Your message dated Thu, 28 May 2026 22:53:21 +0000
with message-id <[email protected]>
and subject line Bug#1137528: fixed in vifm 0.14.3-3
has caused the Debian Bug report #1137528,
regarding vifm: CVE-2026-8997
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137528: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137528
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vifm
Version: 0.14-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for vifm.
CVE-2026-8997[0]:
| vifm is vulnerable to a heap buffer overflow during the history
| merge process when saving the state file (vifminfo.json). This flaw
| occurs because the application lacks a runtime check on the length
| of history entries in release builds, potentially allowing a crafted
| long path or command in the history to cause memory corruption or
| application crashes. Releases from 0.12.1 to 0.14.3 (including) are
| considered vulnerable. This issue was fixed in commit 23063c7
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-8997
https://www.cve.org/CVERecord?id=CVE-2026-8997
[1] https://github.com/vifm/vifm/commit/23063c741f15a85621fd232dfc3ac5b779f6910d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: vifm
Source-Version: 0.14.3-3
Done: Kirill Rekhov <[email protected]>
We believe that the bug you reported is fixed in the latest version of
vifm, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kirill Rekhov <[email protected]> (supplier of updated vifm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 27 May 2026 16:18:23 +0000
Source: vifm
Architecture: source
Version: 0.14.3-3
Distribution: unstable
Urgency: medium
Maintainer: Kirill Rekhov <[email protected]>
Changed-By: Kirill Rekhov <[email protected]>
Closes: 1137528
Changes:
vifm (0.14.3-3) unstable; urgency=medium
.
* Fix CVE-2026-8997: prevent heap buffer overflow in trie
(Closes: #1137528)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
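
The CVE description quoted in the report above attributes the overflow to a length check on history entries that is absent from release builds. As an added illustration (not vifm's code and not the upstream fix), the C below assumes the check was made with assert(), which is compiled out under -DNDEBUG, and sets it beside a runtime check. MAX_ENTRY_LEN, the function names and the sample entries are constructed for this example.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit for this example; not a value taken from vifm. */
#define MAX_ENTRY_LEN 64

/* Debug-only check: with -DNDEBUG (typical for release builds) assert()
 * expands to nothing, so an over-long entry is copied past the buffer. */
char *copy_entry_debug_checked(const char *entry)
{
    char *buf = malloc(MAX_ENTRY_LEN + 1);
    if (buf == NULL) return NULL;
    assert(strlen(entry) <= MAX_ENTRY_LEN);
    strcpy(buf, entry); /* heap overflow once the assert is compiled out */
    return buf;
}

/* Runtime check: present in every build mode; rejects instead of copying. */
char *copy_entry_runtime_checked(const char *entry)
{
    size_t len = strlen(entry);
    if (len > MAX_ENTRY_LEN) return NULL;
    char *buf = malloc(len + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, entry, len + 1);
    return buf;
}

/* Merge hypothetical history entries, skipping rejected ones; returns count kept. */
size_t merge_history(const char *const *entries, size_t n, char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        char *copy = copy_entry_runtime_checked(entries[i]);
        if (copy != NULL) out[kept++] = copy;
    }
    return kept;
}

int main(void)
{
    const char *entries[] = { "/home/user/docs", ":!ls -la" }; /* constructed */
    char *out[2];
    size_t kept = merge_history(entries, 2, out);
    for (size_t i = 0; i < kept; i++) free(out[i]);
    return kept == 2 ? 0 : 1;
}
```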