On Sun, Oct 05, 2008 at 01:23:42AM +0200, Marc 'HE' Brockschmidt wrote:
> > Although this is a new upstream version, there are various important
> > changes (including fixes for and related to grave bugs) in the package
> > since 1:7.1.314-3 and relatively few non-bug fix changes in the upstream
> > release. Full dpkg-parsechangelog of new versions below.
> >
> > people.d.o has the diffs for the source[0]
> [...]
> > [0] http://people.debian.org/~jamessan/tmp/vim.diff.gz
>
> 74 files changed, 2838 insertions(+), 1532 deletions(-)
>
> Rejected. This is in no way suitable for a freeze exception. #500381
> will need a tpu upload.

I've prepared a candidate for tpu upload[0] to fix the issues which I
think should be fixed for Lenny. Source diff[1], runtime diff[2], and
full debdiff[3] are available.

[0] - dget http://people.debian.org/~jamessan/tmp/vim_7.1.314-3+lenny1.dsc
[1] - http://people.debian.org/~jamessan/tmp/vim_7.1.314-3+lenny1-src.debdiff.gz
[2] - http://people.debian.org/~jamessan/tmp/vim_7.1.314-3+lenny1-runtime.debdiff.gz
[3] - http://people.debian.org/~jamessan/tmp/vim_7.1.314-3+lenny1.debdiff.gz

Source: vim
Version: 1:7.1.314-3+lenny1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: James Vega <jamessan@debian.org>
Date: Sat, 11 Oct 2008 03:01:50 -0400
Closes: 384635 456897 486502 492450 492519 499451 500381
Changes:
 vim (1:7.1.314-3+lenny1) testing-proposed-updates; urgency=low
 .
   * Cherry-pick patches from upstream to address filename escaping
     vulnerabilities
     - 7.2a.013 shellescape() does not escape "%" and "#" characters
     - 7.2b.005 shellescape() doesn't take care of "!" and "\n"
     - 7.2b.018 cmdline completion on shell cmd fails on file containing '!'
     - 7.2b.026 GTK 2 file chooser causes significant slowdown (Closes:
       #456897, #384635)
     - 7.2c.002 fnameescape() doesn't handle a leading '+' or '>'
     - 7.2.010 "K" in Visual mode does not properly escape all characters
       (CVE 2008-4101, Closes: #500381)
       + src/normal.c: Only use the word under the cursor, instead of the
         entire line after the cursor, when constructing the shell command to
         run.
   * Update runtime files affected by filename escape vulnerabilities.
     (CVE 2008-2712, Closes: #486502)
   * src/spell.c: Stop reading when EOF is reached to avoid allocing large
     amounts of memory.
   * src/main.c: After further discussion with upstream, revert behavior of
     -N/-C causing (no)compatible to be set after all startup files/plugins are
     sourced, c.f. #438560.
   * debian/control: vim-runtime Depends on dpkg >= 1.14.20 for sane
     dpkg-divert behavior
   * debian.vim: Do not enable 'autoindent' and filetype plugins by default.
   * Add NEWS item for change in default configuration.
   * runtime/autoload/netrw.vim: Fix deletion of incorrect file in wide display
     listing. Using Jan Minář's patch from the vim-dev list. (Closes:
     #492519)
   * Improve handling of transition from vim-runtime Replacing vim-tiny to
     using diversions to manage their conflicting files. (Closes: #492450)
   * Add vim-runtime.preinst to handle moving /etc/vim/vimrc.tiny from
     vim-common to vim-tiny. (Closes: #499451)

--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>