
Bug#995748: buster-pu: package vim/2:8.1.0875-5+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: team@security.debian.org

[ Reason ]
Various "non DSA" CVEs have accumulated in Vim, and it seemed like a
good idea to get a new upload addressing those.

[ Impact ]
* CVE-2019-20807 - Shell commands can be executed from rvim (restricted
  vim) via the bindings to other programming languages
* CVE-2021-3770 / #994076 - Invalid memory access when a very large
  number is given to :retab command
* CVE-2021-3778 / #994498 - Reading beyond end of line when invalid
  utf-8 character is encountered
* CVE-2021-3796 / #994497 - Using freed memory in replace mode

[ Tests ]
Upstream tests accompany all of the fixes for the CVEs.

[ Risks ]
The changes are pretty targeted and have had time to "soak" upstream.
Patches for subsequent issues in initial fixes are included.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
attached

Attachment: vim_8.1.0875-5+deb10u1.diff
Description: Binary data

