Jeffrey Walton <noloa...@gmail.com> wrote: > On Tue, Apr 4, 2023 at 9:46 AM Stefan Monnier > <monn...@iro.umontreal.ca> wrote: > > > > > Here are three more data points. > > > > > > * Emacs - 41 CVEs since 2000 [1] > > > * Vi - 61 CVEs since 1999 [2] > > > * Vim - 656 CVEs since 2001 [3] > > > > > > I'm not sure how many CVEs overlap for Vim due to Vi. > > > > I don't know what the number of CVEs tells us about a project... > > I'm a big fan of, past performance is an indicator of future > expectations. Whatever is happening, it is probably going to continue > to happen, and more frequently to Vim.
But cropping and ignoring the actual point of Stefan's mail rather misses the point and insults him. For example, three CVEs chosen at random from the 'vim' list: CVE-2010-3481 Multiple SQL injection vulnerabilities in login.php in ApPHP PHP MicroCMS 1.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) user_name and (2) password variables, possibly related to include/classes/Login.php. NOTE: some of these details are obtained from third party information. NOTE: the password vector might not be vulnerable. CVE-2010-2704 Buffer overflow in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long HTTP request to nnmrptconfig.exe. CVE-2010-2703 Stack-based buffer overflow in the execvp_nc function in the ov.dll module in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53, when running on Windows, allows remote attackers to execute arbitrary code via a long HTTP request to webappmon.exe. FWIW, the word SQL appears 127 times in the 'vim' CVEs, and the word 'vim' doesn't appear in most so I'm not sure how helpful these numbers actually are. > Jeff
