[ubuntu/questing-proposed] vim 2:9.1.0967-1ubuntu6 (Accepted)
Hlib Korzhynskyy
hlib.korzhynskyy at canonical.com
Mon Sep 15 17:52:20 UTC 2025
vim (2:9.1.0967-1ubuntu6) questing; urgency=medium

  * SECURITY UPDATE: Path traversal when opening specially crafted tar/zip
    archives.
    - debian/patches/CVE-2025-53905.patch: Replace "echohl Error" with call,
      remove leading slashes from name, replace tar_secure with g:tar_secure in
      runtime/autoload/tar.vim.
    - debian/patches/CVE-2025-53906.patch: Add need_rename, replace w! with w,
      call warning for path traversal attack, and escape leading "../" in
      runtime/autoload/zip.vim.
    - CVE-2025-53905
    - CVE-2025-53906

Date: Mon, 15 Sep 2025 14:08:04 -0230
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/vim/2:9.1.0967-1ubuntu6
-------------- next part --------------
Format: 1.8
Date: Mon, 15 Sep 2025 14:08:04 -0230
Source: vim
Built-For-Profiles: noudeb
Architecture: source
Version: 2:9.1.0967-1ubuntu6
Distribution: questing
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
Original-Maintainer: Debian Vim Maintainers <team+vim at tracker.debian.org>