Re: vim CVE-2021-4187

To: Sean Whitton <spwhitton@spwhitton.name>
Cc: debian-lts@lists.debian.org
Subject: Re: vim CVE-2021-4187
From: Adrian Bunk <bunk@debian.org>
Date: Mon, 24 Mar 2025 17:19:39 +0200
Message-id: <[🔎] Z+F4C8ncJLN2d0O4@localhost>
In-reply-to: <[🔎] 87ldt1bod9.fsf@melete.silentflame.com>
References: <[🔎] 87ldt1bod9.fsf@melete.silentflame.com>

On Wed, Mar 19, 2025 at 01:06:42PM +0800, Sean Whitton wrote:
> Hello,

Hi Sean,

> I have attempted to backport upstream's fix for this CVE in vim in
> d/patches/CVE-2021-4137.patch

4173

> on the debian/bullseye branch under
> lts-team on salsa.
> 
> My backporting is not correct, and causes a segfault when the tests run.
> 
> After studying it again, I have come to the conclusion that this is too
> difficult to backport without becoming a vimscript compilation expert.
> Therefore, considering the CVE severity, we should mark this one as
> ignored.  But I could be wrong -- maybe it is obvious what is wrong with
> my backport to someone else's eyes.
> 
> Therefore, could someone take a look at my work, and let me know if they
> can see the problem, please?

I have pushed a fix. No test regressions are caused by it, and both the 
PoC and the testcase for the non-CVE fix I picked as prerequisite are fixed.

There are two test failures caused by other patches later in the stack, 
I haven't looked at these (and commented out all later patches for my 
local testing).

> Thanks.

cu
Adrian

Reply to:

Follow-Ups:
- Re: vim CVE-2021-4187
  - From: Sean Whitton <spwhitton@spwhitton.name>

References:
- vim CVE-2021-4187
  - From: Sean Whitton <spwhitton@spwhitton.name>

Prev by Date: Re: vim CVE-2021-4187
Next by Date: Re: vim CVE-2021-4187
Previous by thread: Re: vim CVE-2021-4187
Next by thread: Re: vim CVE-2021-4187
Index(es):
- Date
- Thread