Message ID | 20220831160712.189938-1-richard.purdie@linuxfoundation.org |
---|---|
State | Accepted, archived |
Commit | 01c08d47ecfcc7aefacc8280e0055c75b13795b2 |
Series | vim: Upgrade 9.0.0242 -> 9.0.0341 |
I have to wonder, what is really going on there? :-) This never ending stream of CVEs makes vim formally the most insecure item in core. Does anyone know?

Alex

On Wed, 31 Aug 2022 at 18:07, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> > Addresses CVE-2022-2980, CVE-2022-2946 and CVE-2022-2982. > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > --- > meta/recipes-support/vim/vim.inc | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc > index 5b95ab2625c..33a82992433 100644 > --- a/meta/recipes-support/vim/vim.inc > +++ b/meta/recipes-support/vim/vim.inc > @@ -20,8 +20,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ > file://no-path-adjust.patch \ > " > > -PV .= ".0242" > -SRCREV = "171c683237149262665135c7d5841a89bb156f53" > +PV .= ".0341" > +SRCREV = "92a3d20682d46359bb50a452b4f831659e799155" > > # Remove when 8.3 is out > UPSTREAM_VERSION_UNKNOWN = "1" > -- > 2.34.1
"Alexander Kanavin" <alex.kanavin@gmail.com> writes:

> I have to wonder, what is really going on there? :-) This never ending
> stream of CVEs makes vim formally the most insecure item in core. Does
> anyone know?

Is it a rhetorical question? :) Vim has a very old codebase and nobody cared about security at that time. There were few attempts to rewrite vim recently (neovim for example) but I don't know the outcome.

> Alex
>
> On Wed, 31 Aug 2022 at 18:07, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>> >> Addresses CVE-2022-2980, CVE-2022-2946 and CVE-2022-2982. >> >> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> >> --- >> meta/recipes-support/vim/vim.inc | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc >> index 5b95ab2625c..33a82992433 100644 >> --- a/meta/recipes-support/vim/vim.inc >> +++ b/meta/recipes-support/vim/vim.inc >> @@ -20,8 +20,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ >> file://no-path-adjust.patch \ >> " >> >> -PV .= ".0242" >> -SRCREV = "171c683237149262665135c7d5841a89bb156f53" >> +PV .= ".0341" >> +SRCREV = "92a3d20682d46359bb50a452b4f831659e799155" >> >> # Remove when 8.3 is out >> UPSTREAM_VERSION_UNKNOWN = "1" >> -- >> 2.34.1
On Wed, 2022-08-31 at 18:17 +0200, Alexander Kanavin wrote:
> I have to wonder, what is really going on there? :-) This never ending
> stream of CVEs makes vim formally the most insecure item in core. Does
> anyone know?

Personally I suspect some kind of bug bounty system may be influencing things. I have wondered about removing vim from core.

Cheers,

Richard
On Wed, 31 Aug 2022 at 18:21, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> > I have to wonder, what is really going on there? :-) This never ending
> > stream of CVEs makes vim formally the most insecure item in core. Does
> > anyone know?
>
> Personally I suspect some kind of bug bounty system may be influencing
> things. I have wondered about removing vim from core.

As someone who writes all his code with nano, can I vote for that please? :-)

Alex
On 8/31/22 9:21 AM, Richard Purdie wrote:
> On Wed, 2022-08-31 at 18:17 +0200, Alexander Kanavin wrote:
>> I have to wonder, what is really going on there? :-) This never ending
>> stream of CVEs makes vim formally the most insecure item in core. Does
>> anyone know?
>
> Personally I suspect some kind of bug bounty system may be influencing
> things. I have wondered about removing vim from core.

+1, do we have a non-busybox editor? Perhaps move nano from meta-oe into core.

> Cheers,
>
> Richard
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 5b95ab2625c..33a82992433 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -20,8 +20,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".0242" -SRCREV = "171c683237149262665135c7d5841a89bb156f53" +PV .= ".0341" +SRCREV = "92a3d20682d46359bb50a452b4f831659e799155" # Remove when 8.3 is out UPSTREAM_VERSION_UNKNOWN = "1"
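Review bot: the trailing context of this hunk still carries `# Remove when 8.3 is out` above `UPSTREAM_VERSION_UNKNOWN = "1"`, while the series title has the recipe moving from 9.0.0242 to 9.0.0341, so the condition in that comment looks stale. A follow-up should check whether the override is still needed and either drop it or update the comment. Separately, nothing in the two changed lines lets a reader confirm that the new `SRCREV` is the commit for patch level `.0341`, or which upstream patch fixes each of the three CVEs named in the commit message. Naming the upstream tag and the fixing patch numbers in the commit message would make the bump easier to audit and to backport.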
Addresses CVE-2022-2980, CVE-2022-2946 and CVE-2022-2982.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

---

meta/recipes-support/vim/vim.inc | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)