Bug 227453 (CVE-2008-2712) - <app-editors/vim-core-7.2: Shell Command Injection Vulnerabilities (CVE-2008-2712)
Status: RESOLVED FIXED
Alias: CVE-2008-2712
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/30731/
Whiteboard: A2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-06-16 15:03 UTC by GNUtoo
Modified: 2014-05-31 18:05 UTC

See Also:
Package list:
Runtime testing required: ---


Description GNUtoo 2008-06-16 15:03:54 UTC
Vim Shell Command Injection Vulnerabilities; see the URL.

Reproducible: Always
Comment 1 Ali Polatel (RETIRED) gentoo-dev 2008-06-20 12:37:28 UTC
I've bumped vim-core,vim and gvim to 7.1.319.
@security: I plan to remove vim-6.4. Do you want me to mask it or will you do it?
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 18:59:00 UTC
ali: please proceed with the mask.
Arches, please test and mark stable app-editors/vim-core-7.1.319. Target KEYWORDS: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 3 Friedrich Oslage (RETIRED) gentoo-dev 2008-07-06 20:11:28 UTC
Are we supposed to just stabilize vim-core or vim-core, vim and gvim?
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 20:17:58 UTC
(In reply to comment #3)
> Are we supposed to just stabilize vim-core or vim-core, vim and gvim?
> 

both of them, my mistake.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-06 20:21:38 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > Are we supposed to just stabilize vim-core or vim-core, vim and gvim?
> > 
> 
> both of them, my mistake.

All three of them.
Comment 6 Dawid Węgliński (RETIRED) gentoo-dev 2008-07-06 21:00:04 UTC
amd64/x86 stable
Comment 7 Dawid Węgliński (RETIRED) gentoo-dev 2008-07-06 21:05:33 UTC
Also unCC arches.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-06 21:45:16 UTC
Stable for HPPA.
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2008-07-06 22:38:29 UTC
All three stable on sparc.  I've been using [vim, gvim]-7.1.319 pretty heavily for almost four weeks with no problems.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2008-07-07 02:56:22 UTC
ppc and ppc64 done for all three pkgs
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-07-07 12:15:53 UTC
alpha/ia64 stable
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-15 16:46:28 UTC
Does this version actually fix all of the vulnerabilities? Using the test suite from http://www.rdancer.org/vulnerablevim.html I get the following result:

-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
filetype.vim
  strong  : EXPLOIT FAILED
  weak    : EXPLOIT FAILED
zipplugin : VULNERABLE
xpm.vim
  xpm     : VULNERABLE
  xpm2    : VULNERABLE
  remote  : VULNERABLE
gzip_vim  : EXPLOIT FAILED
netrw     : VULNERABLE

Should be noted in the GLSA I guess.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-17 12:15:28 UTC
vim team, do you know if upstream is trying to fix the remaining issues in the near future? if yes, we will postpone this glsa until everything is fixed.
Comment 14 Ali Polatel (RETIRED) gentoo-dev 2008-08-14 08:44:21 UTC
(In reply to comment #13)
> vim team, do you know if upstream is trying to fix the remaining issues in the
> near future? if yes, we will postpone this glsa until everything is fixed.
> 

{vim,gvim}-7.2 fixes this. It's in CVS.
-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
Vim version 7.2
zip.vim version: 
netrw.vim version: 
-------------------------------------------
filetype.vim
  strong  : EXPLOIT FAILED
  weak    : EXPLOIT FAILED
tarplugin : EXPLOIT FAILED
tarplugin.updated: EXPLOIT FAILED
tarplugin.v2: EXPLOIT FAILED
zipplugin : EXPLOIT FAILED
zipplugin.v2: EXPLOIT FAILED
xpm.vim
  xpm     : EXPLOIT FAILED
  xpm2    : EXPLOIT FAILED
  remote  : EXPLOIT FAILED
gzip_vim  : EXPLOIT FAILED
netrw     : EXPLOIT FAILED
netrw.v2  : EXPLOIT FAILED
netrw.v3  : EXPLOIT FAILED
netrw.v4  : EXPLOIT FAILED
netrw.v5  : EXPLOIT FAILED
shellescape: EXPLOIT FAILED
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 18:05:24 UTC
This issue has been fixed on Security-supported arches since Aug 15, 2008. No GLSA will be issued.