Eli, sorry for the duplicate. I messed up the reply...

On Mon, 20 Jan 2025, Eli Schwartz wrote:

> It seems strange to me to say that it is a vulnerability, for a vim
> option that accepts a full-blown script to also crash when fuzzed.
>
> It's not an attack vector to crash /bin/bash when fed a malformed
> script, so why is there anything to comment on with regard to vim
> either?

It was reported to us via the Security Advisory feature of GitHub and
while I am convinced that this cannot be used to do any harm to users
(except for crashing), there was still a small possibility that this may
have been abused in the future. So when in doubt, I go with handling
this as security relevant.

> How is this "medium" impact?

The CVE calculator tends to exaggerate the score, even when being
conservative with each metric.

Thanks,
Christian