[dunfell,0/8] Patch review - vim CVEs

Message ID cover.1645465376.git.steve@sakoman.com
State Not Applicable, archived
Pull-request

git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut

Message

Steve Sakoman Feb. 21, 2022, 7:34 p.m. UTC
There's a fairly constant flow of CVEs being reported for vim, which are
getting increasingly non-trivial to backport. There are currently 26 CVEs
outstanding for vim in dunfell.

This has been handled in master with a number of version updates. Since
vim is a fairly stand-alone package it seems to make sense to also follow
this strategy for dunfell.

This patch series backports the vim version updates from master.

I'd love to get some feedback on this approach.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3256

with the exception of a known autobuilder intermittent issue on oe-selftest-ubuntu,
which passed on subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/3193


The following changes since commit 81fab225daf798792c139f669f5bfd96d9fd25a8:

  ruby: fix DEPENDS append (2022-02-21 04:52:33 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  vim: do not report upstream version check as broken

Richard Purdie (2):
  vim: Upgrade 4269 -> 4134
  vim: Upgrade 8.2.4314 -> 8.2.4424

Ross Burton (4):
  vim: set PACKAGECONFIG idiomatically
  vim: upgrade to 8.2 patch 3752
  vim: update to include latest CVE fixes
  vim: upgrade to patch 4269

Steve Sakoman (1):
  Revert "vim: fix CVE-2021-4069"

 ...1-reading-character-past-end-of-line.patch |  62 ------
 ...src-Makefile-improve-reproducibility.patch |  13 +-
 ...28-using-freed-memory-when-replacing.patch |  83 -------
 ...eading-uninitialized-memory-when-giv.patch |  63 ------
 ...rash-when-using-CTRL-W-f-without-fin.patch |  92 --------
 ...llegal-memory-access-if-buffer-name-.patch |  86 --------
 ...ml_get-error-after-search-with-range.patch |  72 ------
 ...nvalid-memory-access-when-scrolling-.patch |  97 --------
 .../vim/files/CVE-2021-3778.patch             |  61 ------
 .../vim/files/CVE-2021-4069.patch             |  43 ----
 ...1e135a16091c93f6f5f7525a5c58fb7ca9f9.patch | 207 ------------------
 .../vim/files/disable_acl_header_check.patch  |  15 +-
 .../vim/files/no-path-adjust.patch            |   8 +-
 meta/recipes-support/vim/files/racefix.patch  |   6 +-
 ...m-add-knob-whether-elf.h-are-checked.patch |  13 +-
 meta/recipes-support/vim/vim.inc              |  27 +--
 16 files changed, 33 insertions(+), 915 deletions(-)
 delete mode 100644 meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch
 delete mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
 delete mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch
 delete mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch
 delete mode 100644 meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
 delete mode 100644 meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
 delete mode 100644 meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
 delete mode 100644 meta/recipes-support/vim/files/CVE-2021-3778.patch
 delete mode 100644 meta/recipes-support/vim/files/CVE-2021-4069.patch
 delete mode 100644 meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch

Comments

akuster808 Feb. 24, 2022, 6:01 a.m. UTC | #1
On 2/21/22 11:34, Steve Sakoman wrote:
> There's a fairly constant flow of CVEs being reported for vim, which are
> getting increasingly non-trivial to backport. There are currently 26 CVEs
> outstanding for vim in dunfell.
>
> This has been handled in master with a number of version updates. Since
> vim is a fairly stand-alone package it seems to make sense to also follow
> this strategy for dunfell.
>
> This patch series backports the vim version updates from master.
>
> I'd love to get some feedback on this approach.

Under the situation, this is a good approach. Thanks for putting the series
together.

- armin
>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3256
>
> with the exception of a known autobuilder intermittent issue on oe-selftest-ubuntu,
> which passed on subsequent retest:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/3193
>
>
> The following changes since commit 81fab225daf798792c139f669f5bfd96d9fd25a8:
>
>    ruby: fix DEPENDS append (2022-02-21 04:52:33 -1000)
>
> are available in the Git repository at:
>
>    git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
>    http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
>
> Alexander Kanavin (1):
>    vim: do not report upstream version check as broken
>
> Richard Purdie (2):
>    vim: Upgrade 4269 -> 4134
>    vim: Upgrade 8.2.4314 -> 8.2.4424
>
> Ross Burton (4):
>    vim: set PACKAGECONFIG idiomatically
>    vim: upgrade to 8.2 patch 3752
>    vim: update to include latest CVE fixes
>    vim: upgrade to patch 4269
>
> Steve Sakoman (1):
>    Revert "vim: fix CVE-2021-4069"
>
>   ...1-reading-character-past-end-of-line.patch |  62 ------
>   ...src-Makefile-improve-reproducibility.patch |  13 +-
>   ...28-using-freed-memory-when-replacing.patch |  83 -------
>   ...eading-uninitialized-memory-when-giv.patch |  63 ------
>   ...rash-when-using-CTRL-W-f-without-fin.patch |  92 --------
>   ...llegal-memory-access-if-buffer-name-.patch |  86 --------
>   ...ml_get-error-after-search-with-range.patch |  72 ------
>   ...nvalid-memory-access-when-scrolling-.patch |  97 --------
>   .../vim/files/CVE-2021-3778.patch             |  61 ------
>   .../vim/files/CVE-2021-4069.patch             |  43 ----
>   ...1e135a16091c93f6f5f7525a5c58fb7ca9f9.patch | 207 ------------------
>   .../vim/files/disable_acl_header_check.patch  |  15 +-
>   .../vim/files/no-path-adjust.patch            |   8 +-
>   meta/recipes-support/vim/files/racefix.patch  |   6 +-
>   ...m-add-knob-whether-elf.h-are-checked.patch |  13 +-
>   meta/recipes-support/vim/vim.inc              |  27 +--
>   16 files changed, 33 insertions(+), 915 deletions(-)
>   delete mode 100644 meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch
>   delete mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
>   delete mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch
>   delete mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch
>   delete mode 100644 meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
>   delete mode 100644 meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
>   delete mode 100644 meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
>   delete mode 100644 meta/recipes-support/vim/files/CVE-2021-3778.patch
>   delete mode 100644 meta/recipes-support/vim/files/CVE-2021-4069.patch
>   delete mode 100644 meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch