GNU bug report logs - #27770
[PATCH] gnu: vim: Update to 8.0.0727 [fixes CVE-2017-11109].

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 20 Jul 2017 05:45:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 27770 in the body.
You can then email your comments to 27770 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#27770; Package guix-patches. (Thu, 20 Jul 2017 05:45:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 20 Jul 2017 05:45:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: vim: Update to 8.0.0727 [fixes CVE-2017-11109].
Date: Thu, 20 Jul 2017 01:44:36 -0400

vim-full fails its tests with this update. I've noticed from previous
discussion that the test suite is flaky with vim-full. What do you
suggest?

------
Test results:


From test_alot.vim:
Found errors in Test_input_in_timer():
function RunTheTest[24]..Test_input_in_timer line 4: Expected 'hello' but got ''
Found errors in Test_map_ctrl_c_insert():
function RunTheTest[24]..Test_map_ctrl_c_insert line 7: Expected 'TEST2: CTRL-C |<ctrl-c>A|' but got 'GoTEST2: CTRL-C |<ctrl-c>A|'
TEST FAILURE
------

* gnu/packages/vim.scm (vim, vim-full): Update to 8.0.0727.
---
 gnu/packages/vim.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/vim.scm b/gnu/packages/vim.scm
index 27c0b0da9..39894f39c 100644
--- a/gnu/packages/vim.scm
+++ b/gnu/packages/vim.scm
@@ -60,7 +60,7 @@
 (define-public vim
   (package
     (name "vim")
-    (version "8.0.0600")
+    (version "8.0.0727")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://github.com/vim/vim/archive/v"
@@ -68,7 +68,7 @@
              (file-name (string-append name "-" version ".tar.gz"))
              (sha256
               (base32
-               "1ifaj0lfzqn06snkcd83l58m9r6lg7lk3wspx71k5ycvypyfi67s"))))
+               "0hwqglpsk8qlp2rn6q9p35fxk88xixljk1yv42m3j01g3bgqg0gx"))))
     (build-system gnu-build-system)
     (arguments
      `(#:test-target "test"
-- 
2.13.3
Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Fri, 21 Jul 2017 19:27:01 GMT) Full text and rfc822 format available.
Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Fri, 21 Jul 2017 19:27:01 GMT) Full text and rfc822 format available.

Message #10 received at 27770-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 27770-done <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: vim: Update to 8.0.0727 [fixes CVE-2017-11109].
Date: Fri, 21 Jul 2017 15:25:44 -0400

On Thu, Jul 20, 2017 at 01:44:36AM -0400, Leo Famulari wrote:
> vim-full fails its tests with this update. I've noticed from previous
> discussion that the test suite is flaky with vim-full. What do you
> suggest?

In 3c14378381fc1f187a07b2f958eeed1958f02672, I updated vim and kept
vim-full at 8.0.0600.

This means that vim-full is still vulnerable to CVE-2017-11109.

I'll remove the vim-full package in 1 week (July 28) unless we have a
fix for this bug.
Information forwarded to guix-patches <at> gnu.org:
bug#27770; Package guix-patches. (Sat, 29 Jul 2017 14:55:02 GMT) Full text and rfc822 format available.

Message #13 received at 27770-done <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 27770-done <at> debbugs.gnu.org
Subject: Re: bug#27770: [PATCH] gnu: vim: Update to 8.0.0727
 [fixes	CVE-2017-11109].
Date: Sat, 29 Jul 2017 16:54:46 +0200

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Thu, Jul 20, 2017 at 01:44:36AM -0400, Leo Famulari wrote:
>> vim-full fails its tests with this update. I've noticed from previous
>> discussion that the test suite is flaky with vim-full. What do you
>> suggest?
>
> In 3c14378381fc1f187a07b2f958eeed1958f02672, I updated vim and kept
> vim-full at 8.0.0600.
>
> This means that vim-full is still vulnerable to CVE-2017-11109.
>
> I'll remove the vim-full package in 1 week (July 28) unless we have a
> fix for this bug.

FWIW I believe the root cause of at least some of the failing GUI tests
have been found:

https://groups.google.com/forum/#!msg/vim_dev/_a9DYXDuZ1I/Mb2c3lUbBgAJ

I don't have strong objections against removing this package, but we
could also just disable tests until it's working again.

[signature.asc (application/pgp-signature, inline)]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 27 Aug 2017 11:24:05 GMT) Full text and rfc822 format available.
This bug report was last modified 6 years and 252 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.