I got a heads-up on IRC about a security issue fixed upstream in vim: https://github.com/vim/vim/commit/23a971da506249fc8388f06cd5c011b83406ac5c "code exec through rvim". So we'll need to update it again soon (latest is currently 9.0.1441). I assume a CVE will be assigned at some point (especially since it seems like most vim commits get CVEs lately).
Whiteboard: (none) => MGA8TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

"rvim" can execute a shell through :diffpatch.

References:
https://github.com/vim/vim/commit/23a971da506249fc8388f06cd5c011b83406ac5c
========================

Updated packages in core/updates_testing:
========================

vim-X11-9.0.1441-1.mga8
vim-common-9.0.1441-1.mga8
vim-enhanced-9.0.1441-1.mga8
vim-minimal-9.0.1441-1.mga8

from SRPM:
vim-9.0.1441-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Assignee: bugsquad => qa-bugs
Source RPM: vim-9.0.1411-1.mga9.src.rpm => vim-9.0.1411-1.mga8.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Mageia 8, x86_64

Sidestepped the business of executing a shell via :diffpatch. Not my territory. The point about rvim is that it involves usage restrictions like not being able to start a shell.

Updated the packages and tested vim much as in bug 31637 and found no regressions.

vim opens a file with the cursor positioned at the last position it occupied if previously edited with vim.

`vim -r` lists all swap files in the current directory and various tmp directories. A previous session may be recovered using

$ vim -r <filename>

e.g.

$ vim -r kernel
Using swap file ".kernel.swp"
Original file "~/text/kernel"
Recovery completed. Buffer contents equals file contents.
You may want to delete the .swp file now.
Press ENTER or type command to continue
--------------------

That worked, but the .kernel.swp file in the current directory had not changed, so the swap file must be removed before closing the current edit.

$ ex <file> works. A search with the / command returns the first match and 'visual' switches to normal mode. Useful perhaps for checking the contents of files without revealing everything.

$ vimdiff kernel kernel.106
2 files to edit

This showed the differences between two files side by side (up to 8 is possible). `vim -d files...` is the same thing.

$ gvim <file> displays the file in a GUI panel which responds to the mouse for positioning.

evim does not seem to be available (easy mode), but `vim -y` does the same thing; it does not seem to be very useful because there is no apparent way to exit.

No regressions as far as can be seen.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
Validating. Advisory in comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0137.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED