CVE-2017-11109 (https://nvd.nist.gov/vuln/detail/CVE-2017-11109): Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. NOTE: there might be a limited number of scenarios in which this has security relevance. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Hi,

Looking at the Debian changelog, this bug has been fixed for Vim versions greater than 8.0.070x [1]. The latest version available in our repository is 8.0.1188. Should I call for stabilisation of this version here? Thanks!

[1]: https://anonscm.debian.org/cgit/pkg-vim/vim.git/commit/?id=ad7fc02
(In reply to Patrice Clement from comment #1)
> Hi
>
> Looking at the Debian changelog, this bug has been fixed for Vim versions
> greater than 8.0.070x [1]. The latest version available in our repository is
> 8.0.1188. Should I call for stabilisation of this version here? Thanks!
>
> [1]: https://anonscm.debian.org/cgit/pkg-vim/vim.git/commit/?id=ad7fc02

Patrice, I apologize for the delay. Yes, you would call for stable here. Debian backported that patch from upstream. As long as the patch is either included in Gentoo as a backported patch or the code changes are included in the respective upstream version, we can proceed.
Red Hat still has the bug locked and I cannot find a diff of the changes.
Sec team, The latest stable version of vim in the tree is 8.0.1298. As per comment https://bugs.gentoo.org/624650#c1, this CVE is no longer relevant. Please close this bug report.
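The question the thread turns on is whether a given Vim build already carries the upstream patch, either because its patch level is high enough or because the patch was backported. The following is an added example, not code from this bug report, from Vim, or from Gentoo: it parses the "Included patches" line that `vim --version` prints and checks whether a caller-supplied patch number is covered. The page only narrows the fix to "8.0.070x", so the example takes the patch number as a parameter; the numbers used in the sample calls (703, 704) are placeholders, not the real fix patch, and the banners are constructed, not captured from a real system.

```python
"""Check whether a Vim build's "Included patches" line covers a given patch.

Added example, not from the Gentoo bug or from Vim itself. The sample
`vim --version` banners are constructed; the patch number asked about is
supplied by the caller, since the thread only narrows the fix to 8.0.070x.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Lines of interest in the `vim --version` banner.
VERSION_LINE = re.compile(r"^VIM - Vi IMproved (\d+)\.(\d+)", re.MULTILINE)
PATCH_LINE = re.compile(r"^Included patches:\s*(.+)$", re.MULTILINE)

# Constructed banners (assumed shapes, trimmed to the lines that matter).
FULL_8_0_1298 = """VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Dec  1 2017 10:00:00)
Included patches: 1-1298
Compiled by portage@localhost
Huge version without GUI.
"""

BACKPORTED_8_0 = """VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Jul 10 2017 09:00:00)
Included patches: 1-600, 703, 705-710
Compiled by someone@buildhost
"""

UNPATCHED_8_0 = """VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Sep 12 2016 00:00:00)
Compiled by someone@buildhost
"""


def parse_base_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from the first banner line, or None if absent."""
    m = VERSION_LINE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def parse_patch_ranges(banner: str) -> List[Tuple[int, int]]:
    """Return the (lo, hi) patch ranges listed in the banner.

    Vim prints e.g. "Included patches: 1-600, 703, 705-710". A build with no
    patches applied prints no such line at all, which yields an empty list.
    """
    m = PATCH_LINE.search(banner)
    if not m:
        return []
    ranges: List[Tuple[int, int]] = []
    for chunk in m.group(1).split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "-" in chunk:
            lo, hi = chunk.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(chunk), int(chunk)))
    return ranges


def includes_patch(banner: str, major: int, minor: int, patch: int) -> bool:
    """True if the build is major.minor and lists `patch`, or is a later series.

    Patch numbering restarts with each minor release, and each new minor
    release is cut from the fully patched previous one, so a build from a
    later series is treated as carrying every earlier patch.
    """
    base = parse_base_version(banner)
    if base is None:
        raise ValueError("not a `vim --version` banner")
    if base > (major, minor):
        return True
    if base < (major, minor):
        return False
    return any(lo <= patch <= hi for lo, hi in parse_patch_ranges(banner))


def installed_vim_includes(major: int, minor: int, patch: int) -> bool:
    """Run the local `vim --version` and check it; not used by the samples."""
    out = subprocess.run(["vim", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return includes_patch(out, major, minor, patch)


if __name__ == "__main__":
    # Placeholder patch numbers; the real fix patch is not stated on the page.
    for name, banner in [("full", FULL_8_0_1298), ("backported", BACKPORTED_8_0),
                         ("unpatched", UNPATCHED_8_0)]:
        print(name, "has 8.0.0703:", includes_patch(banner, 8, 0, 703),
              "has 8.0.0704:", includes_patch(banner, 8, 0, 704))
```

Running `installed_vim_includes(8, 0, N)` on a Gentoo box answers the question asked in the thread for a concrete patch N once it is known; the range parser is what matters for a distribution build, since a backported fix shows up as an isolated patch number rather than as a higher upper bound.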