Package: release.debian.org Severity: normal Tags: jessie User: [email protected] Usertags: pu
This upload would fix two no-dsa CVEs (CVE-2017-6349, CVE-2017-6350) for Vim. Debdiff attached. -- System Information: Debian Release: 9.0 APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diffstat for vim-7.4.488 vim-7.4.488
 changelog | 8 +++++
 patches/series | 2 +
 patches/upstream/v8-0-0377.patch | 45 ++++++++++++++++++++++++++++++++
 patches/upstream/v8-0-0378.patch | 54 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 109 insertions(+)
diff -Nru vim-7.4.488/debian/changelog vim-7.4.488/debian/changelog
--- vim-7.4.488/debian/changelog 2017-02-12 20:02:50.000000000 -0500
+++ vim-7.4.488/debian/changelog 2017-03-06 23:52:28.000000000 -0500
@@ -1,3 +1,11 @@
+vim (2:7.4.488-7+deb8u3) jessie; urgency=medium
+
+ * Backport upstream patches v8.0.0377 & v8.0.0378, to fix buffer overflows
+ when reading corrupted undo files. (Closes: #856266, CVE-2017-6349,
+ CVE-2017-6350)
+
+ -- James McCoy <[email protected]> Mon, 06 Mar 2017 23:52:28 -0500
+
 vim (2:7.4.488-7+deb8u2) jessie-security; urgency=high
 
 * Backport patch 8.0.0322 to fix a buffer overflow if a spellfile has an
diff -Nru vim-7.4.488/debian/patches/series vim-7.4.488/debian/patches/series
--- vim-7.4.488/debian/patches/series 2017-02-12 19:59:43.000000000 -0500
+++ vim-7.4.488/debian/patches/series 2017-03-06 23:46:47.000000000 -0500
@@ -10,3 +10,5 @@
 debian/extra-tex-detection.patch
 upstream/v8-0-0056.patch
 upstream/v8-0-0322.patch
+upstream/v8-0-0377.patch
+upstream/v8-0-0378.patch
diff -Nru vim-7.4.488/debian/patches/upstream/v8-0-0377.patch vim-7.4.488/debian/patches/upstream/v8-0-0377.patch
--- vim-7.4.488/debian/patches/upstream/v8-0-0377.patch 1969-12-31 19:00:00.000000000 -0500
+++ vim-7.4.488/debian/patches/upstream/v8-0-0377.patch 2017-03-06 23:51:37.000000000 -0500
@@ -0,0 +1,45 @@
+commit 3eb1637b1bba19519885dd6d377bd5596e91d22c
+Author: Bram Moolenaar <[email protected]>
+Date: Sun Feb 26 18:11:36 2017 +0100
+
+ patch 8.0.0377: possible overflow when reading corrupted undo file
+
+ Problem: Possible overflow when reading corrupted undo file.
+ Solution: Check if allocated size is not too big. (King)
+
+diff --git a/src/undo.c b/src/undo.c
+index b69f31872..ba7c0b83c 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -1836,7 +1836,7 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
+ linenr_T line_lnum;
+ colnr_T line_colnr;
+ linenr_T line_count;
+- int num_head = 0;
++ long num_head = 0;
+ long old_header_seq, new_header_seq, cur_header_seq;
+ long seq_last, seq_cur;
+ long last_save_nr = 0;
+@@ -2023,7 +2023,8 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
+ * When there are no headers uhp_table is NULL. */
+ if (num_head > 0)
+ {
+- uhp_table = (u_header_T **)U_ALLOC_LINE(
++ if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
++ uhp_table = (u_header_T **)U_ALLOC_LINE(
+ num_head * sizeof(u_header_T *));
+ if (uhp_table == NULL)
+ goto error;
+diff --git a/src/version.c b/src/version.c
+index 8d1454197..c79020b21 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -1733,6 +1733,8 @@ static char *(features[]) =
+ static char *(extra_patches[]) =
+ { /* Add your patch description below this line */
+ /**/
++ "8.0.0377",
++/**/
+ "8.0.0322",
+ /**/
+ "8.0.0056",
diff -Nru vim-7.4.488/debian/patches/upstream/v8-0-0378.patch vim-7.4.488/debian/patches/upstream/v8-0-0378.patch
--- vim-7.4.488/debian/patches/upstream/v8-0-0378.patch 1969-12-31 19:00:00.000000000 -0500
+++ vim-7.4.488/debian/patches/upstream/v8-0-0378.patch 2017-03-06 23:52:12.000000000 -0500
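Review bot: The new `if (num_head < LONG_MAX / (long)sizeof(u_header_T *))` guard in u_read_undo reports an oversized header count only indirectly, by leaving `uhp_table` untouched so that the following `if (uhp_table == NULL) goto error;` fires; that is sound only if `uhp_table` is NULL-initialised at its declaration, which is outside this hunk (the declarations shown at line 1836 do not include it), and the companion patch 8.0.0378 makes the same assumption explicit for `array` with `char_u **array = NULL;`. Worth confirming the 7.4.488 tree declares it that way before shipping the backport, and a comment on the guard would stop a later reader from "simplifying" it: `/* Reject a header count whose table size would wrap the long multiplication below; leaving uhp_table NULL routes the corrupt file to the error path. */`. The point of the change for the undo-file parser is that a hostile count now produces a clean read error instead of an undersized allocation, so any future refactor must preserve that NULL-on-reject behaviour. u_read_undo itself starts and ends outside the hunk.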
@@ -0,0 +1,54 @@
+commit 0c8485f0e4931463c0f7986e1ea84a7d79f10c75
+Author: Bram Moolenaar <[email protected]>
+Date: Sun Feb 26 18:17:10 2017 +0100
+
+ patch 8.0.0378: possible overflow when reading corrupted undo file
+
+ Problem: Another possible overflow when reading corrupted undo file.
+ Solution: Check if allocated size is not too big. (King)
+
+diff --git a/src/undo.c b/src/undo.c
+index ba7c0b83c..5b953795e 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -1423,7 +1423,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
+ {
+ int i;
+ u_entry_T *uep;
+- char_u **array;
++ char_u **array = NULL;
+ char_u *line;
+ int line_len;
+
+@@ -1440,7 +1440,8 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
+ uep->ue_size = undo_read_4c(bi);
+ if (uep->ue_size > 0)
+ {
+- array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
++ if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
++ array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
+ if (array == NULL)
+ {
+ *error = TRUE;
+@@ -1448,8 +1449,6 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
+ }
+ vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
+ }
+- else
+- array = NULL;
+ uep->ue_array = array;
+
+ for (i = 0; i < uep->ue_size; ++i)
+diff --git a/src/version.c b/src/version.c
+index c79020b21..026b82981 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -1733,6 +1733,8 @@ static char *(features[]) =
+ static char *(extra_patches[]) =
+ { /* Add your patch description below this line */
+ /**/
++ "8.0.0378",
++/**/
+ "8.0.0377",
+ /**/
+ "8.0.0322",
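Review bot: The bound `uep->ue_size < LONG_MAX / (int)sizeof(char_u *)` in unserialize_uep only bites on targets where long is 32 bits: `ue_size` is an int, and on LP64 `LONG_MAX / 8` exceeds INT_MAX, so every positive count passes the check, which is still safe there because the `sizeof(char_u *) * uep->ue_size` product of an int cannot exceed a 64-bit size_t. That asymmetry is not obvious from the line and invites a well-meaning "cleanup" that weakens it on 32-bit builds, so it deserves a comment such as `/* Guard the size_t multiplication below on 32-bit long targets; on LP64 an int count cannot overflow it, so the check is a no-op there by design. */`. The `(int)` cast on the sizeof is also unnecessary, since both operands are promoted to long for the comparison regardless; `LONG_MAX / (long)sizeof(char_u *)` would match the wording used by 8.0.0377 for the same check. unserialize_uep begins and ends outside this hunk, and the reviewed file is an embedded upstream patch rather than the source itself.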

