Debian Bug report logs - #867720
CVE-2017-11109
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>: Bug#867720; Package src:vim. (Sat, 08 Jul 2017 21:42:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>. (Sat, 08 Jul 2017 21:42:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: vim
Severity: important
Tags: security
This was assigned CVE-2017-11109:
https://bugzilla.redhat.com/show_bug.cgi?id=1468492
Cheers,
Moritz
Marked as found in versions vim/2:8.0.0134-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Jul 2017 07:39:05 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Jul 2017 07:39:06 GMT)
Marked as found in versions vim/2:7.4.488-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Jul 2017 07:39:08 GMT)
Added tag(s) pending. Request was from James McCoy <jamessan@debian.org> to control@bugs.debian.org. (Wed, 12 Jul 2017 03:15:05 GMT)
Message sent on to Moritz Muehlenhoff <jmm@debian.org>: Bug#867720. (Wed, 12 Jul 2017 03:15:07 GMT)
Message #18 received at 867720-submitter@bugs.debian.org:
tag 867720 pending
thanks
Hello,
Bug #867720 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/pkg-vim/vim.git/commit/?id=ad7fc02
---
commit ad7fc02f0a9eac2edb38ca70223b98a60a139efa
Author: James McCoy <jamessan@debian.org>
Date: Tue Jul 11 22:37:54 2017 -0400
Backport upstream patches 8.0.070{3,6,7} for CVE-2017-11109
Signed-off-by: James McCoy <jamessan@debian.org>
diff --git a/debian/changelog b/debian/changelog
index 978762c..8df2745 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+vim (2:8.0.0197-5) UNRELEASED; urgency=medium
+
+ * Backport upstream patches to fix CVE-2017-11109 (Closes: #867720)
+ + 8.0.0703: Illegal memory access with empty :doau command
+ + 8.0.0706: Crash when cancelling the cmdline window in Ex mode
+ + 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands
+
+ -- James McCoy <jamessan@debian.org> Tue, 11 Jul 2017 22:34:22 -0400
+
vim (2:8.0.0197-4) unstable; urgency=medium
* Backport upstream patch v8.0.0550 to fix a regression in tag lookups for
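Review bot: the header line of the new stanza keeps "urgency=medium" although the entry's only change is a CVE fix for a bug tagged security; consider raising it to "urgency=high" when UNRELEASED is replaced with the target distribution, so the fix is not held back by the longer migration delay. The three patch bullets would also be easier to audit if each named the file under debian/patches that carries the backport.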
Reply sent to James McCoy <jamessan@debian.org>: You have taken responsibility. (Wed, 12 Jul 2017 03:39:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Wed, 12 Jul 2017 03:39:03 GMT)
Message #23 received at 867720-close@bugs.debian.org:
Source: vim
Source-Version: 2:8.0.0197-5
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 867720@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 11 Jul 2017 23:11:25 -0400
Source: vim
Binary: vim-common vim-gui-common vim-runtime vim-doc vim-tiny vim vim-gtk vim-gtk3 vim-nox vim-athena vim-gnome xxd
Architecture: source
Version: 2:8.0.0197-5
Distribution: unstable
Urgency: high
Maintainer: Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Description:
vim - Vi IMproved - enhanced vi editor
vim-athena - Vi IMproved - enhanced vi editor - with Athena GUI
vim-common - Vi IMproved - Common files
vim-doc - Vi IMproved - HTML documentation
vim-gnome - Vi IMproved - enhanced vi editor (dummy package)
vim-gtk - Vi IMproved - enhanced vi editor - with GTK2 GUI
vim-gtk3 - Vi IMproved - enhanced vi editor - with GTK3 GUI
vim-gui-common - Vi IMproved - Common GUI files
vim-nox - Vi IMproved - enhanced vi editor - with scripting languages suppo
vim-runtime - Vi IMproved - Runtime files
vim-tiny - Vi IMproved - enhanced vi editor - compact version
xxd - tool to make (or reverse) a hex dump
Closes: 867720
Changes:
vim (2:8.0.0197-5) unstable; urgency=high
.
* Backport upstream patches to fix CVE-2017-11109 (Closes: #867720)
+ 8.0.0703: Illegal memory access with empty :doau command
+ 8.0.0706: Crash when cancelling the cmdline window in Ex mode
+ 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 11 Aug 2017 07:25:23 GMT)
Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 30 Sep 2017 12:09:06 GMT)
Marked as found in versions vim/2:8.0.0197-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 30 Sep 2017 12:09:08 GMT)
Marked as found in versions vim/2:7.4.488-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 30 Sep 2017 12:09:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>: Bug#867720; Package src:vim. (Sat, 30 Sep 2017 12:39:02 GMT)
Acknowledgement sent to James McCoy <jamessan@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>. (Sat, 30 Sep 2017 12:39:03 GMT)
Message #36 received at 867720@bugs.debian.org:
On Sep 30, 2017 08:00, "Salvatore Bonaccorso" <carnil@debian.org> wrote:
Hi
On Sat, Sep 30, 2017 at 11:59:07AM +0200, Moritz Mühlenhoff wrote:
> James McCoy wrote:
> > diff --git a/debian/changelog b/debian/changelog
> > index 978762c..8df2745 100644
> > --- a/debian/changelog
> > +++ b/debian/changelog
> > @@ -1,3 +1,12 @@
> > +vim (2:8.0.0197-5) UNRELEASED; urgency=medium
> > +
> > + * Backport upstream patches to fix CVE-2017-11109 (Closes: #867720)
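Review bot: the version in the quoted stanza header, 2:8.0.0197-5, belongs to the unstable upload, so this header cannot be copied for a fix shipped to stable as discussed in this reply; that upload needs its own stanza, with a version that sorts below -5 and the stable distribution name in place of UNRELEASED.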
>
> JFTR, this doesn't warrant a DSA on its own, we can fix this along
> when the next (more severe) vim security issue arises.
Or, always possible, an update via a point release :)
I had been meaning to do that, but have found time yet. I'll bump up the
priority. Thanks for the reminder.
Cheers,
James
Reply sent to James McCoy <jamessan@debian.org>: You have taken responsibility. (Sun, 01 Oct 2017 12:03:06 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sun, 01 Oct 2017 12:03:06 GMT)
Message #41 received at 867720-close@bugs.debian.org:
Source: vim
Source-Version: 2:8.0.0197-4+deb9u1
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 867720@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 30 Sep 2017 14:21:38 -0400
Source: vim
Binary: vim-common vim-gui-common vim-runtime vim-doc vim-tiny vim vim-gtk vim-gtk3 vim-nox vim-athena vim-gnome xxd
Architecture: source
Version: 2:8.0.0197-4+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Description:
vim - Vi IMproved - enhanced vi editor
vim-athena - Vi IMproved - enhanced vi editor - with Athena GUI
vim-common - Vi IMproved - Common files
vim-doc - Vi IMproved - HTML documentation
vim-gnome - Vi IMproved - enhanced vi editor (dummy package)
vim-gtk - Vi IMproved - enhanced vi editor - with GTK2 GUI
vim-gtk3 - Vi IMproved - enhanced vi editor - with GTK3 GUI
vim-gui-common - Vi IMproved - Common GUI files
vim-nox - Vi IMproved - enhanced vi editor - with scripting languages suppo
vim-runtime - Vi IMproved - Runtime files
vim-tiny - Vi IMproved - enhanced vi editor - compact version
xxd - tool to make (or reverse) a hex dump
Closes: 867720
Changes:
vim (2:8.0.0197-4+deb9u1) stretch; urgency=medium
.
* Backport upstream patches to fix CVE-2017-11109 (Closes: #867720)
+ 8.0.0703: Illegal memory access with empty :doau command
+ 8.0.0706: Crash when cancelling the cmdline window in Ex mode
+ 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 30 Oct 2017 07:25:33 GMT)
Last modified: Wed Jun 19 15:01:53 2019