> > http://groups.google.com/group/vim_dev/tree/browse_frm/month/2008-06/6d7899eac89aa333?rnum=131&_done=%2Fgroup%2Fvim_dev%2Fbrowse_frm%2Fmonth%2F2008-06%3F#doc_9bb6550f4f955f04
> > 
> > Also, 7.1.314 is supposedly mostly not affected, but I did find these commits:
> > http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1012
> > http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1013
> > http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1021
> 
> Right, the core code is up-to-date as of 7.1.314.  I'm currently working
> on updating the remaining affected runtime files/documentation for an
> upload to unstable.
> 
> Given that the vulnerability requires the user to edit files with rather
> odd filenames,
[...] 
Note that this is not the case for every vulnerability. Have 
a look at the filetype.vim issue which doesn't need a 
crafted filename.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#486502; Package vim. Full text and rfc822 format available.

Acknowledgement sent to James Vega <jamessan@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #29 received at 486502@bugs.debian.org (full text, mbox):

From: James Vega <jamessan@debian.org>
To: control@bugs.debian.org
Cc: 486446@bugs.debian.org, 486502@bugs.debian.org
Subject: setting package to vim-common vim-python vim-lesstif vim-nox vim-runtime vim-dbg vim-gtk vim-perl vim-full vim-ruby vim-gnome vim vim-doc vim-tcl vim-gui-common vim-tiny ...
Date: Mon, 16 Jun 2008 13:35:53 -0400
# Automatically generated email from bts, devscripts version 2.10.29
#
# vim (1:7.1.314-3) UNRELEASED; urgency=high
#
#  * Update runtime files affected by the filename escape vulnerability.
#    (Closes: #486502)
#  * debian/vim-runtime.postrm:
#    - Only remove the diversions if the postrm is called with the "remove"
#      argument.  (Closes: #486446)
#

package vim-common vim-python vim-lesstif vim-nox vim-runtime vim-dbg vim-gtk vim-perl vim-full vim-ruby vim-gnome vim vim-doc vim-tcl vim-gui-common vim-tiny
tags 486502 + pending
tags 486446 + pending





Tags added: pending Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Mon, 16 Jun 2008 17:39:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#486502; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #36 received at 486502@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 486502@bugs.debian.org
Subject: CVE id for this
Date: Mon, 16 Jun 2008 23:02:36 +0200
[Message part 1 (text/plain, inline)]
Hi,
Name: CVE-2008-2712
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712
Reference: BUGTRAQ:20080613 Collection of Vulnerabilities in Fully Patched Vim 7.1
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/493352/100/0/threaded
Reference: BUGTRAQ:20080614 Re: Collection of Vulnerabilities in Fully Patched Vim 7.1
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/493353/100/0/threaded
Reference: MISC:http://www.rdancer.org/vulnerablevim.html
Reference: MLIST:[oss-security] CVE Id request: vim
Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/16/2

Vim 7.1.314, 6.4, and other versions allows user-assisted remote
attackers to execute arbitrary commands via Vim scripts that do not
properly sanitize inputs before invoking the execute or system
functions, as demonstrated using (1) filetype.vim, (2) zipplugin, (3)
xpm.vim, (4) gzip_vim, and (5) netrw.

Please reference this CVE id in the changelog when closing the bug.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to James Vega <jamessan@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Jamie Strandboge <jamie@strandboge.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #41 received at 486502-close@bugs.debian.org (full text, mbox):

From: James Vega <jamessan@debian.org>
To: 486502-close@bugs.debian.org
Subject: Bug#486502: fixed in vim 1:7.1.314-3
Date: Tue, 17 Jun 2008 16:02:31 +0000
Source: vim
Source-Version: 1:7.1.314-3

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-common_7.1.314-3_i386.deb
  to pool/main/v/vim/vim-common_7.1.314-3_i386.deb
vim-dbg_7.1.314-3_i386.deb
  to pool/main/v/vim/vim-dbg_7.1.314-3_i386.deb
vim-doc_7.1.314-3_all.deb
  to pool/main/v/vim/vim-doc_7.1.314-3_all.deb
vim-full_7.1.314-3_all.deb
  to pool/main/v/vim/vim-full_7.1.314-3_all.deb
vim-gnome_7.1.314-3_i386.deb
  to pool/main/v/vim/vim-gnome_7.1.314-3_i386.deb
vim-gtk_7.1.314-3_i386.deb
  to pool/main/v/vim/vim-gtk_7.1.314-3_i386.deb
vim-gui-common_7.1.314-3_all.deb
  to pool/main/v/vim/vim-gui-common_7.1.314-3_all.deb
vim-lesstif_7.1.314-3_i386.deb
  to pool/main/v/vim/vim-lesstif_7.1.314-3_i386.deb
vim-nox_7.1.314-3_i386.deb
  to pool/main/v/vim/vim-nox_7.1.314-3_i386.deb
vim-perl_7.1.314-3_all.deb
  to pool/main/v/vim/vim-perl_7.1.314-3_all.deb
vim-python_7.1.314-3_all.deb
  to pool/main/v/vim/vim-python_7.1.314-3_all.deb
vim-ruby_7.1.314-3_all.deb
  to pool/main/v/vim/vim-ruby_7.1.314-3_all.deb
vim-runtime_7.1.314-3_all.deb
  to pool/main/v/vim/vim-runtime_7.1.314-3_all.deb
vim-tcl_7.1.314-3_all.deb
  to pool/main/v/vim/vim-tcl_7.1.314-3_all.deb
vim-tiny_7.1.314-3_i386.deb
  to pool/main/v/vim/vim-tiny_7.1.314-3_i386.deb
vim_7.1.314-3.diff.gz
  to pool/main/v/vim/vim_7.1.314-3.diff.gz
vim_7.1.314-3.dsc
  to pool/main/v/vim/vim_7.1.314-3.dsc
vim_7.1.314-3_i386.deb
  to pool/main/v/vim/vim_7.1.314-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 486502@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Vega <jamessan@debian.org> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 17 Jun 2008 11:12:18 -0400
Source: vim
Binary: vim-common vim-gui-common vim-runtime vim-doc vim-tiny vim vim-dbg vim-perl vim-python vim-ruby vim-tcl vim-gtk vim-nox vim-lesstif vim-gnome vim-full
Architecture: source all i386
Version: 1:7.1.314-3
Distribution: unstable
Urgency: high
Maintainer: Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>
Changed-By: James Vega <jamessan@debian.org>
Description: 
 vim        - Vi IMproved - enhanced vi editor
 vim-common - Vi IMproved - Common files
 vim-dbg    - Vi IMproved - enhanced vi editor (debugging symbols)
 vim-doc    - Vi IMproved - HTML documentation
 vim-full   - Vi IMproved - enhanced vi editor (transitional package)
 vim-gnome  - Vi IMproved - enhanced vi editor - with GNOME2 GUI
 vim-gtk    - Vi IMproved - enhanced vi editor - with GTK2 GUI
 vim-gui-common - Vi IMproved - Common GUI files
 vim-lesstif - Vi IMproved - enhanced vi editor - with LessTif GUI
 vim-nox    - Vi IMproved - enhanced vi editor
 vim-perl   - Vi IMproved - enhanced vi editor (transitional package)
 vim-python - Vi IMproved - enhanced vi editor (transitional package)
 vim-ruby   - Vi IMproved - enhanced vi editor (transitional package)
 vim-runtime - Vi IMproved - Runtime files
 vim-tcl    - Vi IMproved - enhanced vi editor (transitional package)
 vim-tiny   - Vi IMproved - enhanced vi editor - compact version
Closes: 486417 486446 486502
Changes: 
 vim (1:7.1.314-3) unstable; urgency=high
 .
   * Update runtime files affected by the filename escape vulnerability.
     (CVE 2008-2712, Closes: #486502)
   * debian/vim-runtime.preinst:
     - Only add the diversions if the preinst is called with the "install" or
       "upgrade" (to handle the previous mishandling in postrm) arguments.
   * debian/vim-runtime.postrm:
     - Only remove the diversions if the postrm is called with the "remove"
       argument.  (Closes: #486446)
   * runtime/menu.vim:
     - Escape the buffer name when using the "Window -> Split File Explorer"
       menu item.  (Closes: #486417)
Checksums-Sha1: 
 6601b57927ce68bce5fd2cf9fcab5f1be659cd5e 1698 vim_7.1.314-3.dsc
 bf645e6f1a918f7cf23182768a9791d266e3bcf7 404431 vim_7.1.314-3.diff.gz
 e085e66c66292158480fe8223050470aa81cb974 174970 vim-gui-common_7.1.314-3_all.deb
 e2ed9adfbc8054289c6b0d39e0851b427144e4a0 5606868 vim-runtime_7.1.314-3_all.deb
 6af962596f4de9f53b21aa869e1abc9e5c558ec8 2151506 vim-doc_7.1.314-3_all.deb
 1233d32b6b3df893fc9e5da76a8322a83390e044 74374 vim-perl_7.1.314-3_all.deb
 29081a31ecb2fd21003613ecf8b74de90bb10d3d 74374 vim-python_7.1.314-3_all.deb
 e1a3297f2d93a7f10e272eeb881051147ea0529f 74374 vim-ruby_7.1.314-3_all.deb
 43657b532a8060c55218e2bcdbcce7410b524970 74368 vim-tcl_7.1.314-3_all.deb
 3c0e984f41d84547428c20d14e5563e30fa50c00 74400 vim-full_7.1.314-3_all.deb
 e1ad4db11dccaaa6c3682638ee29164129fd78b7 334592 vim-tiny_7.1.314-3_i386.deb
 7287003ad605b981d03561de4ac9e3bee64aba92 993172 vim-gtk_7.1.314-3_i386.deb
 e2553f60447f0933cbb48dc88ce361117eae6367 995390 vim-gnome_7.1.314-3_i386.deb
 1be080d7c64fc2432db7da04622d53e9ee781dfb 986134 vim-lesstif_7.1.314-3_i386.deb
 0f83db4af1695e385277afdee3bac410fa02b66a 862810 vim-nox_7.1.314-3_i386.deb
 eaa5f50bd41bdcc389d07a36a4aa49640ecab814 229568 vim-common_7.1.314-3_i386.deb
 fcba36f8c9752f6b74ef37df6ff9263cceb8c911 776482 vim_7.1.314-3_i386.deb
 0f4e2fae14dfc896bda0a0625240c9453637e37a 8381388 vim-dbg_7.1.314-3_i386.deb
Checksums-Sha256: 
 b346155c683bcbaaa40890928d8c3552a487a6600adcad26d699ebd9cd613047 1698 vim_7.1.314-3.dsc
 ad81d074e1ac0fdc7938be95212adf236619e9b77ceb4102e663e3419d74cf8e 404431 vim_7.1.314-3.diff.gz
 f4a290171eb2606e6facc0f444613f51da1c978f04800e7c3ee512d2eeba05f0 174970 vim-gui-common_7.1.314-3_all.deb
 f0523591bb84648b5e3f665f0e0f6a493f2a54b48875fc551e949b0557adb978 5606868 vim-runtime_7.1.314-3_all.deb
 84ca83d3334986f0d6683ef22c244bc61222a20f8c9ad62d0e8acd9ccd26bcf5 2151506 vim-doc_7.1.314-3_all.deb
 09404e6536ed7fd182657faf8caa43c7343f995d8206ffc4693c261d9ba3e5fb 74374 vim-perl_7.1.314-3_all.deb
 620c65faa11c5a867c90ef96133cfd356e30bc5a8892f2bcaeb9cfba3887cfd1 74374 vim-python_7.1.314-3_all.deb
 3044262073ec9011f9b0b5df5da34766de3adb0d02614a907305495d4bfdf4a6 74374 vim-ruby_7.1.314-3_all.deb
 dda6491565e0aa121b73d26824577bcc702dd026fd6d01d29f177ea937e6773a 74368 vim-tcl_7.1.314-3_all.deb
 53fe0e45a1db9f7e166232105c1cd4ec96948f76039ede29cf741296ac1b65d5 74400 vim-full_7.1.314-3_all.deb
 9ac585828487db1c8938e85c376cd7272d896f76997dbd99f9df38c049e1fb56 334592 vim-tiny_7.1.314-3_i386.deb
 a66800afe629a29adac10403c31a56974032b8c94d8a9a4f3f2563e0059b8da7 993172 vim-gtk_7.1.314-3_i386.deb
 cb62583fc3e6d825db548c38e17073588905d568d17db681c3b94c9b51433f2b 995390 vim-gnome_7.1.314-3_i386.deb
 eae638c60dea7cdf8f717a336bd50b2ba911b10fe5e4af4d6d1c6af121c0e1bb 986134 vim-lesstif_7.1.314-3_i386.deb
 59b9993f631c3ac3e26bed04329e8dbc2023826e6c26fe784081fd53a815cfa1 862810 vim-nox_7.1.314-3_i386.deb
 65a743e7244c2e04db49fccd618ffbf8aac40bd7a7cabc475fa4f1c6a625c67b 229568 vim-common_7.1.314-3_i386.deb
 2d3b3c01feca0d009bd9bd80b845f83a77baa3b29469073c1493f285be7bd2e3 776482 vim_7.1.314-3_i386.deb
 0a0ad200f357f24a71e14aa6cb1c2ea3e26fea137c247d97bb70f848aa82d40c 8381388 vim-dbg_7.1.314-3_i386.deb
Files: 
 6fa164c6b186d61a87b6a4b04d1b84e0 1698 editors optional vim_7.1.314-3.dsc
 fbac45c14fa93265b96aab12e61c7816 404431 editors optional vim_7.1.314-3.diff.gz
 24e02c39ab94006855cad5f37a55a136 174970 editors optional vim-gui-common_7.1.314-3_all.deb
 387bfba0eed274bc06d2773428a20a56 5606868 editors optional vim-runtime_7.1.314-3_all.deb
 c43e1833849621b927d33545e18cbab6 2151506 doc optional vim-doc_7.1.314-3_all.deb
 13df95a4c7ab9bca2c0aa25c8f109688 74374 editors extra vim-perl_7.1.314-3_all.deb
 59be3c9017d36fe783d4a9f38c6cfc39 74374 editors extra vim-python_7.1.314-3_all.deb
 4ee4b8b6a8c1278793697d2da61f6960 74374 editors extra vim-ruby_7.1.314-3_all.deb
 6b187da4e7acda408bb76ca1d18548e0 74368 editors extra vim-tcl_7.1.314-3_all.deb
 1db8e401811e06f0f337643da75da1d4 74400 editors extra vim-full_7.1.314-3_all.deb
 01cb9912672ce279fe17bf550628dc41 334592 editors important vim-tiny_7.1.314-3_i386.deb
 8171c691d5058662252a61abaac8b6ba 993172 editors extra vim-gtk_7.1.314-3_i386.deb
 ab781f2443c3c29ade6fdced74365cd5 995390 editors extra vim-gnome_7.1.314-3_i386.deb
 8133013f2d276619de53465ca7e8130b 986134 editors extra vim-lesstif_7.1.314-3_i386.deb
 78ea32cb3d152f6338cfc63cf56ef313 862810 editors extra vim-nox_7.1.314-3_i386.deb
 eca91d3fa1ae090ac2f46164d853d21c 229568 editors important vim-common_7.1.314-3_i386.deb
 245fb0879f6ad74808dcc81e29272a5e 776482 editors optional vim_7.1.314-3_i386.deb
 d2f8e26bae3ba5962e10b6aebc13aa98 8381388 editors extra vim-dbg_7.1.314-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhX2/kACgkQDb3UpmEybUA0ZgCfeai4OlfXNSnrO4nDD+bxOL3p
6V0An2RdoUPapC2CsGMyxqH/eA6dxtWj
=/XbZ
-----END PGP SIGNATURE-----





Reply sent to James Vega <jamessan@debian.org>:
You have taken responsibility. (Wed, 15 Oct 2008 02:30:05 GMT) Full text and rfc822 format available.

Notification sent to Jamie Strandboge <jamie@strandboge.com>:
Bug acknowledged by developer. (Wed, 15 Oct 2008 02:30:06 GMT) Full text and rfc822 format available.

Message #46 received at 486502-close@bugs.debian.org (full text, mbox):

From: James Vega <jamessan@debian.org>
To: 486502-close@bugs.debian.org
Subject: Bug#486502: fixed in vim 1:7.1.314-3+lenny1
Date: Wed, 15 Oct 2008 02:02:07 +0000
Source: vim
Source-Version: 1:7.1.314-3+lenny1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-common_7.1.314-3+lenny1_i386.deb
  to pool/main/v/vim/vim-common_7.1.314-3+lenny1_i386.deb
vim-dbg_7.1.314-3+lenny1_i386.deb
  to pool/main/v/vim/vim-dbg_7.1.314-3+lenny1_i386.deb
vim-doc_7.1.314-3+lenny1_all.deb
  to pool/main/v/vim/vim-doc_7.1.314-3+lenny1_all.deb
vim-full_7.1.314-3+lenny1_all.deb
  to pool/main/v/vim/vim-full_7.1.314-3+lenny1_all.deb
vim-gnome_7.1.314-3+lenny1_i386.deb
  to pool/main/v/vim/vim-gnome_7.1.314-3+lenny1_i386.deb
vim-gtk_7.1.314-3+lenny1_i386.deb
  to pool/main/v/vim/vim-gtk_7.1.314-3+lenny1_i386.deb
vim-gui-common_7.1.314-3+lenny1_all.deb
  to pool/main/v/vim/vim-gui-common_7.1.314-3+lenny1_all.deb
vim-lesstif_7.1.314-3+lenny1_i386.deb
  to pool/main/v/vim/vim-lesstif_7.1.314-3+lenny1_i386.deb
vim-nox_7.1.314-3+lenny1_i386.deb
  to pool/main/v/vim/vim-nox_7.1.314-3+lenny1_i386.deb
vim-perl_7.1.314-3+lenny1_all.deb
  to pool/main/v/vim/vim-perl_7.1.314-3+lenny1_all.deb
vim-python_7.1.314-3+lenny1_all.deb
  to pool/main/v/vim/vim-python_7.1.314-3+lenny1_all.deb
vim-ruby_7.1.314-3+lenny1_all.deb
  to pool/main/v/vim/vim-ruby_7.1.314-3+lenny1_all.deb
vim-runtime_7.1.314-3+lenny1_all.deb
  to pool/main/v/vim/vim-runtime_7.1.314-3+lenny1_all.deb
vim-tcl_7.1.314-3+lenny1_all.deb
  to pool/main/v/vim/vim-tcl_7.1.314-3+lenny1_all.deb
vim-tiny_7.1.314-3+lenny1_i386.deb
  to pool/main/v/vim/vim-tiny_7.1.314-3+lenny1_i386.deb
vim_7.1.314-3+lenny1.diff.gz
  to pool/main/v/vim/vim_7.1.314-3+lenny1.diff.gz
vim_7.1.314-3+lenny1.dsc
  to pool/main/v/vim/vim_7.1.314-3+lenny1.dsc
vim_7.1.314-3+lenny1_i386.deb
  to pool/main/v/vim/vim_7.1.314-3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 486502@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Vega <jamessan@debian.org> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 14 Oct 2008 21:11:21 -0400
Source: vim
Binary: vim-common vim-gui-common vim-runtime vim-doc vim-tiny vim vim-dbg vim-perl vim-python vim-ruby vim-tcl vim-gtk vim-nox vim-lesstif vim-gnome vim-full
Architecture: source all i386
Version: 1:7.1.314-3+lenny1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>
Changed-By: James Vega <jamessan@debian.org>
Description: 
 vim        - Vi IMproved - enhanced vi editor
 vim-common - Vi IMproved - Common files
 vim-dbg    - Vi IMproved - enhanced vi editor (debugging symbols)
 vim-doc    - Vi IMproved - HTML documentation
 vim-full   - Vi IMproved - enhanced vi editor (transitional package)
 vim-gnome  - Vi IMproved - enhanced vi editor - with GNOME2 GUI
 vim-gtk    - Vi IMproved - enhanced vi editor - with GTK2 GUI
 vim-gui-common - Vi IMproved - Common GUI files
 vim-lesstif - Vi IMproved - enhanced vi editor - with LessTif GUI
 vim-nox    - Vi IMproved - enhanced vi editor
 vim-perl   - Vi IMproved - enhanced vi editor (transitional package)
 vim-python - Vi IMproved - enhanced vi editor (transitional package)
 vim-ruby   - Vi IMproved - enhanced vi editor (transitional package)
 vim-runtime - Vi IMproved - Runtime files
 vim-tcl    - Vi IMproved - enhanced vi editor (transitional package)
 vim-tiny   - Vi IMproved - enhanced vi editor - compact version
Closes: 384635 456897 486502 492450 492519 499451 500381
Changes: 
 vim (1:7.1.314-3+lenny1) testing-proposed-updates; urgency=low
 .
   * Cherry-pick patches from upstream to address filename escaping
     vulnerabilities
     - 7.2a.013 shellescape() does not escape "%" and "#" characters
     - 7.2b.005 shellescape() doesn't take care of "!" and "\n"
     - 7.2b.018 cmdline completion on shell cmd fails on file containing '!'
     - 7.2b.026 GTK 2 file chooser causes significant slowdown  (Closes:
       #456897, #384635)
     - 7.2c.002 fnameescape() doesn't handle a leading '+' or '>'
     - 7.2.010 "K" in Visual mode does not properly escape all characters
       (CVE 2008-4101, Closes: #500381)
       + src/normal.c: Only use the word under the cursor, instead of the
         entire line after the cursor, when constructing the shell command to
         run.
   * Update runtime files affected by filename escape vulnerabilities.
     (CVE 2008-2712, Closes: #486502)
   * src/spell.c: Stop reading when EOF is reached to avoid allocing large
     amounts of memory.
   * src/main.c: After further discussion with upstream, revert behavior of
     -N/-C causing (no)compatible to be set after all startup files/plugins are
     sourced, c.f. #438560.
   * debian/control: vim-runtime Depends on dpkg >= 1.14.20 for sane
     dpkg-divert behavior
   * debian.vim: Do not enable 'autoindent' and filetype plugins by default.
   * Add NEWS item for change in default configuration.
   * runtime/autoload/netrw.vim: Fix deletion of incorrect file in wide display
     listing.  Using Jan Minář's patch from the vim-dev list.  (Closes:
     #492519)
   * Improve handling of transition from vim-runtime Replacing vim-tiny to
     using diversions to manage their conflicting files.  (Closes: #492450)
   * Add vim-runtime.preinst to handle moving /etc/vim/vimrc.tiny from
     vim-common to vim-tiny.  (Closes: #499451)
Checksums-Sha1: 
 4dd425bc2cf9d8be7dea3878fad5f006109c8bc5 1726 vim_7.1.314-3+lenny1.dsc
 c6b607c354828bc8628736c720839230a5d638a5 377885 vim_7.1.314-3+lenny1.diff.gz
 894cfd8b40852f22359043cacc7edd90e801072f 159756 vim-gui-common_7.1.314-3+lenny1_all.deb
 8d3422b4c38a2bd1f72c227a1b5ad749b8652c5e 5594788 vim-runtime_7.1.314-3+lenny1_all.deb
 80fa589e72eaf33735433f4833a6f68abf0fdcf4 2151930 vim-doc_7.1.314-3+lenny1_all.deb
 9e5d717bbc00560d643a785dc3a4f0c5d231fadc 75220 vim-perl_7.1.314-3+lenny1_all.deb
 b9e77d0ef7e0f91c68a5d2b7eef4a58d39997195 75226 vim-python_7.1.314-3+lenny1_all.deb
 3818f208142aad576ebaf5987c30d46b87b526e0 75218 vim-ruby_7.1.314-3+lenny1_all.deb
 ea7d8330284815043070e62783f5f0a1b3ad2e44 75218 vim-tcl_7.1.314-3+lenny1_all.deb
 3988c8a35d54e6cb6639e34267eb2a1756f5bed7 75244 vim-full_7.1.314-3+lenny1_all.deb
 54e947dab1f11fe600c36b4492037581f8e74d6a 334966 vim-tiny_7.1.314-3+lenny1_i386.deb
 0920f540e5388925fb8994c487e2d990a0b38fae 993934 vim-gtk_7.1.314-3+lenny1_i386.deb
 2daa81e77e5cb66cc335b4a4ec73120268d2ebca 996072 vim-gnome_7.1.314-3+lenny1_i386.deb
 fbb31bbb593f786cf7f10d953f03b1a84497f753 986426 vim-lesstif_7.1.314-3+lenny1_i386.deb
 5348af60fb555fdea99f37402fd54b4bdffec975 862980 vim-nox_7.1.314-3+lenny1_i386.deb
 4628755608d60fb564007e92e28a4957280f6f65 208086 vim-common_7.1.314-3+lenny1_i386.deb
 9340f7b5bd7ad46b6f76df0166a34f365d10df2d 776652 vim_7.1.314-3+lenny1_i386.deb
 40af6013f632bc1935ca52bb82c17c2b25117408 8379772 vim-dbg_7.1.314-3+lenny1_i386.deb
Checksums-Sha256: 
 a1a1b63727f081df238c6d133c7137851b1fde035b9a6eb71c4d8c9d42fd9bec 1726 vim_7.1.314-3+lenny1.dsc
 352663390c9138305881a327f9ed713d5d5b3d0524abb7c85a822948c798ba77 377885 vim_7.1.314-3+lenny1.diff.gz
 5171dfc76b8fcd4da5def633c9f6d57e28de60a07cd6c12aac3a7521a48891cb 159756 vim-gui-common_7.1.314-3+lenny1_all.deb
 887923eeeda4034697d9fe085ca0c2d4930f56f0c2f882fc0e2a205300e338c7 5594788 vim-runtime_7.1.314-3+lenny1_all.deb
 cf2ee5e145ae347ebda61a596c87083f4975cf7b048acb21b7ec40e1c4422da3 2151930 vim-doc_7.1.314-3+lenny1_all.deb
 3ef213948741ce86130c0f385c46ce8bc9a24224b0c46688ea0e1d77f2ed653f 75220 vim-perl_7.1.314-3+lenny1_all.deb
 4b92c282a63a95b4a86835712363204b84dd30c34674959a4016ab7bea3bd9c8 75226 vim-python_7.1.314-3+lenny1_all.deb
 f6e45afe3832880be75fae1f76b1ccc08e5f76b31a6ca410eb184d3537811923 75218 vim-ruby_7.1.314-3+lenny1_all.deb
 06ec80e4bed3e1c62f4fe82f7a37ba18fbcca3e00f7ebe77d9aef1960737035a 75218 vim-tcl_7.1.314-3+lenny1_all.deb
 9e2bc0fef11b7d4d9188c1e76135351517213c4ab820a712789786be3714134d 75244 vim-full_7.1.314-3+lenny1_all.deb
 32391366288b596bea97377621f8b737ab65a811be5b4c1fee1c9049188792f6 334966 vim-tiny_7.1.314-3+lenny1_i386.deb
 c58cd747c2f7e48432a8188c5fc58ca5288074358882157787397c3a1628c464 993934 vim-gtk_7.1.314-3+lenny1_i386.deb
 424f9d9d96a75c6a2019a633bee19a6bf1f8dfc38a796d677263193d6991337b 996072 vim-gnome_7.1.314-3+lenny1_i386.deb
 a0e5740fbb73731a541242bd50dc59e179e1d5246f0cd1fb80371e4b6f2c4141 986426 vim-lesstif_7.1.314-3+lenny1_i386.deb
 c09f2dade223699df59bddd4c53c748751be6a54d02039bb4828471a42eca4ed 862980 vim-nox_7.1.314-3+lenny1_i386.deb
 abbaa3cea631728baf72425b5610bd7fd911759f4073423a1412e6a8a59e17d0 208086 vim-common_7.1.314-3+lenny1_i386.deb
 6a283df98a1ac5a0d1ae63c84a4316e574dbd6299f2284fce38fcb9093fe89c2 776652 vim_7.1.314-3+lenny1_i386.deb
 179401308ed19e705f5f7e0519ded117825d2015da80721d3b3fbeb545f70923 8379772 vim-dbg_7.1.314-3+lenny1_i386.deb
Files: 
 166285e7b8359c58a2ee4192ec7bd647 1726 editors optional vim_7.1.314-3+lenny1.dsc
 51298e450877dd084622e4dbf7ca4069 377885 editors optional vim_7.1.314-3+lenny1.diff.gz
 370d615ae4cd6939992dc86711127af5 159756 editors optional vim-gui-common_7.1.314-3+lenny1_all.deb
 eb3ac92786d5523cfc73e4a50254d808 5594788 editors optional vim-runtime_7.1.314-3+lenny1_all.deb
 555c522152facea3ac63849f8b1862d5 2151930 doc optional vim-doc_7.1.314-3+lenny1_all.deb
 4dbd8196e8460b326c2313207280e0b4 75220 editors extra vim-perl_7.1.314-3+lenny1_all.deb
 8ec20588c8cbc7c86cd2f080505bac19 75226 editors extra vim-python_7.1.314-3+lenny1_all.deb
 3e75bcb51ade2ebe72fe30f196e6d450 75218 editors extra vim-ruby_7.1.314-3+lenny1_all.deb
 091d9d62112f40e1d4f24735c5d2c49b 75218 editors extra vim-tcl_7.1.314-3+lenny1_all.deb
 3426cd27ead531bb9275fcf6cca86274 75244 editors extra vim-full_7.1.314-3+lenny1_all.deb
 406b4c18431d45d3e62a3de0952dad04 334966 editors important vim-tiny_7.1.314-3+lenny1_i386.deb
 34d00943f6793447ab122f97d38c8bcc 993934 editors extra vim-gtk_7.1.314-3+lenny1_i386.deb
 0d9ed2d17550c174f629ace4540d26b1 996072 editors extra vim-gnome_7.1.314-3+lenny1_i386.deb
 f24776ef05e085613772ea4da27c1027 986426 editors extra vim-lesstif_7.1.314-3+lenny1_i386.deb
 55f900dfe509d977017c9320b60c22bf 862980 editors extra vim-nox_7.1.314-3+lenny1_i386.deb
 e42447b47bef096d9009815658123a31 208086 editors important vim-common_7.1.314-3+lenny1_i386.deb
 d6b258afe28b60f81f099f424466ae49 776652 editors optional vim_7.1.314-3+lenny1_i386.deb
 0700ea8145ebb736877fecf891387832 8379772 editors extra vim-dbg_7.1.314-3+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj1S+kACgkQDb3UpmEybUDZAwCcCvKT/nwMdspwan/XByC3+K1B
/hoAn3HEXaW9YSeD211wQpAaiXQRObij
=qfnm
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 07:38:31 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 14:35:43 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.