debcrafters-packages team mailing list archive

[Bug 2130146] [NEW] Merge vim from Debian Unstable for resolute

 

Public bug reported:

Scheduled-For: ubuntu-25.11
Ubuntu: 2:9.1.0967-1ubuntu6
Debian Unstable: 2:9.1.1882-1

A new release of vim is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the
tagging from ['dcr-merge'] to ['dcr-sync'], and (optionally) update the
title as desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the resolute Release Notes:
https://discourse.ubuntu.com/t/resolute-raccoon-release-notes/

### New Debian Changes ###

vim (2:9.1.1882-1) unstable; urgency=medium

  * Merge upstream patch v9.1.1882
  * Build without wayland on hurd

 -- James McCoy <jamessan@xxxxxxxxxx>  Mon, 27 Oct 2025 20:41:30 -0400

vim (2:9.1.1846-1) unstable; urgency=medium

  * Merge upstream tag v9.1.1845
    + 9.1.1843: Extend searchcount() timeout if the test is being re-run due
      to flakiness, fixes test failure on slower architectures.

 -- James McCoy <jamessan@xxxxxxxxxx>  Fri, 10 Oct 2025 14:33:33 -0400

vim (2:9.1.1829-1) unstable; urgency=medium

  * Upload to unstable
  * Merge upstream tag v9.1.1829
  * Remove src/LICENSE, src/README.txt, and runtime/doc/tags.ref during clean
  * Skip tests for termdebug, since they currently fail on 32-bit
    architectures

 -- James McCoy <jamessan@xxxxxxxxxx>  Mon, 06 Oct 2025 14:48:55 -0400

vim (2:9.1.1766-1) experimental; urgency=medium

  * Merge upstream tag v9.1.1766 (Closes: #1115819)
    + Security fixes:
      - 9.1.1400: use-after-free when evaluating tuple fails, (Closes:
        #1110898, CVE-2025-55157)
      - 9.1.1406: crash when importing invalid tuple, CVE-2025-55158
      - 9.1.1551: path traversal issue in zip.vim if files have leading '../',
        (Closes: #1109374, CVE-2025-53906)
      - 9.1.1552: path traversal issue in tar.vim if files have leading '/',
        CVE-2025-53905
      - 9.1.1616: xxd: possible buffer overflow with bitwise output,
        CVE-2025-9390
  * Enable socketserver for vim-nox, vim-basic, and vim-gtk3
  * Enable wayland support only for GUI builds
  * Drop obsolete transitional package, vim-athena

 -- James McCoy <jamessan@xxxxxxxxxx>  Tue, 23 Sep 2025 21:13:05 -0400

vim (2:9.1.1385-1) experimental; urgency=medium

  [ James McCoy ]
  * Merge upstream tag v9.1.1385

  [ Kirill Rekhov ]
  * d/upstream/metadata: add metadata
  * Fix day-of-week for changelog entries 1:6.3-015+1, 1:6.3-010+1, 4.6-2.

 -- James McCoy <jamessan@xxxxxxxxxx>  Thu, 15 May 2025 20:28:48 -0400

vim (2:9.1.1230-2) unstable; urgency=medium

  * Backport v9.1.1242 and v9.1.1244 to fix crash when evaluating a variable
    name. (Closes: #1106133)

 -- James McCoy <jamessan@xxxxxxxxxx>  Thu, 22 May 2025 20:48:59 -0400

vim (2:9.1.1230-1) unstable; urgency=medium

  * Merge upstream tag v9.1.1230
    + Security fixes:
      - 9.1.1115: use-after-free in str_to_reg(), CVE-2025-26603
      - 9.1.1164: editing a specially crafted tar file allows code execution,
        (Closes: #1099610, CVE-2025-27423)
      - 9.1.1198: potential data loss with zip.vim and crafted zip files,
        (Closes: #1101016, CVE-2025-29768)

 -- James McCoy <jamessan@xxxxxxxxxx>  Mon, 24 Mar 2025 20:59:06 -0400

vim (2:9.1.1113-1) unstable; urgency=medium

  [ James McCoy ]
  * Merge upstream tag v9.1.1113
    + Security fixes:
      - 9.1.1003: heap-buffer overflow with visual mode when using :all,
        CVE-2025-22134
      - 9.1.1043: segfault in win_line(), CVE-2025-24014
      - 9.1.1097: crash when using --log with non-existent path, CVE-2025-1215

  [ Andrea Pappacoda ]
  * Drop backspace and history from debian.vim (Closes: #1095155)

 -- James McCoy <jamessan@xxxxxxxxxx>  Sat, 15 Feb 2025 20:43:27 -0500

vim (2:9.1.0967-2) unstable; urgency=medium

  * Revert "patch 9.1.0949: popups inconsistently shifted to the left",
    since it breaks vim-youcompleteme's autopkgtests. (Closes: #1091729)

 -- James McCoy <jamessan@xxxxxxxxxx>  Fri, 10 Jan 2025 06:30:59 -0500


### Old Ubuntu Delta ###

vim (2:9.1.0967-1ubuntu6) questing; urgency=medium

  * SECURITY UPDATE: Path traversal when opening specially crafted tar/zip
    archives.
    - debian/patches/CVE-2025-53905.patch: Replace "echohl Error" with call,
      remove leading slashes from name, replace tar_secure with g:tar_secure in
      runtime/autoload/tar.vim.
    - debian/patches/CVE-2025-53906.patch: Add need_rename, replace w! with w,
      call warning for path traversal attack, and escape leading "../" in
      runtime/autoload/zip.vim.
    - CVE-2025-53905
    - CVE-2025-53906

 -- Hlib Korzhynskyy <hlib.korzhynskyy@xxxxxxxxxxxxx>  Mon, 15 Sep 2025 14:08:04 -0230

vim (2:9.1.0967-1ubuntu5) questing; urgency=medium

  * Rebuild to include updated RISC-V base ISA RVA23

 -- Heinrich Schuchardt <heinrich.schuchardt@xxxxxxxxxxxxx>  Sat, 06 Sep 2025 15:38:52 +0000

vim (2:9.1.0967-1ubuntu4) plucky; urgency=medium

  * SECURITY UPDATE: Crash when file is inaccessible with log option.
    - debian/patches/CVE-2025-1215.patch: Split common_init to common_init_1
      and common_init_2 in ./src/main.c.
    - CVE-2025-1215
  * SECURITY UPDATE: Denial of service.
    - debian/patches/CVE-2025-24014.patch: fix a segfault in win_line()
      in files src/gui.c, src/testdir/crash/ex_redraw_crash,
      src/testdir/test_crash.vim.
    - CVE-2025-24014
  * SECURITY UPDATE: Use after free when redirecting display command to
    register.
    - debian/patches/CVE-2025-26603.patch: Change redir_reg check to use
      vim_strchr command check in ./src/register.c.
    - CVE-2025-26603
  * SECURITY UPDATE: Code execution when editing tar files.
    - debian/patches/CVE-2025-27423.patch: Use escape_file instead of fname in
      ./runtime/autoload/tar.vim.
    - CVE-2025-27423
  * SECURITY UPDATE: Data loss when extracting special zip files.
    - debian/patches/CVE-2025-29768.patch: Substitute special characters in
      ./runtime/autoload/zip.vim.
    - CVE-2025-29768

 -- Hlib Korzhynskyy <hlib.korzhynskyy@xxxxxxxxxxxxx>  Thu, 03 Apr 2025 11:38:49 -0230

vim (2:9.1.0967-1ubuntu3) plucky; urgency=medium

  [ James McCoy ]
  * Revert "patch 9.1.0949: popups inconsistently shifted to the left",
    since it breaks vim-youcompleteme's autopkgtests. (Closes: #1091729)

 -- Graham Inggs <ginggs@xxxxxxxxxx>  Sun, 23 Feb 2025 15:22:10 +0000

vim (2:9.1.0967-1ubuntu2) plucky; urgency=medium

  * SECURITY UPDATE: Heap-buffer-overflow when switching buffers.
    - debian/patches/CVE-2025-22134.patch: Add reset_VIsual_and_resel() to
      src/arglist.c. Add ptrlen checks in src/misc1.c and src/ops.c.
    - CVE-2025-22134

 -- Hlib Korzhynskyy <hlib.korzhynskyy@xxxxxxxxxxxxx>  Tue, 21 Jan 2025 15:29:05 -0330

vim (2:9.1.0967-1ubuntu1) plucky; urgency=medium

  * Merge from Debian Unstable. Remaining changes:
    - debian/runtime/vimrc:
      + "syntax on" is a sane default for non-tiny Vim.
    - debian/patches/debian/ubuntu-grub-syntax.patch:
      + Add Ubuntu-specific "quiet" keyword.
    - debian/patches/ubuntu-mouse-off.patch:
      + Mouse mode is actively harmful in some chroots.
    - debian/patches/increase_timeout.diff:
      + Increase timeout for the Test_pattern_compile_speed patch.
    - debian/patches/0001-fix-flaky-terminal-mode-test.vim:
      + Fix flaky Vim terminal mode test.
    - debian/patches/0002-disable-failing-tests-on-ppc64.patch:
      + Disable some tests that were throwing an ENOMEM during build on
        ppc64el. The tests are only disabled when building on ppc64el.

 -- Simon Quigley <tsimonq2@xxxxxxxxxx>  Sat, 04 Jan 2025 23:57:59 -0600

** Affects: vim (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: dcr-merge

** Changed in: vim (Ubuntu)
    Milestone: None => ubuntu-25.11

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to vim in Ubuntu.
https://bugs.launchpad.net/bugs/2130146

Title:
  Merge vim from Debian Unstable for resolute

Status in vim package in Ubuntu:
  New
