vim patch 6.3.081 is needed. ciaranm, who currently is unable to log in to bugzilla, said that ka0ttic, slarti, rphillips or agriffis could act as the proxy to commit this update. http://groups.yahoo.com/group/vimdev/message/40147
ka0ttic, slarti, rphillips or agriffis please advise.
ciaranm says that upgrading to 6.3.082 resolves this (and similar issues with expand())
I'm working on committing 084.
ok. 084 has been committed and unmasked on x86.
Arches, please test and mark gvim (except arm and s390), vim and vim-core 6.3.084 stable. Thanks everybody!
Is it OK to mark these bad boys as blocker during release time when we're under crunch time if it is holding us up? Heh... Well... this is blocking the release at the moment... thanks all
This would already be stable on amd64 if I could get the patches from the mirrors...
Stable on hppa
Stable on amd64.
Upgrading severity to blocker as requested by wolf31o2
The mirrors should have the packages now.
Marked ppc stable.
sparc stable. FYI ppc forgot about gvim... how's that reading ability doing? ;)
Yeah, yeah. Sorry about that, I forgot to commit. It's fixed.
Back to blocker.
stable on ppc64
Stable on alpha.
This one is ready for GLSA decision.
Voting NO. Gentoo disables modelines by default, which I assume is the only attack vector here. Also, the vim documentation states that the sandbox is not guaranteed to be secure.
Thx for the explanation Tavis. I also vote NO. Closing with NO GLSA. arm, ia64, mips, s390 please remember to mark stable.
Stable on mips.
*** Bug 100353 has been marked as a duplicate of this bug. ***
Candidate: CAN-2005-2368
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2368
Reference: FULLDISC:20050725 Help poor children in Uganda
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-July/035402.html
Reference: MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html

vim 6.3 before 6.3.082, with modelines enabled, allows attackers to execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression for calculating fold levels.
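As an added example (not from this bug report or from the vim project), a small triage scanner in the spirit of the NO vote above: it looks only at the lines Vim would read for a modeline and flags foldexpr settings that call glob() or expand(), the pattern the CVE entry describes. The regexes, the window size of 5 and the sample file are my own construction and only approximate Vim's modeline parsing.

```python
import re

# Vim scans only the first and last 'modelines' lines (default 5) for modelines.
MODELINES = 5

# Both modeline forms, "vim: opt opt" and "vim: set opt opt:", plus vi:/ex:.
# Hand-written approximation of Vim's modeline parser, adequate for triage only.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|ex):\s*(set\s+)?(.*)$")

# foldexpr values calling glob()/expand() are what CAN-2005-2368 describes.
SUSPECT_RE = re.compile(r"foldexpr\s*=.*\b(?:glob|expand)\s*\(", re.IGNORECASE)


def candidate_lines(lines, n=MODELINES):
    """Return (line_number, text) pairs for the lines Vim would inspect."""
    if len(lines) <= 2 * n:
        return list(enumerate(lines, 1))
    head = list(enumerate(lines[:n], 1))
    tail = list(enumerate(lines[-n:], len(lines) - n + 1))
    return head + tail


def find_modelines(lines):
    """Yield (line_number, option_text) for every modeline in the window."""
    for lineno, text in candidate_lines(lines):
        m = MODELINE_RE.search(text)
        if not m:
            continue
        opts = m.group(2)
        if m.group(1):                 # "set ..." form ends at the next ':'
            opts = opts.split(":", 1)[0]
        yield lineno, opts.strip()


def scan(lines):
    """Line numbers of modelines whose foldexpr calls glob() or expand()."""
    return [n for n, opts in find_modelines(lines) if SUSPECT_RE.search(opts)]


# Constructed sample file (20 lines): lines 2 and 20 carry the CVE pattern,
# line 3 is a benign modeline, line 10 lies outside the window Vim inspects.
SAMPLE = (["#!/bin/sh",
           "# vim: set foldmethod=expr foldexpr=glob('%'):",
           "# vim: ts=4 sw=4"]
          + ["echo line"] * 6
          + ["# vim: set foldexpr=expand('%'):"]
          + ["echo line"] * 9
          + ["# ex: foldexpr=expand('%')"])

if __name__ == "__main__":
    print("suspect modelines on lines:", scan(SAMPLE))   # [2, 20]
```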