Ubuntu
vim package

[vim] [dapper-backports] Format string vulnerability in the helptags_one function

Bug #150858 reported by disabled.user
254
Affects Status Importance Assigned to Milestone
vim (Ubuntu)
Fix Released
Undecided
Reinhard Tartler

Bug Description

Binary package hint: vim

I recently got vim 7.0.235 "pushed" via dapper-backports (no problem, totally happy with that!).

When comparing dapper-backports' vim changelog.Debian.gz with that from the current vim in Debian's etch-security-repo[1], I noticed that a current patch from upstream, which fixes the issues reported in CVE-2007-2953, is missing. It would be nice if someone could apply the patch and then re-publish the package.

[1] http://packages.debian.org/changelogs/pool/main/v/vim/vim_7.0-122+1etch3/changelog

CVE References

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

http://www.ubuntu.com/usn/usn-505-1

Changed in vim:
status: New → Fix Released
status: Fix Released → New
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The above USN is for official versions of vim, and not the backports version you requested. Sorry for marking it as 'fix released'. I have remarked it new and assigned the backporter to the bug, as I don't see another LP bug referring to the backport of vim.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Please re-sync the dapper backport to address CVE-2007-2953

Changed in vim:
assignee: nobody → siretart
Jamie Strandboge (jdstrand)
Changed in vim:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vim - 1:7.0-035+1ubuntu5.2~dapper1

---------------
vim (1:7.0-035+1ubuntu5.2~dapper1) dapper-backports; urgency=low

  * import the patch from vim upload 1:7.0-035+1ubuntu5.2 to edgy-security
    LP: #150858

vim (1:7.0-035+1ubuntu5.2) edgy-security; urgency=low

  * SECURITY UPDATE: Format string vulnerability allows user-assisted
    remote attackers to execute arbitrary code.
  * Added 'patches/801_CVE-2007-2953': Use puts() instead of
    fprintf(). Patch from upstream, backported.
  * References
    CVE-2007-2953

 -- Reinhard Tartler <email address hidden> Tue, 05 Feb 2008 20:57:44 +0100

Changed in vim:
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.