Mail Archives: cygwin/2023/11/17/17:14:48

Message-ID: <bf424fdc-2f78-4182-bb92-40cd64f80414@Shaw.ca>
Date: Fri, 17 Nov 2023 15:14:29 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Could we get Vim 9 packaged to fix CVEs
To: cygwin AT cygwin DOT com
References: <CAN3V7BRCjqUU0h3pGgrQg7y-jDLLGEbtsXMzCjtWENFaGrGf+Q AT mail DOT gmail DOT com>
<122a988f-97dd-458a-9bc9-42a526e1b1e5 AT Shaw DOT ca>
Organization: Inglis
In-Reply-To: <122a988f-97dd-458a-9bc9-42a526e1b1e5@Shaw.ca>
From: Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Brian DOT Inglis AT Shaw DOT ca

On 2023-11-12 15:27, Brian Inglis via Cygwin wrote:
> On 2023-11-09 09:35, Jack S via Cygwin wrote:
>> Would it be possible to update the vim packages with Vim 9, please?

> Also now:
>      https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm

Expanding above:

CVE-2023-46246: Integer overflow in :history Ex-Command in Vim < 9.0.2068
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm
fixed in Vim patch 9.0.2068
https://github.com/vim/vim/commit/9198c1f2b1ddecde22af918541e0de2a32f0f45a

New:

[vim-security] several minor security issues in Vim v9.0.2106-v9.0.2112
https://seclists.org/oss-sec/2023/q4/218

CVE-2023-48231: Use-After-Free in win_close()
https://github.com/vim/vim/security/advisories/GHSA-8g46-v9ff-c765
fixed in Vim patch 9.0.2106
https://github.com/vim/vim/commit/25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a

CVE-2023-48232: Floating point Exception in adjust_plines_for_skipcol()
https://github.com/vim/vim/security/advisories/GHSA-f6cx-x634-hqpw
fixed in Vim patch 9.0.2107
https://github.com/vim/vim/commit/cb0b99f0672d8446585d26e998343dceca17d1ce

CVE-2023-48233: overflow with count for :s command
https://github.com/vim/vim/security/advisories/GHSA-3xx4-hcq6-r2vj
fixed in Vim patch 9.0.2108
https://github.com/vim/vim/commit/ac63787734fda2e294e477af52b3bd601517fa78

CVE-2023-48234: overflow in nv_z_get_count
https://github.com/vim/vim/security/advisories/GHSA-59gw-c949-6phq
fixed in Vim patch 9.0.2109
https://github.com/vim/vim/commit/58f9befca1fa172068effad7f2ea5a9d6a7b0cca

CVE-2023-48235: overflow in ex address parsing
https://github.com/vim/vim/security/advisories/GHSA-6g74-hr6q-pr8g
fixed in Vim patch 9.0.2110
https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200

CVE-2023-48236: overflow in get_number
https://github.com/vim/vim/security/advisories/GHSA-pr4c-932v-8hx5
fixed in Vim patch 9.0.2111
https://github.com/vim/vim/commit/73b2d3790cad5694fc0ed0db2926e4220c48d968

CVE-2023-48237: overflow in shift_line
https://github.com/vim/vim/security/advisories/GHSA-f2m2-v387-gv87
fixed in Vim patch 9.0.2112
https://github.com/vim/vim/commit/6bf131888a3d1de62bbfa8a7ea03c0ddccfd496e

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry
