Bug#857041: jessie-pu: package vim/2:7.4.488-7+deb8u3

2017-03-29 Thread Adam D. Barratt
Control: tags -1 + pending

On Thu, 2017-03-09 at 19:19 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2017-03-07 at 08:02 -0500, James McCoy wrote:
> > This upload would fix two no-dsa CVEs (CVE-2017-6349, CVE-2017-6350) for
> > Vim.  Debdiff attached.
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#857041: jessie-pu: package vim/2:7.4.488-7+deb8u3

2017-03-09 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2017-03-07 at 08:02 -0500, James McCoy wrote:
> This upload would fix two no-dsa CVEs (CVE-2017-6349, CVE-2017-6350) for
> Vim.  Debdiff attached.

Please go ahead.

Regards,

Adam



Bug#857041: jessie-pu: package vim/2:7.4.488-7+deb8u3

2017-03-07 Thread James McCoy
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This upload would fix two no-dsa CVEs (CVE-2017-6349, CVE-2017-6350) for
Vim.  Debdiff attached.

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for vim-7.4.488 vim-7.4.488

 changelog|8 +
 patches/series   |2 +
 patches/upstream/v8-0-0377.patch |   45 
 patches/upstream/v8-0-0378.patch |   54 +++
 4 files changed, 109 insertions(+)

diff -Nru vim-7.4.488/debian/changelog vim-7.4.488/debian/changelog
--- vim-7.4.488/debian/changelog2017-02-12 20:02:50.0 -0500
+++ vim-7.4.488/debian/changelog2017-03-06 23:52:28.0 -0500
@@ -1,3 +1,11 @@
+vim (2:7.4.488-7+deb8u3) jessie; urgency=medium
+
+  * Backport upstream patches v8.0.0377 & v8.0.0378, to fix buffer overflows
+when reading corrupted undo files.  (Closes: #856266, CVE-2017-6349,
+CVE-2017-6350)
+
+ -- James McCoy   Mon, 06 Mar 2017 23:52:28 -0500
+
 vim (2:7.4.488-7+deb8u2) jessie-security; urgency=high
 
   * Backport patch 8.0.0322 to fix a buffer overflow if a spellfile has an
diff -Nru vim-7.4.488/debian/patches/series vim-7.4.488/debian/patches/series
--- vim-7.4.488/debian/patches/series   2017-02-12 19:59:43.0 -0500
+++ vim-7.4.488/debian/patches/series   2017-03-06 23:46:47.0 -0500
@@ -10,3 +10,5 @@
 debian/extra-tex-detection.patch
 upstream/v8-0-0056.patch
 upstream/v8-0-0322.patch
+upstream/v8-0-0377.patch
+upstream/v8-0-0378.patch
diff -Nru vim-7.4.488/debian/patches/upstream/v8-0-0377.patch 
vim-7.4.488/debian/patches/upstream/v8-0-0377.patch
--- vim-7.4.488/debian/patches/upstream/v8-0-0377.patch 1969-12-31 
19:00:00.0 -0500
+++ vim-7.4.488/debian/patches/upstream/v8-0-0377.patch 2017-03-06 
23:51:37.0 -0500
@@ -0,0 +1,45 @@
+commit 3eb1637b1bba19519885dd6d377bd5596e91d22c
+Author: Bram Moolenaar 
+Date:   Sun Feb 26 18:11:36 2017 +0100
+
+patch 8.0.0377: possible overflow when reading corrupted undo file
+
+Problem:Possible overflow when reading corrupted undo file.
+Solution:   Check if allocated size is not too big. (King)
+
+diff --git a/src/undo.c b/src/undo.c
+index b69f31872..ba7c0b83c 100644
+--- a/src/undo.c
 b/src/undo.c
+@@ -1836,7 +1836,7 @@ u_read_undo(char_u *name, char_u *hash, char_u 
*orig_name)
+ linenr_T  line_lnum;
+ colnr_T   line_colnr;
+ linenr_T  line_count;
+-int   num_head = 0;
++long  num_head = 0;
+ long  old_header_seq, new_header_seq, cur_header_seq;
+ long  seq_last, seq_cur;
+ long  last_save_nr = 0;
+@@ -2023,7 +2023,8 @@ u_read_undo(char_u *name, char_u *hash, char_u 
*orig_name)
+  * When there are no headers uhp_table is NULL. */
+ if (num_head > 0)
+ {
+-  uhp_table = (u_header_T **)U_ALLOC_LINE(
++  if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
++  uhp_table = (u_header_T **)U_ALLOC_LINE(
+num_head * sizeof(u_header_T *));
+   if (uhp_table == NULL)
+   goto error;
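Review bot: In the u_read_undo hunk at -2023, the new "if (num_head < LONG_MAX / (long)sizeof(u_header_T *))" guards only the assignment, so when the bound fails uhp_table keeps whatever value it already had and the unchanged "if (uhp_table == NULL) goto error;" is the only rejection path. That is correct only if uhp_table is initialised to NULL at its declaration, which lies outside the visible context; please confirm this holds in the 7.4.488 tree (patch 8.0.0378 adds exactly such an initialiser, "char_u **array = NULL;", for its own guard). If it does not hold, an explicit "else goto error;" is needed here. It is also worth confirming that LONG_MAX is already defined for undo.c in this older tree, since the patch adds no include.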
+diff --git a/src/version.c b/src/version.c
+index 8d1454197..c79020b21 100644
+--- a/src/version.c
 b/src/version.c
+@@ -1733,6 +1733,8 @@ static char *(features[]) =
+ static char *(extra_patches[]) =
+ {   /* Add your patch description below this line */
+ /**/
++"8.0.0377",
++/**/
+ "8.0.0322",
+ /**/
+ "8.0.0056",
diff -Nru vim-7.4.488/debian/patches/upstream/v8-0-0378.patch 
vim-7.4.488/debian/patches/upstream/v8-0-0378.patch
--- vim-7.4.488/debian/patches/upstream/v8-0-0378.patch 1969-12-31 
19:00:00.0 -0500
+++ vim-7.4.488/debian/patches/upstream/v8-0-0378.patch 2017-03-06 
23:52:12.0 -0500
@@ -0,0 +1,54 @@
+commit 0c8485f0e4931463c0f7986e1ea84a7d79f10c75
+Author: Bram Moolenaar 
+Date:   Sun Feb 26 18:17:10 2017 +0100
+
+patch 8.0.0378: possible overflow when reading corrupted undo file
+
+Problem:Another possible overflow when reading corrupted undo file.
+Solution:   Check if allocated size is not too big. (King)
+
+diff --git a/src/undo.c b/src/undo.c
+index ba7c0b83c..5b953795e 100644
+--- a/src/undo.c
 b/src/undo.c
+@@ -1423,7 +1423,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u 
*file_name)
+ {
+ int   i;
+ u_entry_T *uep;
+-char_u**array;
++char_u**array = NULL;
+ char_u*line;
+ int   line_len;
+ 
+@@ -1440,7 +1440,8 @@ unserialize_uep(bufinfo_T *bi, int