Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: team@security.debian.org
[ Reason ]
* Vim has some recent "no DSA" CVEs which, although unlikely to hit,
would be good to fix (#994497, #994498, #994076)
* In the buster -> bullseye upgrade, vim-gtk becomes a transitional
package, switching to vim-gtk3. The vim-gtk alternatives weren't
cleaned up, so there's a lot of noise during the upgrade about
dangling links for alternatives and a window where the symlinks may
not exist (#993766).
[ Impact ]
* Off chance that Vim crashes or twiddles some bits in memory it
shouldn't.
[ Tests ]
* The CVE fixes all come with tests from upstream.
* I've manually tested the upgrade scenario described in #993766. The
scary warnings about dangling links are fixed, but the scenario
encountered (conffile editing needed with no alternative link in
place) isn't something I see an obvious way to fix.
I've also tested upgrading from current bullseye to the proposed
changes.
The most likely reason to encounter the bug is if /etc/vim/vimrc,
which is a conffile, is modified, since it will cause dpkg's conffile
prompt to happen. At this point, buster vim-gtk's files have been
removed but vim-common is being configured before vim-gtk3, so the new
alternatives haven't been established.
The binaries are already in place, so the user can run vim.gtk3, but
it's not what their fingers (or possibly $VISUAL/$EDITOR) expect to
use.
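An added check, not part of this report or of the vim packaging, for the symptom described above: it scans an alternatives directory for links whose target no longer exists (the state a user lands in when the old vim-gtk files are gone but vim-gtk3's alternatives are not yet registered). The demo runs on a constructed temporary tree; the file names under it are illustrative only.

```shell
#!/bin/sh
# Added example (not from the bug report): list dangling alternative symlinks
# under a directory such as /etc/alternatives. Prints "name -> target" for
# each dangling link and returns 1 if any were found, 0 otherwise.
find_dangling_alternatives() {
    altdir="${1:-/etc/alternatives}"
    found=0
    for link in "$altdir"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        # Alternatives targets are normally absolute; resolve relative ones
        # against the alternatives directory so the existence test is right.
        case "$target" in
            /*) resolved="$target" ;;
            *)  resolved="$altdir/$target" ;;
        esac
        if [ ! -e "$resolved" ]; then
            printf '%s -> %s\n' "$(basename "$link")" "$target"
            found=1
        fi
    done
    return $found
}

# Self-contained demo on a constructed tree (no real system state touched):
# one valid link to vim.gtk3 and two links still pointing at the removed
# vim.gtk binary. Returns the number of dangling links found.
demo_dangling_count() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/alternatives" "$tmp/usr/bin"
    : > "$tmp/usr/bin/vim.gtk3"
    ln -s "$tmp/usr/bin/vim.gtk3" "$tmp/alternatives/gvim"    # valid
    ln -s "$tmp/usr/bin/vim.gtk"  "$tmp/alternatives/vim"     # dangling
    ln -s "$tmp/usr/bin/vim.gtk"  "$tmp/alternatives/editor"  # dangling
    count=$(find_dangling_alternatives "$tmp/alternatives" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$count"
}
```

Run `find_dangling_alternatives` with no argument on a real host to inspect /etc/alternatives after an upgrade; a non-zero exit means at least one link needs `update-alternatives` attention.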
[ Risks ]
Low risk. CVE fixes are pretty small and covered by new tests. The
alternatives issue is targeted.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
* Aside from the vim-gtk -> vim-gtk3 change, which is buster ->
bullseye specific.
[ Changes ]
attached
[ Other info ]
n/a
Attachment:
vim_8.2.2434-3+deb11u1.diff