Public bug reported:

Scheduled-For: ubuntu-26.02
Ubuntu: 2:9.1.1882-1ubuntu2
Debian Unstable: 2:9.1.2141-1

A new release of vim is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the tagging from ['dcr-merge'] to ['dcr-sync'], and (optionally) update the title as desired.

### Old Ubuntu Delta ###

vim (2:9.1.1882-1ubuntu2) resolute; urgency=medium

  * No-change rebuild with Python 3.14 as default

 -- Graham Inggs <[email protected]>  Thu, 22 Jan 2026 22:05:05 +0000

vim (2:9.1.1882-1ubuntu1) resolute; urgency=medium

  * Merge with Debian unstable (LP: #2130146). Remaining changes:
    - d/p/0001-fix-flaky-terminal-mode-test.vim: Fix flaky Vim terminal mode test
    - d/p/0002-disable-failing-tests-on-ppc64.patch: Disable some tests that were throwing an ENOMEM during build on ppc64el. The tests are only disabled when building on ppc64el.
    - d/p/0003-skip-test-failing-on-s390x-only.patch: Skip test failing on s390x
    - d/p/increase_timeout.diff: Increase timeout for the Test_pattern_compile_speed patch.
    - d/p/debian/ubuntu-grub-syntax.patch: Add Ubuntu-specific "quiet" keyword.
    - d/runtime/vimrc: "syntax on" is a sane default for non-tiny Vim.
    Dropping changes applied in upstream:
    - SECURITY UPDATE: Path traversal when opening specially crafted tar/zip archives.
      + d/p/CVE-2025-53905.patch: Replace "echohl Error" with call, remove leading slashes from name, replace tar_secure with g:tar_secure in runtime/autoload/tar.vim.
      + d/p/CVE-2025-53906.patch: Add need_rename, replace w! with w, call warning for path traversal attack, and escape leading "../" in runtime/autoload/zip.vim.
      + CVE-2025-53905
      + CVE-2025-53906
    - SECURITY UPDATE: Data loss when extracting special zip files.
      + d/p/CVE-2025-29768.patch: Substitute special characters in ./runtime/autoload/zip.vim.
      + CVE-2025-29768
    - SECURITY UPDATE: Code execution when editing tar files.
      + d/p/CVE-2025-27423.patch: Use escape_file instead of fname in ./runtime/autoload/tar.vim.
      + CVE-2025-27423
    - SECURITY UPDATE: Use after free when redirecting display command to register.
      + d/p/CVE-2025-26603.patch: Change redir_reg check to use vim_strchr command check in ./src/register.c.
      + CVE-2025-26603
    - SECURITY UPDATE: Denial of service.
      + d/p/CVE-2025-24014.patch: fix a segfault in win_line() in files src/gui.c, src/testdir/crash/ex_redraw_crash, src/testdir/test_crash.vim.
      + CVE-2025-24014
    - SECURITY UPDATE: Crash when file is inaccessible with log option.
      + d/p/CVE-2025-1215.patch: Split common_init to common_init_1 and common_init_2 in ./src/main.c.
      + CVE-2025-1215
    - SECURITY UPDATE: Heap-buffer-overflow when switching buffers.
      + d/p/CVE-2025-22134.patch: Add reset_VIsual_and_resel() to src/arglist.c. Add ptrlen checks in src/misc1.c and src/ops.c.
      + CVE-2025-22134
    Dropping changes applied in Debian:
    - Revert "patch 9.1.0949: popups inconsistently shifted to the left", since it breaks vim-youcompleteme's autopkgtests. (Closes: #1091729)
    Dropping changes that are no longer needed in Ubuntu:
    - d/p/ubuntu-mouse-off.patch: Mouse mode is actively harmful in some chroots.
      Dropping since it causes many issues with the test suite
    - d/p/ubuntu-disable-mouse-popup-test.patch: Disable mouse popup test
      Is related to ubuntu-mouse-off.patch
    - d/s/include-binaries: Add heap_overflow3 test file to include-binaries
      Dropping since it was originally added for testdata coming from a security update, but now the orig tarball actually contains this testdata
  * d/p/0002-disable-failing-tests-on-ppc64.patch: Skip Test_autocmd_SafeState
  * d/p/0003-skip-test-failing-on-s390x-only.patch: Skip Test_linematch_diff_grouping and Test_diff_overlapped_diff_blocks_will_be_merged

 -- Nadzeya Hutsko <[email protected]>  Fri, 28 Nov 2025 14:26:41 +0100

### New Debian Changes ###

vim (2:9.1.2141-1) unstable; urgency=medium

  * Merge upstream tag v9.1.2141
    + Security fixes
      - 9.1.2132: Fix buffer-overflow in 'helpfile' option handling, CVE-2026-25749

 -- James McCoy <[email protected]>  Mon, 09 Feb 2026 07:06:42 -0500

vim (2:9.1.2103-1) unstable; urgency=medium

  * Merge upstream patch v9.1.2103
    + syntax/debcontrol.vim:
      - Only highlight email addresses in Maintainer / Uploaders fields
      - Add support for highlighting build profiles and architecture restrictions (Closes: #1124089)
  * Disable flaky Test_client_server_stopinsert test
  * Remove Rules-Requires-Root, since no is the default value
  * Remove Priority field, since optional is the default value
  * Declare compliance with Policy 4.7.3

 -- James McCoy <[email protected]>  Fri, 23 Jan 2026 06:27:15 -0500

** Affects: vim (Ubuntu)
     Importance: Undecided
     Assignee: Ural Tunaboyu (uralt)
         Status: In Progress

** Tags: dcr-merge
https://bugs.launchpad.net/bugs/2142221

Title:
  Merge vim from Debian Unstable for resolute
