Your message dated Sun, 30 Jun 2019 18:35:42 +0000
with message-id <e1hhefu-0007ga...@fasolo.debian.org>
and subject line Bug#930020: fixed in vim 2:8.0.0197-4+deb9u2
has caused the Debian Bug report #930020,
regarding vim: CVE-2019-12735: Modelines allow arbitrary code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
930020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930020
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: vim
Severity: important
Tags: upstream
Dear Maintainer,
Vim versions < 8.1.1365 are subject to an Arbitrary Code Execution exploit via
modelines, as described in this blogpost:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
Upgrading the Vim package to >= 8.1.1365 fixes this exploit.
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
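A check an administrator reading this report might want to run, added here as an example and not part of the bug report or of the Debian package: a POSIX sh script that parses `vim --version` output and compares the upstream version and patch level against 8.1.1365, the release the reporter names as fixing CVE-2019-12735. The function names, the sample banners and the assumption that Vim prints a `VIM - Vi IMproved X.Y` line followed by an `Included patches: 1-N` line are mine. One caveat the page itself illustrates: Debian's 2:8.0.0197-4+deb9u2 backports the upstream patches without changing the upstream version string, so on distribution packages this comparison is only a first screen; the package version (`dpkg -s vim`) or the presence of the 'modelineexpr' option that those patches introduce is the authoritative signal.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian package: decide from
# `vim --version` text whether an installed Vim predates upstream patch
# 8.1.1365. Backported packages keep the old version string, so a
# "predates-fix" verdict is inconclusive for distribution builds.

FIXED_VERSION=8.1.1365

# version_ge A B: succeed when dotted version A is >= B (missing fields count as 0)
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -s -d. -f"$i")
        y=$(printf '%s\n' "$2" | cut -s -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# vim_version_from_text TEXT: print "major.minor.patch" parsed from `vim --version` output
vim_version_from_text() {
    base=$(printf '%s\n' "$1" | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$base" ] || return 1
    # "Included patches: 1-197" (or "1-197, 200"): the end of the first range is the patch level
    range=$(printf '%s\n' "$1" | sed -n 's/^Included patches: *\([0-9][0-9-]*\).*/\1/p' | head -n 1)
    patch=${range##*-}
    printf '%s.%s\n' "$base" "${patch:-0}"
}

# vim_modeline_status TEXT: print a verdict; exit 0 if fixed upstream, 1 if not, 2 if unparsable
vim_modeline_status() {
    v=$(vim_version_from_text "$1") || { echo "unknown"; return 2; }
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "fixed-upstream $v"
        return 0
    fi
    echo "predates-fix $v"
    return 1
}

# Constructed sample banners (assumed format, not captured output)
SAMPLE_STRETCH='VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Jun 16 2019 13:06:40)
Included patches: 1-197'
SAMPLE_FIXED='VIM - Vi IMproved 8.1 (2018 May 18, compiled Jan 01 2020 00:00:00)
Included patches: 1-1365'

# Stand-alone use: check the real vim when present, otherwise the constructed sample
if command -v vim >/dev/null 2>&1; then
    vim_modeline_status "$(vim --version 2>/dev/null)" || :
else
    vim_modeline_status "$SAMPLE_STRETCH" || :
fi
```

On a patched Vim, `:echo exists('+modelineexpr')` prints 1 and the option defaults to off, which is what stops expression evaluation from modelines; `set nomodeline` in the vimrc disables modeline processing entirely for hosts where that is acceptable.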
--- Begin Message ---
Source: vim
Source-Version: 2:8.0.0197-4+deb9u2
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <james...@debian.org> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 16 Jun 2019 13:06:40 -0400
Source: vim
Architecture: source
Version: 2:8.0.0197-4+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Vim Maintainers <pkg-vim-maintain...@lists.alioth.debian.org>
Changed-By: James McCoy <james...@debian.org>
Closes: 930020
Changes:
vim (2:8.0.0197-4+deb9u2) stretch-security; urgency=high
.
* Backport patches to address CVE-2019-12735 (Closes: #930020)
+ 8.0.0649: when opening a help file the filetype is set several times
+ 8.0.0651: build failure without the auto command feature
+ 8.1.0066: nasty autocommand causes using freed memory
+ 8.1.0177: defining function in sandbox is inconsistent
+ 8.1.0189: function defined in sandbox not tested
+ 8.1.0205: invalid memory access with invalid modeline
+ 8.1.0206: duplicate test function name
+ 8.1.0208: file left behind after running individual test
+ 8.1.0506: modeline test fails when run by root
+ 8.1.0538: evaluating a modeline might invoke using a shell command
+ 8.1.0539: cannot build without the sandbox
+ 8.1.0540: may evaluate insecure value when appending to option
+ 8.1.0544: setting 'filetype' in a modeline causes an error
+ 8.1.0546: modeline test with keymap fails
+ 8.1.0547: modeline test with keymap still fails
+ 8.1.0613: when executing an insecure function the secure flag is stuck
+ 8.1.1046: the "secure" variable is used inconsistently
+ 8.1.1365: source command doesn't check for the sandbox
+ 8.1.1366: using expressions in a modeline is unsafe
+ 8.1.1367: can set 'modelineexpr' in modeline
+ 8.1.1368: modeline test fails with python but without pythonhome
+ 8.1.1382: error when editing test files
+ 8.1.1401: misspelled mkspellmem and makespellmem
* gbp.conf: Set debian-branch to debian/stretch
* gbp.conf: Set upstream-tag to v%(version)s
Checksums-Sha1:
d619296fbcdd5ece133cf675f76269117fce0f91 3048 vim_8.0.0197-4+deb9u2.dsc
9201147e6b8844bec2dab7e67baddef034ff677b 12959375 vim_8.0.0197.orig.tar.gz
79d68180dfdf0264b4d4072ef70a1d8e65450016 174048 vim_8.0.0197-4+deb9u2.debian.tar.xz
bd4b0dc5066175537871570e7b9e4d9ca619310b 6436 vim_8.0.0197-4+deb9u2_source.buildinfo
Checksums-Sha256:
c372c4b36f06744cc9d0cae5529f6ded85755b3a7d09308a5d914c500d328c2b 3048 vim_8.0.0197-4+deb9u2.dsc
7fc1d5ef76a86961316666fb8e050cdb79bd86f9264028d597e682582b25be16 12959375 vim_8.0.0197.orig.tar.gz
2ffad3c562f86d3af6a3a04d6ea15af1d520b1d359d5680e037b3d528a227b22 174048 vim_8.0.0197-4+deb9u2.debian.tar.xz
6d8ed9248bc700c59a8e4e2daec59a339cde6dbbf025b40ab6a6bc12f2963747 6436 vim_8.0.0197-4+deb9u2_source.buildinfo
Files:
8df682a479b9c65207a82fa1345aa57a 3048 editors optional vim_8.0.0197-4+deb9u2.dsc
718499f6187066988cfd1e3ea3ccaf67 12959375 editors optional vim_8.0.0197.orig.tar.gz
e9df03480977355f3e9579abb5b53cba 174048 editors optional vim_8.0.0197-4+deb9u2.debian.tar.xz
a35d2c01ceb82eb9be76ca6f9bd15dfb 6436 editors optional vim_8.0.0197-4+deb9u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKoBAEBCgCSFiEEkb+/TWlWvV33ty0j3+aRrjMbo9sFAl0IUElfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDkx
QkZCRjRENjk1NkJENURGN0I3MkQyM0RGRTY5MUFFMzMxQkEzREIUHGphbWVzc2Fu
QGRlYmlhbi5vcmcACgkQ3+aRrjMbo9tJ8xAAvZjijgP2p3QQLwYkcOFdj0aC/a/r
9pVWxtSx/mkFxpKuZ6tF34n+uEfGaUqrEre1oyvoT38dsTneyrWEpJrsYy/DBgcb
wGk+xBWTO7XJX6mFRkZb/P0S5/AO/Gv5fmv4NR5MhCbBqTW7fY3uhJxnyUU+RLNr
wr1z8UlfImRTow/gCwOELoQvOukUPxvRL67x9g88LzMVob5CttbHa1Nh2E2c+0gz
G0aPscgD87im105j7LusSYfyF2DRdTVwiliseSpsE2mWUkRpN2Y8+kbKOrmCpi+V
XWmx4eU8jEP8cYgUFXgTLrZRw2hyclTTVprcvg5y/wJkUtaBOak2+Q3Av0YYva8t
PpJmH/1GfIr0on2WeN2cL39VEcOQs81IWEjQl5Ml4bEYCMDhN2gfncf+B/W2Gz9n
M4jTKLqJV2ObeAPeKXDYE+hfs82G2XilDnJAZYfFrojWlc7NDbiqupikxY+1aa+4
XJ9BGM1tkiinWANDO480+V3uC4Do7mSF07DVPfUMNUIJjl3lE/5SaXRWiudgPbS9
3JiTG8v3stdN47cjVJEGoigXR/2+veXfOypLxGAnBRQ3T0RMH//QWSXBM2NxZJ+M
eSVN9DEn2eJZPKG215uaS/BtuPJBvFqf2kEPM5XcJ8CHpprwfo5g6FmvUxleF426
5KCT/2qaAJqARYQ=
=YW1m
-----END PGP SIGNATURE-----
--- End Message ---