Bug 29583

Summary: vim new security issues CVE-2021-3872, CVE-2021-3875, CVE-2021-3903, CVE-2021-392[78], CVE-2021-3968, CVE-2021-397[34]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: Justinmachany932, aaron10101999, andrewsfarm, brtians1, davidwhodgins, hdetavernier, herman.viaene, mageia, sysadmin-bugs, thierry.vignaud
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: vim-8.2.2143-3.2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-10-23 15:43:45 CEST 
Fedora has issued an advisory today (October 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/

The issues are fixed upstream in 8.2.3489.
David Walser 2021-10-23 15:43:56 CEST

Status comment: (none) => Fixed upstream in 8.2.3489

Comment 1 Lewis Smith 2021-10-23 21:06:12 CEST 
Assigning to tv whose baby this is, CC'ing neoclust who did some recent patches.

CC: (none) => mageia
Assignee: bugsquad => thierry.vignaud

Comment 2 David Walser 2021-11-03 15:29:31 CET 
Fedora has issued an advisory today (November 3):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DU26T75PYA3OF7XJGNKMT2ZCQEU4UKP5/

The issue is fixed upstream in 8.2.3564.

Status comment: Fixed upstream in 8.2.3489 => Fixed upstream in 8.2.3564
Summary: vim new security issues CVE-2021-3872 and CVE-2021-3875 => vim new security issues CVE-2021-3872, CVE-2021-3875, CVE-2021-3903

Comment 3 David Walser 2021-11-05 22:37:06 CET 
Apparently there are some other recent security fixes upstream, like this one that supposedly has a CVE:
https://github.com/vim/vim/commit/0b5b06cb4777d1401fdf83e7d48d287662236e7e

We should update to the latest (currently 8.2.3582).
Comment 4 David Walser 2021-11-10 15:38:15 CET 
Fedora has issued an advisory today (November 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PGW56Z6IN4UVM3E5RXXF4G7LGGTRBI5C/

It has the two new CVEs, fixed in 8.2.3582.

Summary: vim new security issues CVE-2021-3872, CVE-2021-3875, CVE-2021-3903 => vim new security issues CVE-2021-3872, CVE-2021-3875, CVE-2021-3903, CVE-2021-392[78]
Status comment: Fixed upstream in 8.2.3564 => Fixed upstream in 8.2.3582

Comment 5 David Walser 2021-11-16 17:12:14 CET 
Ubuntu has issued an advisory for this on November 15:
https://ubuntu.com/security/notices/USN-5147-1
Comment 6 Nicolas Lécureuil 2021-11-22 21:29:47 CET 
as seen with thierry, i updated the release of vim.


src:
    - vim-8.2.3582-1.mga8

CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs

Nicolas Lécureuil 2021-11-22 21:29:54 CET

Status comment: Fixed upstream in 8.2.3582 => (none)

Comment 7 David Walser 2021-11-22 21:35:31 CET 
vim-minimal-8.2.3582-1.mga8
vim-enhanced-8.2.3582-1.mga8
vim-X11-8.2.3582-1.mga8
vim-common-8.2.3582-1.mga8

from vim-8.2.3582-1.mga8.src.rpm
Comment 8 Brian Rockwell 2021-11-23 03:53:05 CET 
MG8-64, Xfce

The following 4 packages are going to be installed:

- vim-common-8.2.3582-1.mga8.x86_64
- vim-enhanced-8.2.3582-1.mga8.x86_64
- vim-minimal-8.2.3582-1.mga8.x86_64
- vim-X11-8.2.3582-1.mga8.x86_64

4.5MB of additional disk space will be used.

I used vim from terminal creating and edit small and large files
gvim - perforemd the same

This is working for me.

CC: (none) => brtians1

Comment 9 Hugues Detavernier 2021-11-23 09:43:04 CET 
Hi,

Mageia 8 X64 Gnome

rpm -qa | grep vim
vim-X11-8.2.3582-1.mga8
vim-common-8.2.3582-1.mga8
vim-enhanced-8.2.3582-1.mga8
vim-minimal-8.2.3582-1.mga8

Works fine.

CC: (none) => hdetavernier

Comment 10 David Walser 2021-11-25 01:28:00 CET 
Fedora has issued an advisory today (November 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IH2LS2DXBTYOCWGAKFMBF3HTWWXPBEFL/

Three new issues are fixed upstream in 8.2.3612.

Status comment: (none) => Fixed upstream in 8.2.3612
Assignee: qa-bugs => mageia

David Walser 2021-11-25 01:28:18 CET

Summary: vim new security issues CVE-2021-3872, CVE-2021-3875, CVE-2021-3903, CVE-2021-392[78] => vim new security issues CVE-2021-3872, CVE-2021-3875, CVE-2021-3903, CVE-2021-392[78], CVE-2021-3968, CVE-2021-397[34]

Comment 11 Nicolas Lécureuil 2021-11-25 22:59:25 CET 
again fixed in mga8:

src:
    - vim-8.2.3642-1.mga8

Assignee: mageia => qa-bugs
Status comment: Fixed upstream in 8.2.3612 => (none)

Comment 12 David Walser 2021-11-26 01:27:13 CET 
vim-X11-8.2.3642-1.mga8
vim-enhanced-8.2.3642-1.mga8
vim-minimal-8.2.3642-1.mga8
vim-common-8.2.3642-1.mga8

from vim-8.2.3642-1.mga8.src.rpm
Comment 13 Brian Rockwell 2021-11-26 01:51:29 CET 
upgraded

working for me.  

I used both vim on terminal and gvim from menu.
Comment 14 Herman Viaene 2021-12-02 16:28:37 CET 
MGA8-64 Plasma on Lenovo B50
No installation issues.
Used vimw to edit some text file: works OK after searching my memory for vi commands-phew....

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 15 Thomas Andrews 2021-12-02 17:00:46 CET 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-12-03 17:50:44 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 16 Mageia Robot 2021-12-03 19:46:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0535.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 18 Aaron Ramsdale 2022-07-07 08:54:18 CEST Comment hidden (spam)

CC: (none) => aaron10101999

Comment 19 carlhammond hammond 2022-08-23 09:33:02 CEST Comment hidden (spam)

CC: (none) => Justinmachany932