#2597: Update vim-7.2-fixes-5.patch
---------------------+------------------------------------------------------
Reporter: kratz00 | Owner: lfs-b...@…
Type: task | Status: new
Priority: normal | Milestone: 6.7
Component: Book | Version: SVN
Severity: normal | Keywords:
---------------------+------------------------------------------------------
Comment(by matt...@…):
Gilles,
CVE-2008-6235 - netrw.vim not patched upstream yet
CVE-2008-3076 - netrw.vim not patched upstream yet
CVE-2008-3075 - same root cause as 3074
CVE-2008-3074 - same root cause as 3075 - isn't identified in CVE DB though
CVE-2009-0316 - patched in upstream patch 045
CVE-2008-4677 - netrw.vim not patched upstream yet
CVE-2008-4101 - patched in upstream patch 010
So, out of 7 vulnerabilities I can only be confident of fixing 2 of them.
3 haven't been addressed upstream, from what I can tell, and 2 don't even
allude to where the problem lies. Checking whether upstream has fixed
those is impossible as none of their patches contain CVE numbers!
Just cherry-picking the 2 CVE fixes we know about and putting them in the
book would, I suspect, give our users a false sense of security. So, I
stand by my original assertion that we shouldn't patch Vim at all.
For anyone interested, my Vim patch generation script is now at
http://www.linuxfromscratch.org/~matthew/genVimPatch.sh
--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/2597#comment:6>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
--
http://linuxfromscratch.org/mailman/listinfo/lfs-book