
Bug#995494: marked as done (bullseye-pu: package vim/2:8.2.2434-3+deb11u1)



Your message dated Sat, 18 Dec 2021 11:36:17 +0000
with message-id <f35b13da0620aab462a587a3d6f06f29a527c6c9.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for changes included in 11.2
has caused the Debian Bug report #995494,
regarding bullseye-pu: package vim/2:8.2.2434-3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
995494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995494
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: team@security.debian.org

[ Reason ]
* Vim has some recent "no DSA" CVEs which, although unlikely to hit,
  would be good to fix (#994497, #994498, #994076)

* In the buster -> bullseye upgrade, vim-gtk becomes a transitional
  package, switching to vim-gtk3.  The vim-gtk alternatives weren't
  cleaned up, so there's a lot of noise during the upgrade about
  dangling links for alternatives and a window where the symlinks may
  not exist (#993766).

[ Impact ]
* Off chance that Vim crashes or twiddles some bits in memory it
  shouldn't.

[ Tests ]
* The CVE fixes all come with tests from upstream.

* I've manually tested the upgrade scenario described in #993766.  The
  scary warnings about dangling links are fixed, but the scenario
  encountered (conffile editing needed with no alternative link in
  place) isn't something I see an obvious way to fix.

  I've also tested upgrading from current bullseye to the proposed
  changes.

  The most likely reason to encounter the bug is if /etc/vim/vimrc,
  which is a conffile, is modified, since it will cause dpkg's conffile
  prompt to happen.  At this point, buster vim-gtk's files have been
  removed but vim-common is being configured before vim-gtk3, so the new
  alternatives haven't been established.

  The binaries are already in place, so the user can run vim.gtk3, but
  it's not what their fingers (or possibly $VISUAL/$EDITOR) expect to
  use.

[ Risks ]
Low risk.  CVE fixes are pretty small and covered by new tests.  The
alternatives issue is targeted.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
      * Aside from the vim-gtk -> vim-gtk3 change, which is buster ->
        bullseye specific.

[ Changes ]
attached

[ Other info ]
n/a

Attachment: vim_8.2.2434-3+deb11u1.diff
Description: Binary data


--- End Message ---
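The upgrade window described in the report above leaves alternative symlinks pointing at binaries that the old vim-gtk package has already removed. The following shell snippet is an added example, not part of the bug report or of the Debian vim packaging: it scans an alternatives directory for dangling symlinks so an administrator can confirm after an upgrade that no stale links remain. The `make_demo_tree` helper builds a constructed sample tree (a healthy `vim` link next to a stale `gvim` link) so the check can be exercised without touching a real system; the link names and paths in that sample are assumptions for illustration only.

```shell
# Added example (not from the bug report or the vim package scripts):
# report alternative symlinks whose target no longer exists, the symptom
# seen in #993766 when vim-gtk's alternatives are left behind.

# find_dangling_alternatives DIR
# Prints "NAME -> TARGET" for each symlink in DIR whose target is missing.
find_dangling_alternatives() {
    dir="$1"
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        # Resolve a relative target against the link's own directory.
        case "$target" in
            /*) resolved="$target" ;;
            *)  resolved="$dir/$target" ;;
        esac
        if [ ! -e "$resolved" ]; then
            printf '%s -> %s\n' "$(basename "$link")" "$target"
        fi
    done
}

# count_dangling_alternatives DIR
# Number of dangling links in DIR, handy as a pass/fail check in scripts.
count_dangling_alternatives() {
    find_dangling_alternatives "$1" | wc -l | tr -d ' '
}

# make_demo_tree ROOT
# Constructed sample tree (hypothetical paths) mimicking the upgrade window:
# the new vim.gtk3 binary exists, the old vim.gtk binary has been removed,
# and the 'gvim' alternative still points at the removed binary.
make_demo_tree() {
    root="$1"
    mkdir -p "$root/alternatives" "$root/bin"
    printf '#!/bin/sh\n' > "$root/bin/vim.gtk3"                # new binary present
    ln -sfn "$root/bin/vim.gtk3" "$root/alternatives/vim"      # healthy link
    ln -sfn "$root/bin/vim.gtk"  "$root/alternatives/gvim"     # stale: target removed
}

# Stand-alone run against a temporary constructed tree.
demo_root=$(mktemp -d)
make_demo_tree "$demo_root"
find_dangling_alternatives "$demo_root/alternatives"
rm -rf "$demo_root"
```

On a real system the same function can be pointed at `/etc/alternatives` after the upgrade completes (`find_dangling_alternatives /etc/alternatives`); an empty result means the transition left no stale links behind.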
--- Begin Message ---
Package: release.debian.org
Version: 11.2

Hi,

All of the updates referred to by these bugs were included in this
morning's bullseye point release.

Regards,

Adam

--- End Message ---
