Collection of vulnerabilities in Vim reported by rdancer

This bug was fixed in the package vim - 1:7.1.314-3ubuntu1

---------------
vim (1:7.1.314-3ubuntu1) intrepid; urgency=low

  * Resynchronise with Debian. Remaining changes:
    - Enable detection of GNU screen as a mouse-capable terminal.
    - Add NoDisplay=true to gvim.desktop.
    - Drop vim-lesstif package and lesstif2-dev build-dependency.
    - Build-depend on libxt-dev.
    - Enable Python interpreter on basic builds.
    - Create a .pot file for translations.
    - Disable autoindent, line-wrapping, and backup files by default.
  * Fixes various vulnerabilities due to improper quoting of 'execute'
    arguments (LP: #240216).
  * Drop fixes for upgrade problems from Ubuntu 6.06 LTS; direct upgrades
    from 6.06 to 8.10 will not be supported.

vim (1:7.1.314-3) unstable; urgency=high

  * Update runtime files affected by the filename escape vulnerability.
    (CVE 2008-2712, Closes: #486502)
  * debian/vim-runtime.preinst:
    - Only add the diversions if the preinst is called with the "install" or
      "upgrade" (to handle the previous mishandling in postrm) arguments.
  * debian/vim-runtime.postrm:
    - Only remove the diversions if the postrm is called with the "remove"
      argument. (Closes: #486446)
  * runtime/menu.vim:
    - Escape the buffer name when using the "Window -> Split File Explorer"
      menu item. (Closes: #486417)

vim (1:7.1.314-2) unstable; urgency=low

  * debian/rules:
    - Tell configure to only check the GUI toolkit specific to the variant
      being built. (Closes: #486319, #486336)
  * runtime/ftplugin/debchangelog.vim:
    - Merge Launchpad bug completion from Ubuntu.
    - Specify the full path when calling apt-listbugs instead of relying on
      /usr/sbin being in the user's path.
    - Improve error handling for Launchpad bug completion.

vim (1:7.1.314-1) unstable; urgency=low

  * New upstream patches (294 - 314), see README.gz for details.
    - SELinux support merged upstream
  * Update NetRW to version 125n (pre-release).
    - Calculate length of multi-byte strings properly. (Closes: #474609)
    - Display/navigate symlinks to directories properly. (Closes: #474980)
  * Update vim-git runtime files.
  * debian/update-patches:
    - Fix determination of patch level from last commit.
    - Use debian:debian/README to determine current patch level.
    - Don't exit on error since that prevents correcting merges.
    - Use a standard commit message for debian/README.
  * runtime/ftplugin/debchangelog.vim:
    - NewVersion() should only call foldopen if folding is enabled.
  * runtime/macros/justify.vim:
    - Calculate strlen for multi-byte strings properly. (Closes: #481115)
  * debian/rules:
    - Make use of upstream's "shadow" directories so the variants can be built
      in parallel.
    - Remove .NOTPARALLEL to allow parallel building.
    - Remove useless dh_shlibdeps call in the binary-indep target.
    - Remove autoconf-stamp target since we're no longer patching configure.
  * debian/vim-runtime.install:
    - Add new gvimtutor to vim-runtime package.
  * Very carefully divert vim-tiny's help.txt and helptags so they will still
    be in place if vim-runtime is removed.
  * d...

Can we expect a backport to Hardy for this security vulnerability?

Any update or information on when we can expect something for Hardy and Dapper?

see also:

http://thread.gmane.org/gmane.linux.debian.devel.release/25200/focus=25640

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Any update for this on Dapper, Gutsy, or Hardy?

These were all fixed in http://www.ubuntu.com/usn/USN-712-1.

The bug has been fixed in Gentoo, but it looks like they forgot to publish a GLSA. Until then they will not close the bug in their bugtracker.