Your message dated Tue, 25 Mar 2025 01:20:34 +0000
with message-id <[email protected]>
and subject line Bug#1099610: fixed in vim 2:9.1.1230-1
has caused the Debian Bug report #1099610,
regarding vim: CVE-2025-27423
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1099610: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099610
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vim
Version: 2:9.1.0861-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2:9.0.1378-2
Control: found -1 2:9.1.1113-1
Hi,
The following vulnerability was published for vim.
CVE-2025-27423[0]:
| Vim is an open source, command line text editor. Vim is distributed
| with the tar.vim plugin, that allows easy editing and viewing of
| (compressed or uncompressed) tar files. Starting with 9.1.0858, the
| tar.vim plugin uses the ":read" ex command line to append below the
| cursor position, however the is not sanitized and is taken literally
| from the tar archive. This allows executing shell commands via
| specially crafted tar archives. Whether this really happens depends
| on the shell being used ('shell' option, which is set using $SHELL).
| The issue has been fixed as of Vim patch v9.1.1164.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27423
https://www.cve.org/CVERecord?id=CVE-2025-27423
[1] https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3
[2] https://github.com/vim/vim/commit/334a13bff78aa0ad206bc436885f63e3a0bab399
Regards,
Salvatore
--- End Message ---
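As an added defender-side illustration (not code from the bug report, from Debian or from Vim), the script below lists the entries of a tar archive whose names Vim would treat specially when passed to `:read` (a leading `!` runs a shell command, `|` or a newline ends the command, backticks expand as a subshell, `%`/`#`/wildcards are expanded as file names; see `:help :read`, `:help :bar`, `:help cmdline-special`). It assumes that the unsanitized value in CVE-2025-27423 is the archive entry name, which the upstream fix commit [2] escapes; the sample archive is constructed in memory.

```python
import io
import re
import tarfile

# Assumption: the value tar.vim passed unescaped to ":read" is the entry name.
# Characters below have special meaning in a ":read" argument or in a string
# given to ":execute", so an unescaped name containing them is mis-parsed.
EXPANSION_CHARS = re.compile(r"[%#*?\[\n]")


def suspicious_entries(tar_bytes):
    """Return (name, reason) pairs for entries whose name :read would mis-parse."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            name = member.name
            if name.lstrip().startswith("!"):
                findings.append((name, "leading '!' makes :read run a shell command"))
            elif "|" in name:
                findings.append((name, "'|' ends :read and starts another Ex command"))
            elif "`" in name:
                findings.append((name, "backticks are expanded as a shell command"))
            elif EXPANSION_CHARS.search(name):
                findings.append((name, "Vim file-name expansion or command separator"))
    return findings


def build_sample_archive(names):
    """Constructed sample: an in-memory tar with one empty regular file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)  # size defaults to 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive(["docs/readme.txt", "!oops", "a|b.txt"])
    for entry, reason in suspicious_entries(sample):
        print(f"{entry!r}: {reason}")
```

Running the check before opening an untrusted archive in a Vim older than 9.1.1164 is one way to triage affected hosts; upgrading to the fixed package remains the actual mitigation.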
--- Begin Message ---
Source: vim
Source-Version: 2:9.1.1230-1
Done: James McCoy <[email protected]>
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 24 Mar 2025 20:59:06 -0400
Source: vim
Architecture: source
Version: 2:9.1.1230-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Vim Maintainers <[email protected]>
Changed-By: James McCoy <[email protected]>
Closes: 1099610 1101016
Changes:
vim (2:9.1.1230-1) unstable; urgency=medium
.
* Merge upstream tag v9.1.1230
+ Security fixes:
- 9.1.1115: use-after-free in str_to_reg(), CVE-2025-26603
- 9.1.1164: editing a specially crafted tar file allows code execution,
(Closes: #1099610, CVE-2025-27423)
- 9.1.1198: potential data loss with zip.vim and crafted zip files,
(Closes: #1101016, CVE-2025-29768)
--- End Message ---