debcrafters-packages team mailing list archive

Thread
Date
[Bug 2112088] Re: Merge vim from Debian Unstable for questing

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Sebastien Bacher <2112088@xxxxxxxxxxxxxxxxxx>
Date: Thu, 29 May 2025 09:35:28 -0000
Reply-to: Bug 2112088 <2112088@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
*** This bug is a duplicate of bug 2110002 ***
    https://bugs.launchpad.net/bugs/2110002

** This bug has been marked a duplicate of bug 2110002
   Please merge 2:9.1.1230-1 into questing

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to vim in Ubuntu.
https://bugs.launchpad.net/bugs/2112088

Title:
  Merge vim from Debian Unstable for questing

Status in vim package in Ubuntu:
  New

Bug description:
  Scheduled-For: ubuntu-25.06
  Ubuntu: 2:9.1.0967-1ubuntu4
  Debian Unstable: 2:9.1.1230-2
  Debian Experimental: 2:9.1.1385-1

  A new release of vim is available for merging from Debian Unstable.

  If it turns out this needs a sync rather than a merge, please change
  the tag 'dcr-merge' to 'dcr-sync', and (optionally) update the title
  as desired.

  If this merge pulls in a new upstream version, also consider adding an
  entry to the questing Release Notes:
  https://discourse.ubuntu.com/t/questing-quokka-release-notes/

  ### New Debian Changes ###

  vim (2:9.1.1230-2) unstable; urgency=medium

    * Backport v9.1.1242 and v9.1.1244 to fix crash when evaluating a variable
      name. (Closes: #1106133)

   -- James McCoy <jamessan@xxxxxxxxxx>  Thu, 22 May 2025 20:48:59 -0400

  vim (2:9.1.1230-1) unstable; urgency=medium

    * Merge upstream tag v9.1.1230
      + Security fixes:
        - 9.1.1115: use-after-free in str_to_reg(), CVE-2025-26603
        - 9.1.1164: editing a specially crafted tar file allows code execution,
          (Closes: #1099610, CVE-2025-27423)
        - 9.1.1198: potential data loss with zip.vim and crafted zip files,
          (Closes: #1101016, CVE-2025-29768)

   -- James McCoy <jamessan@xxxxxxxxxx>  Mon, 24 Mar 2025 20:59:06 -0400

  vim (2:9.1.1113-1) unstable; urgency=medium

    [ James McCoy ]
    * Merge upstream tag v9.1.1113
      + Security fixes:
        - 9.1.1003: heap-buffer overflow with visual mode when using :all,
          CVE-2025-22134
        - 9.1.1043: segfault in win_line(), CVE-2025-24014
        - 9.1.1097: crash when using --log with non-existent path, CVE-2025-1215

    [ Andrea Pappacoda ]
    * Drop backspace and history from debian.vim (Closes: #1095155)

   -- James McCoy <jamessan@xxxxxxxxxx>  Sat, 15 Feb 2025 20:43:27 -0500

  vim (2:9.1.0967-2) unstable; urgency=medium

    * Revert "patch 9.1.0949: popups inconsistently shifted to the left",
      since it breaks vim-youcompleteme's autopkgtests. (Closes: #1091729)

   -- James McCoy <jamessan@xxxxxxxxxx>  Fri, 10 Jan 2025 06:30:59 -0500


  ### Old Ubuntu Delta ###

  vim (2:9.1.0967-1ubuntu4) plucky; urgency=medium

    * SECURITY UPDATE: Crash when file is inaccessible with log option.
      - debian/patches/CVE-2025-1215.patch: Split common_init to common_init_1
        and common_init_2 in ./src/main.c.
      - CVE-2025-1215
    * SECURITY UPDATE: Denial of service.
      - debian/patches/CVE-2025-24014.patch: fix a segfault in win_line()
        in files src/gui.c, src/testdir/crash/ex_redraw_crash,
        src/testdir/test_crash.vim.
      - CVE-2025-24014
    * SECURITY UPDATE: Use after free when redirecting display command to
      register.
      - debian/patches/CVE-2025-26603.patch: Change redir_reg check to use
        vim_strchr command check in ./src/register.c.
      - CVE-2025-26603
    * SECURITY UPDATE: Code execution when editing tar files.
      - debian/patches/CVE-2025-27423.patch: Use escape_file instead of fname in
        ./runtime/autoload/tar.vim.
      - CVE-2025-27423
    * SECURITY UPDATE: Data loss when extracting special zip files.
      - debian/patches/CVE-2025-29768.patch: Substitute special characters in
        ./runtime/autoload/zip.vim.
      - CVE-2025-29768

   -- Hlib Korzhynskyy <hlib.korzhynskyy@xxxxxxxxxxxxx>  Thu, 03 Apr
  2025 11:38:49 -0230

  vim (2:9.1.0967-1ubuntu3) plucky; urgency=medium

    [ James McCoy ]
    * Revert "patch 9.1.0949: popups inconsistently shifted to the left",
      since it breaks vim-youcompleteme's autopkgtests. (Closes: #1091729)

   -- Graham Inggs <ginggs@xxxxxxxxxx>  Sun, 23 Feb 2025 15:22:10 +0000

  vim (2:9.1.0967-1ubuntu2) plucky; urgency=medium

    * SECURITY UPDATE: Heap-buffer-overflow when switching buffers.
      - debian/patches/CVE-2025-22134.patch: Add reset_VIsual_and_resel() to
        src/arglist.c. Add ptrlen checks in src/misc1.c and src/ops.c.
      - CVE-2025-22134

   -- Hlib Korzhynskyy <hlib.korzhynskyy@xxxxxxxxxxxxx>  Tue, 21 Jan
  2025 15:29:05 -0330

  vim (2:9.1.0967-1ubuntu1) plucky; urgency=medium

    * Merge from Debian Unstable. Remaining changes:
      - debian/runtime/vimrc:
        + "syntax on" is a sane default for non-tiny Vim.
      - debian/patches/debian/ubuntu-grub-syntax.patch:
        + Add Ubuntu-specific "quiet" keyword.
      - debian/patches/ubuntu-mouse-off.patch:
       + Mouse mode is actively harmful in some chroots.
      - debian/patches/increase_timeout.diff:
        + Increase timeout for the Test_pattern_compile_speed patch.
      - debian/patches/0001-fix-flaky-terminal-mode-test.vim:
        + Fix flaky Vim terminal mode test.
      - debian/patches/0002-disable-failing-tests-on-ppc64.patch:
        + Disable some tests that were throwing an ENOMEM during build on
          ppc64el. The tests are only disabled when building on ppc64el.

   -- Simon Quigley <tsimonq2@xxxxxxxxxx>  Sat, 04 Jan 2025 23:57:59
  -0600

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/2112088/+subscriptions
References

[Bug 2112088] [NEW] Merge vim from Debian Unstable for questing
From: Bryce Harrington, 2025-05-29