Your message dated Sat, 01 Sep 2007 19:56:28 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#435401: fixed in vim 1:7.0-122+1etch3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: vim
Version: 1:7.1-022+1
Severity: grave
Tags: security
Justification: user security hole
Hi mates
I found this CVE[0], which states:
The sandbox for vim allows dangerous functions such as (1) writefile,
(2) feedkeys, and (3) system, which might allow user-assisted attackers
to execute shell commands and write files via modelines.
I also saw that there is an Ubuntu security announcement, including these
two patches[1] as a fix.
Can you please investigate if any versions in Debian are vulnerable?
Please also feel free to downgrade/close this bug if the fix is already
in unstable.
Thanks for your efforts.
Cheers
Steffen
[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2438
[1]: http://developer.skolelinux.no/~white/security/vim/
--- End Message ---
--- Begin Message ---
Source: vim
Source-Version: 1:7.0-122+1etch3
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:
vim-common_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim-common_7.0-122+1etch3_i386.deb
vim-doc_7.0-122+1etch3_all.deb
to pool/main/v/vim/vim-doc_7.0-122+1etch3_all.deb
vim-full_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim-full_7.0-122+1etch3_i386.deb
vim-gnome_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim-gnome_7.0-122+1etch3_i386.deb
vim-gtk_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim-gtk_7.0-122+1etch3_i386.deb
vim-gui-common_7.0-122+1etch3_all.deb
to pool/main/v/vim/vim-gui-common_7.0-122+1etch3_all.deb
vim-lesstif_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim-lesstif_7.0-122+1etch3_i386.deb
vim-perl_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim-perl_7.0-122+1etch3_i386.deb
vim-python_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim-python_7.0-122+1etch3_i386.deb
vim-ruby_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim-ruby_7.0-122+1etch3_i386.deb
vim-runtime_7.0-122+1etch3_all.deb
to pool/main/v/vim/vim-runtime_7.0-122+1etch3_all.deb
vim-tcl_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim-tcl_7.0-122+1etch3_i386.deb
vim-tiny_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim-tiny_7.0-122+1etch3_i386.deb
vim_7.0-122+1etch3.diff.gz
to pool/main/v/vim/vim_7.0-122+1etch3.diff.gz
vim_7.0-122+1etch3.dsc
to pool/main/v/vim/vim_7.0-122+1etch3.dsc
vim_7.0-122+1etch3_i386.deb
to pool/main/v/vim/vim_7.0-122+1etch3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Vega <[EMAIL PROTECTED]> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 17 Aug 2007 22:46:28 -0400
Source: vim
Binary: vim-full vim-lesstif vim-common vim-gnome vim-doc vim-runtime vim
vim-gtk vim-perl vim-ruby vim-gui-common vim-tiny vim-python vim-tcl
Architecture: source all i386
Version: 1:7.0-122+1etch3
Distribution: stable-security
Urgency: high
Maintainer: Debian VIM Maintainers <[EMAIL PROTECTED]>
Changed-By: James Vega <[EMAIL PROTECTED]>
Description:
vim - Vi IMproved - enhanced vi editor
vim-common - Vi IMproved - Common files
vim-doc - Vi IMproved - HTML documentation
vim-full - Vi IMproved - enhanced vi editor - full fledged version
vim-gnome - Vi IMproved - enhanced vi editor - with GNOME2 GUI
vim-gtk - Vi IMproved - enhanced vi editor - with GTK2 GUI
vim-gui-common - Vi IMproved - Common GUI files
vim-lesstif - Vi IMproved - enhanced vi editor - with LessTif GUI
vim-perl - Vi IMproved - enhanced vi editor - with Perl support
vim-python - Vi IMproved - enhanced vi editor - with Python support
vim-ruby - Vi IMproved - enhanced vi editor - with Ruby support
vim-runtime - Vi IMproved - Runtime files
vim-tcl - Vi IMproved - enhanced vi editor - with TCL support
vim-tiny - Vi IMproved - enhanced vi editor - compact version
Closes: 435401 438593
Changes:
vim (1:7.0-122+1etch3) stable-security; urgency=high
.
* Add upstream patches 7.0.234 and 7.0.235 which fix CVE-2007-2438.
(Closes: #435401)
* Add upstream patch 7.1.039 which fixes CVE-2007-2953. (Closes: #438593)
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG1VXZXm3vHE4uyloRAkI8AKCw4fK0uMDLLQVqUvV04L9ltzP7wQCg7M2k
NFbDu5zTgeu1ok75rN3ay5Y=
=kFGu
-----END PGP SIGNATURE-----
--- End Message ---