A security issue in vim has been announced: http://openwall.com/lists/oss-security/2016/11/22/20 The issue is fixed upstream in 8.0.056 and the patch to fix it is included in the message above. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Debian has issued an advisory for this today (November 22): https://www.debian.org/security/2016/dsa-3722
CC: (none) => mageiaVersion: Cauldron => 5Whiteboard: MGA5TOO => (none)
URL: (none) => https://lwn.net/Vulnerabilities/707211/
Debian-LTS has issued an advisory today (February 13): https://lwn.net/Alerts/714402/ This fixes an additional issue, CVE-2017-5953: https://lwn.net/Vulnerabilities/714427/ The upstream commit to fix the issue is linked from the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854969 The fix was included in 8.0.0322, so Cauldron will need to be updated too.
Version: 5 => CauldronSummary: vim new security issue CVE-2016-1248 => vim new security issues CVE-2016-1248 and CVE-2017-5953Whiteboard: (none) => MGA5TOO
Fedora has issued an advisory today (March 1): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JYVF3KT6EAEDFGLP5STYMQ7VRJDMK66G/ It fixes two additional security issues.
Summary: vim new security issues CVE-2016-1248 and CVE-2017-5953 => vim new security issues CVE-2016-1248, CVE-2017-5953, CVE-2017-6349, CVE-2017-6350
we have vim 8.0-388 so it is OK in cauldron
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)CVE: (none) => CVE-2016-1248, CVE-2017-5953, CVE-2017-6349, CVE-2017-6350
pushed in updates_testing for mageia 5 src.rpm: vim-7.4.430-7.1.mga5
Assignee: thierry.vignaud => qa-bugs
Advisory: ======================== Updated vim packages fix security vulnerabilities: Florian Larysch and Bram Moolenaar discovered that vim, an enhanced vi editor, does not properly validate values for the "filetype", "syntax" and "keymap" options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened (CVE-2016-1248). A vulnerability has been discovered in Vim where a malformed spell file could cause an integer overflow which is used as the size for memory allocation, resulting in a subsequent buffer overflow (CVE-2017-5953). An integer overflow flaw was found in the way vim handled undo files. This bug could result in vim crashing when trying to process corrupted undo files (CVE-2017-6349). An integer overflow flaw was found in the way vim handled tree length values when reading an undo file. This bug could result in vim crashing when trying to process corrupted undo files (CVE-2017-6350). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6349 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6350 https://www.debian.org/security/2016/dsa-3722 https://www.debian.org/security/2017/dsa-3786 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JYVF3KT6EAEDFGLP5STYMQ7VRJDMK66G/ ======================== Updated packages in core/updates_testing: ======================== vim-common-7.4.430-7.1.mga5 vim-minimal-7.4.430-7.1.mga5 vim-enhanced-7.4.430-7.1.mga5 vim-X11-7.4.430-7.1.mga5 from vim-7.4.430-7.1.mga5.src.rpm
Installed and tested without issues. There is no specific test procedure so I did some usual editing. $ rpm -qa | grep vim vim-common-7.4.430-7.1.mga5 vim-enhanced-7.4.430-7.1.mga5 vim-minimal-7.4.430-7.1.mga5
Whiteboard: (none) => MGA5-64-OKCC: (none) => mageia
Advisory uploaded, validating.
Whiteboard: MGA5-64-OK => advisory MGA5-64-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0275.html
Status: NEW => RESOLVEDResolution: (none) => FIXED