Re: vim CVE-2021-4187
On Wed, Mar 19, 2025 at 01:06:42PM +0800, Sean Whitton wrote:
> Hello,
Hi Sean,
> I have attempted to backport upstream's fix for this CVE in vim in
> d/patches/CVE-2021-4137.patch
4173
> on the debian/bullseye branch under
> lts-team on salsa.
>
> My backporting is not correct, and causes a segfault when the tests run.
>
> After studying it again, I have come to the conclusion that this is too
> difficult to backport without becoming a vimscript compilation expert.
> Therefore, considering the CVE severity, we should mark this one as
> ignored. But I could be wrong -- maybe it is obvious what is wrong with
> my backport to someone else's eyes.
>
> Therefore, could someone take a look at my work, and let me know if they
> can see the problem, please?
I have pushed a fix. No test regressions are caused by it, and both the
PoC and the testcase for the non-CVE fix I picked as prerequisite are fixed.
There are two test failures caused by other patches later in the stack,
I haven't looked at these (and commented out all later patches for my
local testing).
> Thanks.
cu
Adrian
Reply to: