LinuxQuestions.org
Old 09-24-2022, 09:03 PM   #16
marav
Quote:
Originally Posted by LuckyCyborg
in a stable release the software shouldn't be updated every day, right? OR am I missing something?
I think that in a stable release, software should be updated every time there is a security issue, even if that is every day (which is not really the case for Vim).

Last edited by marav; 09-24-2022 at 09:04 PM.
 
1 member found this post helpful.
Old 09-24-2022, 09:05 PM   #17
LuckyCyborg
Quote:
Originally Posted by marav
The majority of Vim CVEs are more or less related to application crashes in very specific cases.
For example, the latest CVE proof of concept:
Code:
vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc10_huaf.dat -c :qa!
=================================================================
==6729==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500000d910 at pc 0x559ab291177f bp 0x7ffd8c790370 sp 0x7ffd8c790360
READ of size 16 at 0x62500000d910 thread T0
...
Nothing really scary in our daily use.
IF there's nothing really scary in our daily use, WHY do those CVEs need to be fixed ASAP and new VIM packages get issued, WHEN a privilege escalation and remote code execution issue has been ignored for months?

Yes, I am talking about the XWayland server from Slackware 15.0, not patched even today.

https://www.phoronix.com/news/XWayland-22.1.3-Released

Last edited by LuckyCyborg; 09-24-2022 at 09:16 PM.
 
Old 09-24-2022, 09:18 PM   #18
marav
Quote:
Originally Posted by LuckyCyborg
IF there's nothing really scary in our daily use, WHY do those CVEs need to be fixed ASAP and new VIM packages get issued, WHEN a privilege escalation and remote code execution issue has been ignored for months?

Yes, I am talking about the XWayland server from Slackware 15.0, not patched even today.

https://www.phoronix.com/news/XWayland-22.1.3-Released
CVEs for the last 3 months:
Vim: 57
Linux kernel: 108

Should we stop using the Linux kernel?
 
Old 09-24-2022, 09:23 PM   #19
LuckyCyborg
Quote:
Originally Posted by marav
CVEs for the last 3 months:
Vim: 57
Linux kernel: 108

Should we stop using the Linux kernel?
Who knows?

BUT I cannot help noticing that the latest kernel on Slackware 15.0 is 5.15.63, while the latest from its LTS series is 5.15.70. And please note that I am talking about kernel releases, NOT about patches grabbed from Mr. Torvalds' personal git repository.

Maybe our BDFL can enlighten us as to WHY we have the VIM Of The Day, but not also the Kernel Of The Day, in Slackware 15.0?

And, again: no love yet for the XWayland server?

Hence, the huge attention which VIM gets on Slackware's part (compared with other, even more important packages, like the kernel) makes me highly suspicious of it and its code quality.

Last edited by LuckyCyborg; 09-24-2022 at 09:37 PM.
 
1 member found this post helpful.
Old 09-24-2022, 09:40 PM   #20
marav
Quote:
Originally Posted by LuckyCyborg

Hence, the huge attention which VIM gets on Slackware's part (compared with other, even more important packages, like the kernel) makes me highly suspicious of it and its code quality.
As am I.
Either they code very badly, or they like easy money (as suggested by Mr. Volkerding).

I have my own idea.

Last edited by marav; 09-24-2022 at 09:41 PM.
 
Old 09-25-2022, 09:45 AM   #21
Pithium
Quote:
Originally Posted by LuckyCyborg
I am not talking about its usefulness.

I am talking about VIM's code quality, which seems to be so questionable and ridiculous that VIM needs to receive daily security updates in the stable release of Slackware 15.0 - in a stable release the software shouldn't be updated every day, right? OR am I missing something?

No matter how useful a piece of software is, even its presence in the system seems highly dangerous, considering that it receives a CVE every day and those CVEs seem so dangerous that they need to be fixed ASAP.
CVEs are created when an exploit is FOUND, not when it first makes its way into the software. Somebody decided to audit an app that everyone assumes to be secure and found a few things; what's the problem here?

How many times does Pat have to update mozilla-firefox? I don't see you ranting about that. bind? httpd? curl? sendmail? THE KERNEL ITSELF?? You complain about the frequency of updates, but here you are on a website running a LAMP stack.

If this really is an issue for you, delete your LQ account, unplug from the internet and go live in the woods. Grow a nice big beard and come down to the city once every year to trade pelts for salt. Because nothing in Slackware is safe enough for your needs.

Or better yet, download the source code for VIM and fix it yourself. A man as smart as yourself should have no problem fixing all the problems with vim's code quality.
 
4 members found this post helpful.
Old 09-25-2022, 11:21 AM   #22
LuckyCyborg
Quote:
Originally Posted by Pithium
CVEs are created when an exploit is FOUND, not when it first makes its way into the software. Somebody decided to audit an app that everyone assumes to be secure and found a few things; what's the problem here?
The problem here is the overwhelming attention which VIM gets, in comparison with more important packages, like... the kernel?

Since Aug 26, 2022, when the last kernel, 5.15.63, was pushed to Slackware 15.0, another 7 (seven) releases have come out, up to today's 5.15.70, and yet none of them has entered the game.

While the 5.15.63 released for stable Slackware 15.0 even seems to have issues, in particular with 32-bit kernels. See here an example:

https://www.linuxquestions.org/quest...mp-4175716553/

And still no love for the XWayland server and its known vulnerabilities.

If every piece of software got equal attention, I would never have complained.

BUT, we got VIM, VIM, VIM, VIM, VIM, VIM, VIM, VIM, VIM, VIM, and again VIM. No kernels, no XWayland server, God knows what else not.

Then I believe that I'm entitled to ask: WTF is wrong with VIM? Are VIM's CVEs more important than the kernel's CVEs?

Quote:
Originally Posted by Pithium
How many times does Pat have to update mozilla-firefox? I don't see you ranting about that.
When Mozilla Firefox gets daily updates in stable Slackware 15.0, you can trust me that I will ask: WTF is wrong with Mozilla Firefox?

Quote:
Originally Posted by Pithium
bind? httpd? curl? sendmail? THE KERNEL ITSELF?? You complain about the frequency of updates, but here you are on a website running a LAMP stack.

If this really is an issue for you, delete your LQ account, unplug from the internet and go live in the woods. Grow a nice big beard and come down to the city once every year to trade pelts for salt. Because nothing in Slackware is safe enough for your needs.

Or better yet, download the source code for VIM and fix it yourself. A man as smart as yourself should have no problem fixing all the problems with vim's code quality.
May I ask whether you were raised and educated in a communist country? Because what you did here is exactly what is called a "Soviet Argument" ...

For those who do not know what a Soviet Argument is: it's a speech style used when someone raises an issue, where someone else (like you) responds by attacking not the raised issue but the complainer himself, his quirks and past. Usually it's accompanied by a "sending to the woods" as a ritualistic claim that the complainer is not worthy to live in his community unless he solves the issue himself.

Yeah, in the Soviet Union that's how they did with the people raising issues. They sent them into woods. Sometimes, that happened literally. In Siberia.

Last edited by LuckyCyborg; 09-25-2022 at 12:03 PM.
 
Old 09-25-2022, 12:05 PM   #23
marav
Quote:
Originally Posted by LuckyCyborg
The problem here is the overwhelming attention which VIM gets, in comparison with more important packages, like... the kernel?
For slackware64-current
Code:
blackstar :: » grep -c kernel-source ChangeLog.txt  
50
blackstar :: » grep -c vim ChangeLog.txt    
50
It seems that we have given the same attention ;-)
 
Old 09-25-2022, 12:10 PM   #24
LuckyCyborg
Quote:
Originally Posted by marav
For slackware64-current
Code:
blackstar :: » grep -c kernel-source ChangeLog.txt  
50
blackstar :: » grep -c vim ChangeLog.txt    
50
It seems that we have given the same attention ;-)
I am not talking about -current, as it's the development tree. I will not complain about -current even if it goes through mass rebuilds daily for months, because it's -current and I've assumed the risks of using it.

My issue is the stable tree of Slackware 15.0, where the kernel CVEs seem to get updates in batches and the XWayland server is still not fixed after months, while VIM is uber-updated. Daily.

Code:
Fri Aug 26 04:02:20 UTC 2022
patches/packages/linux-5.15.63/*:  Upgraded.
  These updates fix various bugs and security issues.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    Fixed in 5.15.39:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1974
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1975
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1734
    Fixed in 5.15.40:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1943
    Fixed in 5.15.41:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28893
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32296
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1012
    Fixed in 5.15.42:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1652
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1729
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21499
    Fixed in 5.15.44:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1789
    Fixed in 5.15.45:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2873
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1966
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32250
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2078
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1852
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1972
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2503
    Fixed in 5.15.46:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1973
    Fixed in 5.15.47:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34494
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34495
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32981
    Fixed in 5.15.48:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21125
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21166
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21123
    Fixed in 5.15.53:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2318
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33743
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33742
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33741
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33740
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26365
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33744
    Fixed in 5.15.54:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33655
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918
    Fixed in 5.15.56:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36123
    Fixed in 5.15.57:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29900
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901
    Fixed in 5.15.58:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21505
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36879
    Fixed in 5.15.59:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946
    Fixed in 5.15.60:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26373
    Fixed in 5.15.61:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2586
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2585
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1679
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2588
  (* Security fix *)
Can't we have something like this for VIM's CVEs too? Nope? They are that dangerous, then?

Last edited by LuckyCyborg; 09-25-2022 at 12:32 PM.
 
1 member found this post helpful.
Old 09-25-2022, 12:43 PM   #25
Pithium
What are we crying about? A text editor used by sysadmins all over the world is getting security updates? Say it isn't so!

https://github.com/vim/vim/tags
https://linuxgalaxy.org/lcp/slackware/15.0/?arch=x86_64&pkg=vim


If Pat is updating vim on a daily basis then I demand that this be reflected in the changelog! Else I'm just gonna blame upstream.
 
1 member found this post helpful.
Old 09-25-2022, 12:48 PM   #26
marav
Quote:
Originally Posted by LuckyCyborg
I am not talking about -current, as it's the development tree. I will not complain about -current even if it goes through mass rebuilds daily for months, because it's -current and I've assumed the risks of using it.

My issue is the stable tree of Slackware 15.0, where the kernel CVEs seem to get updates in batches and the XWayland server is still not fixed after months, while VIM is uber-updated. Daily.

Can't we have something like this for VIM's CVEs too? Nope? They are that dangerous, then?
I understand what you mean, but there is no need to give false arguments.
Vim is updated once a week at best, more or less:
6/09 - 10/09 - 14/09 - 18/09 - 23/09

Last edited by marav; 09-25-2022 at 12:50 PM.
 
1 member found this post helpful.
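The counts in posts #23 and #24 come from grep -c, which counts every ChangeLog line containing the string (notes, the vim-gvim package, anything that mentions vim) rather than package updates, and the cadence argument in #26 needs dates per package. What follows is an added example, my own code and not something from the thread or from Slackware's tools: it parses the ChangeLog.txt layout quoted in post #24 and tallies, per package, how many updates carried the (* Security fix *) marker, how many distinct CVE identifiers they referenced, and the number of days between successive updates. The embedded sample is constructed: the kernel entry reuses the date and three of the CVE links quoted in this thread, while the vim entries use marav's dates with made-up versions and placeholder CVE-0000-* identifiers that are not real CVEs.

```python
"""Tally Slackware ChangeLog.txt security updates per package.
Added example, not from the thread or from Slackware. Understands the layout
quoted in this thread: a date line, 'path/to/pkg:  Upgraded.' lines with
indented notes and a '(* Security fix *)' marker, '+---+' separators between days."""
import re
from collections import defaultdict
from datetime import datetime

DATE_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} UTC \d{4}$")
ENTRY_RE = re.compile(r"^(\S+):\s+(Upgraded|Rebuilt|Added|Removed|Moved)\.")
SEP_RE = re.compile(r"^\+-+\+$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SECURITY_MARK = "(* Security fix *)"


def package_name(path):
    """'.../vim-9.0.0400-x86_64-1_slack15.0.txz' -> ('vim', '9.0.0400');
    '.../linux-5.15.63/*' -> ('linux', '5.15.63'). Slackware names are
    name-version-arch-build and the name may contain '-', so split from the right."""
    leaf = re.sub(r"\.t[gblx]z$", "", path.rstrip("/*").rsplit("/", 1)[-1])
    parts = leaf.rsplit("-", 3)
    return (parts[0], parts[1]) if len(parts) >= 2 else (leaf, "")


def parse_changelog(text):
    """One dict per package entry, in file order (newest first)."""
    entries, date, current = [], None, None
    for line in text.splitlines():
        if DATE_RE.match(line):
            date = datetime.strptime(line, "%a %b %d %H:%M:%S UTC %Y")
            current = None
        elif SEP_RE.match(line):
            current = None
        elif ENTRY_RE.match(line):
            m = ENTRY_RE.match(line)
            name, version = package_name(m.group(1))
            current = {"date": date, "package": name, "version": version,
                       "action": m.group(2), "security": False, "cves": []}
            entries.append(current)
        elif current is not None:        # indented note line of the open entry
            current["security"] |= SECURITY_MARK in line
            current["cves"].extend(CVE_RE.findall(line))
    return entries


def summarize(entries):
    """Per package: updates, security updates, distinct CVEs, update dates."""
    stats = defaultdict(lambda: {"updates": 0, "security_updates": 0,
                                 "cves": set(), "dates": []})
    for e in entries:
        s = stats[e["package"]]
        s["updates"] += 1
        s["security_updates"] += int(e["security"])
        s["cves"].update(e["cves"])
        if e["date"] is not None:
            s["dates"].append(e["date"].date())
    return dict(stats)


def update_gaps_days(dates):
    """Days between consecutive (distinct) update dates, oldest to newest."""
    d = sorted(set(dates))
    return [(b - a).days for a, b in zip(d, d[1:])]


def report(text):
    """Print one summary line per package; returns the stats dict."""
    stats = summarize(parse_changelog(text))
    for name in sorted(stats):
        s = stats[name]
        print(f"{name:<10} updates={s['updates']} security={s['security_updates']} "
              f"cves={len(s['cves'])} gaps_days={update_gaps_days(s['dates'])}")
    return stats


# Constructed sample: the kernel entry reuses the date and CVE links quoted in
# the thread; the vim entries use marav's dates, made-up versions and placeholder
# CVE-0000-* identifiers (not real CVEs).
SAMPLE = """\
Wed Sep 14 19:30:00 UTC 2022
patches/packages/vim-9.0.0450-x86_64-1_slack15.0.txz:  Upgraded.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-0000-0003
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-0000-0004
  (* Security fix *)
patches/packages/vim-gvim-9.0.0450-x86_64-1_slack15.0.txz:  Upgraded.
  (* Security fix *)
+--------------------------+
Sat Sep 10 02:00:00 UTC 2022
patches/packages/vim-9.0.0420-x86_64-1_slack15.0.txz:  Upgraded.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-0000-0002
  (* Security fix *)
+--------------------------+
Tue Sep  6 20:15:00 UTC 2022
patches/packages/vim-9.0.0400-x86_64-1_slack15.0.txz:  Upgraded.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-0000-0001
  (* Security fix *)
+--------------------------+
Fri Aug 26 04:02:20 UTC 2022
patches/packages/linux-5.15.63/*:  Upgraded.
  For more information, see:
    Fixed in 5.15.39:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1974
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1975
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1734
  (* Security fix *)
"""

if __name__ == "__main__":
    report(SAMPLE)          # real use: report(open("ChangeLog.txt").read())
```

Against the stable tree's ChangeLog.txt this gives per-package figures instead of line counts. Note what the kernel entry quoted in post #24 shows: one Slackware kernel package bundles the CVEs of every stable release since the previous one (5.15.39 through 5.15.61 in that entry), so its CVE count is high while its update count stays low, which is the batching LuckyCyborg describes; vim's fixes arrive one or two CVEs at a time, so the same number of CVEs spreads over many more packages.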
Old 09-25-2022, 01:55 PM   #27
henca
Quote:
Originally Posted by LuckyCyborg
Since Aug 26, 2022, when the last kernel, 5.15.63, was pushed to Slackware 15.0, another 7 (seven) releases have come out, up to today's 5.15.70, and yet none of them has entered the game.
I can't say for sure how the choice is made of which kernels should make it into Slackware security patches. However, I can say for sure that a comparison between the number of CVEs in an application like vim and the number of CVEs in the Linux kernel is not completely fair.

The Linux kernel is a rather large code base and of course it will contain more bugs. However, not all CVEs in the Linux kernel apply to all Linux users. Some parts of the Linux source code go into the compiled kernel. Some parts go into kernel modules. Depending upon your configuration, some parts do not get compiled at all. Even most of the modules that you have compiled and installed will probably not be loaded.

Again, I can't say for sure how the choices are made, but it could be that some kernel CVEs are ignored simply because they do not apply to any of the original Slackware kernel configurations.

regards Henrik
 
1 member found this post helpful.
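Henrik's point can be turned into a mechanical check. The following is an added example, my own code and not from the thread or from Slackware: it reads a /boot/config-* style kernel config and /proc/modules, and for each CVE reports whether the affected code is built in, built as a module that is loaded, built as a module that is not loaded, or not built at all. The CVE-to-Kconfig mapping covers three CVEs that appear in the kernel ChangeLog entry quoted in post #24; it is my own reading of the upstream fixes and is marked as an assumption in the code, as is the list of modules an unprivileged user can get autoloaded. The config and module listing are constructed sample data, not taken from a real Slackware kernel.

```python
"""Triage kernel CVEs against the kernel config and loaded modules.
Added example, not from the thread or from Slackware. A kernel CVE reaches a
box only if the code it lives in was compiled in (=y) or compiled as a module
(=m) that is loaded or can be loaded."""
import re

# ASSUMPTION: CVE -> (Kconfig symbol, module name), my reading of the upstream
# fixes for three CVEs from the kernel ChangeLog entry quoted in the thread.
# Verify each against the CVE text before relying on it.
CVE_KCONFIG = {
    "CVE-2022-34918": ("CONFIG_NF_TABLES", "nf_tables"),      # netfilter nf_tables
    "CVE-2022-2588": ("CONFIG_NET_CLS_ROUTE4", "cls_route"),  # tc route classifier
    "CVE-2022-1679": ("CONFIG_ATH9K_HTC", "ath9k_htc"),       # Atheros USB wifi driver
}

# ASSUMPTION: modules an unprivileged local user can get auto-loaded on a
# CONFIG_USER_NS=y kernel by creating a user+network namespace (netfilter and
# tc request_module() their backends on first use). Hardware drivers are not
# in this set: they load only when the device shows up.
USER_TRIGGERABLE = {"nf_tables", "cls_route"}


def parse_kconfig(text):
    """Map CONFIG_* symbols to 'y', 'm', 'n' or a literal value from a
    /boot/config-* style file; '# CONFIG_X is not set' counts as 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def parse_proc_modules(text):
    """Module names from /proc/modules (first column; lsmod output minus its
    header line works too)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def assess(cve_map, config_text, loaded):
    """Classify each CVE for this kernel: 'built-in', 'not built',
    'module, loaded', 'module, not loaded, autoloadable' or 'module, not loaded'."""
    opts = parse_kconfig(config_text)
    user_ns = opts.get("CONFIG_USER_NS") == "y"
    verdict = {}
    for cve, (symbol, module) in cve_map.items():
        state = opts.get(symbol, "n")
        if state == "y":
            verdict[cve] = "built-in"
        elif state != "m":
            verdict[cve] = "not built"
        elif module in loaded:
            verdict[cve] = "module, loaded"
        elif user_ns and module in USER_TRIGGERABLE:
            verdict[cve] = "module, not loaded, autoloadable"
        else:
            verdict[cve] = "module, not loaded"
    return verdict


# Constructed sample data standing in for a /boot/config-* file and
# /proc/modules on a workstation; not taken from a real Slackware kernel.
SAMPLE_CONFIG = """\
CONFIG_NF_TABLES=m
CONFIG_NET_CLS_ROUTE4=m
# CONFIG_ATH9K_HTC is not set
CONFIG_USER_NS=y
"""
SAMPLE_PROC_MODULES = """\
nf_tables 262144 3 nft_compat,nft_counter, Live 0x0000000000000000
nfnetlink 20480 1 nf_tables, Live 0x0000000000000000
"""

if __name__ == "__main__":
    # Real use: assess(CVE_KCONFIG, open("/boot/config-generic-5.15.63").read(),
    #                  parse_proc_modules(open("/proc/modules").read()))
    for cve, state in assess(CVE_KCONFIG, SAMPLE_CONFIG,
                             parse_proc_modules(SAMPLE_PROC_MODULES)).items():
        print(f"{cve}: {state}")
```

The caveat that matters in practice is the "not loaded" branch: a module that is not loaded is not unreachable. Subsystems such as nf_tables and the tc classifiers are loaded on demand, and on a kernel with user namespaces an unprivileged process can trigger that from a fresh namespace, so treat those as exposed unless autoloading is blocked for them (an `install nf_tables /bin/false` line in /etc/modprobe.d, or kernel.modules_disabled=1 once the system is up). Slackware's generic kernel builds most subsystems as modules, so the =m branch is the common case there; a USB driver like ath9k_htc, by contrast, only matters on a machine where that device can appear.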
Old 09-25-2022, 07:47 PM   #28
montagdude
Quote:
Originally Posted by Pithium
What are we crying about? A text editor used by sysadmins all over the world is getting security updates? Say it isn't so!
Seriously. Quite the first-world problem.
 
1 member found this post helpful.
Old 09-26-2022, 01:59 AM   #29
henca
Quote:
Originally Posted by Pithium
What are we crying about? A text editor used by sysadmins all over the world is getting security updates? Say it isn't so!
The complaint by the original poster was that the pushed updates overwrite customized configuration files. This is annoying for any package doing so. I have a custom package which modifies the dpms settings in /etc/X11/app-defaults/XScreenSaver; every time xscreensaver is updated with a new package my custom settings are overwritten. If I remember right there was an agreement between Slackware and xscreensaver that Slackware was allowed to remove the update nag screen from xscreensaver if new releases of xscreensaver were pushed as Slackware updates. With such an agreement it would be nice if the xscreensaver configuration file had some kind of support for including files with custom settings.

regards Henrik
 
Old 09-26-2022, 03:14 AM   #30
marav
Quote:
Originally Posted by henca
The complaint by the original poster was that the pushed updates overwrite customized configuration files. This is annoying for any package doing so. I have a custom package which modifies the dpms settings in /etc/X11/app-defaults/XScreenSaver; every time xscreensaver is updated with a new package my custom settings are overwritten. If I remember right there was an agreement between Slackware and xscreensaver that Slackware was allowed to remove the update nag screen from xscreensaver if new releases of xscreensaver were pushed as Slackware updates. With such an agreement it would be nice if the xscreensaver configuration file had some kind of support for including files with custom settings.

regards Henrik
As with Vim, it's up to the user, not the software, to deal with custom config files:
Code:
! These resources, when placed in the system-wide app-defaults directory
! (e.g., /usr/lib/X11/app-defaults/XScreenSaver) will provide the default
! settings for new users.  However, if you have a ".xscreensaver" file in
! your home directory, the settings in that file take precedence.

Last edited by marav; 09-26-2022 at 03:18 AM. Reason: typo
 
1 member found this post helpful.
  

