Friday, September 29, 2017

Re: VIM and NVD Vulnerability

Susanne Ramsey wrote:

> The National Vulnerability Database (NVD) lists a high vulnerability for VIM 8.0. https://nvd.nist.gov/vuln/detail/CVE-2017-11109
> Vim 8.0 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted source (aka -S) file.
> NOTE: there might be a limited number of scenarios in which this has security relevance.
>
>
> Unfortunately, the info provided in the CVE does not specify if it is
> only the initial release 8.0 or the subsequent patched versions that
> are vulnerable. I have searched the VIM website readme and other
> documents but can't find the answer, so I am turning to you. I
> appreciate your assistance. Is the current version still vulnerable
> to the issue noted above or has this been remediated in the patch
> updates?

Patch 8.0.0693 fixed the first issue.

Note that it requires the user to install and source a script from
someone else. This is not really a security issue. I haven't wasted
time arguing about the reported risks.

--
Your fault: core dumped

/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vim_use+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

No comments: