Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
This upload would fix two no-dsa CVEs (CVE-2017-6349, CVE-2017-6350) for
Vim. Debdiff attached.
-- System Information:
Debian Release: 9.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for vim-7.4.488 vim-7.4.488
changelog|8 +
patches/series |2 +
patches/upstream/v8-0-0377.patch | 45
patches/upstream/v8-0-0378.patch | 54 +++
4 files changed, 109 insertions(+)
diff -Nru vim-7.4.488/debian/changelog vim-7.4.488/debian/changelog
--- vim-7.4.488/debian/changelog2017-02-12 20:02:50.0 -0500
+++ vim-7.4.488/debian/changelog2017-03-06 23:52:28.0 -0500
@@ -1,3 +1,11 @@
+vim (2:7.4.488-7+deb8u3) jessie; urgency=medium
+
+ * Backport upstream patches v8.0.0377 & v8.0.0378, to fix buffer overflows
+when reading corrupted undo files. (Closes: #856266, CVE-2017-6349,
+CVE-2017-6350)
+
+ -- James McCoy Mon, 06 Mar 2017 23:52:28 -0500
+
vim (2:7.4.488-7+deb8u2) jessie-security; urgency=high
* Backport patch 8.0.0322 to fix a buffer overflow if a spellfile has an
diff -Nru vim-7.4.488/debian/patches/series vim-7.4.488/debian/patches/series
--- vim-7.4.488/debian/patches/series 2017-02-12 19:59:43.0 -0500
+++ vim-7.4.488/debian/patches/series 2017-03-06 23:46:47.0 -0500
@@ -10,3 +10,5 @@
debian/extra-tex-detection.patch
upstream/v8-0-0056.patch
upstream/v8-0-0322.patch
+upstream/v8-0-0377.patch
+upstream/v8-0-0378.patch
diff -Nru vim-7.4.488/debian/patches/upstream/v8-0-0377.patch
vim-7.4.488/debian/patches/upstream/v8-0-0377.patch
--- vim-7.4.488/debian/patches/upstream/v8-0-0377.patch 1969-12-31
19:00:00.0 -0500
+++ vim-7.4.488/debian/patches/upstream/v8-0-0377.patch 2017-03-06
23:51:37.0 -0500
@@ -0,0 +1,45 @@
+commit 3eb1637b1bba19519885dd6d377bd5596e91d22c
+Author: Bram Moolenaar
+Date: Sun Feb 26 18:11:36 2017 +0100
+
+patch 8.0.0377: possible overflow when reading corrupted undo file
+
+Problem:Possible overflow when reading corrupted undo file.
+Solution: Check if allocated size is not too big. (King)
+
+diff --git a/src/undo.c b/src/undo.c
+index b69f31872..ba7c0b83c 100644
+--- a/src/undo.c
b/src/undo.c
+@@ -1836,7 +1836,7 @@ u_read_undo(char_u *name, char_u *hash, char_u
*orig_name)
+ linenr_T line_lnum;
+ colnr_T line_colnr;
+ linenr_T line_count;
+-int num_head = 0;
++long num_head = 0;
+ long old_header_seq, new_header_seq, cur_header_seq;
+ long seq_last, seq_cur;
+ long last_save_nr = 0;
+@@ -2023,7 +2023,8 @@ u_read_undo(char_u *name, char_u *hash, char_u
*orig_name)
+ * When there are no headers uhp_table is NULL. */
+ if (num_head > 0)
+ {
+- uhp_table = (u_header_T **)U_ALLOC_LINE(
++ if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
++ uhp_table = (u_header_T **)U_ALLOC_LINE(
+num_head * sizeof(u_header_T *));
+ if (uhp_table == NULL)
+ goto error;
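Review bot: The rejection path for an oversized `num_head` is implicit: when the added guard `if (num_head < LONG_MAX / (long)sizeof(u_header_T *))` is false, `U_ALLOC_LINE` is skipped and the file is only refused if `uhp_table` is still NULL when `if (uhp_table == NULL) goto error;` runs. The declaration of `uhp_table` is outside this hunk (u_read_undo starts and ends outside it), so for this backport onto 7.4.488 it is worth confirming that the variable carries a NULL initializer in that tree. The companion patch v8-0-0378 adds `= NULL` to `array` in unserialize_uep, which suggests the same dependency there. A short comment above the guard would make the intent visible, for example `/* uhp_table stays NULL when num_head is too large; the NULL check below then rejects the undo file */`.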
+diff --git a/src/version.c b/src/version.c
+index 8d1454197..c79020b21 100644
+--- a/src/version.c
b/src/version.c
+@@ -1733,6 +1733,8 @@ static char *(features[]) =
+ static char *(extra_patches[]) =
+ { /* Add your patch description below this line */
+ /**/
++"8.0.0377",
++/**/
+ "8.0.0322",
+ /**/
+ "8.0.0056",
diff -Nru vim-7.4.488/debian/patches/upstream/v8-0-0378.patch
vim-7.4.488/debian/patches/upstream/v8-0-0378.patch
--- vim-7.4.488/debian/patches/upstream/v8-0-0378.patch 1969-12-31
19:00:00.0 -0500
+++ vim-7.4.488/debian/patches/upstream/v8-0-0378.patch 2017-03-06
23:52:12.0 -0500
@@ -0,0 +1,54 @@
+commit 0c8485f0e4931463c0f7986e1ea84a7d79f10c75
+Author: Bram Moolenaar
+Date: Sun Feb 26 18:17:10 2017 +0100
+
+patch 8.0.0378: possible overflow when reading corrupted undo file
+
+Problem:Another possible overflow when reading corrupted undo file.
+Solution: Check if allocated size is not too big. (King)
+
+diff --git a/src/undo.c b/src/undo.c
+index ba7c0b83c..5b953795e 100644
+--- a/src/undo.c
b/src/undo.c
+@@ -1423,7 +1423,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u
*file_name)
+ {
+ int i;
+ u_entry_T *uep;
+-char_u**array;
++char_u**array = NULL;
+ char_u*line;
+ int line_len;
+
+@@ -1440,7 +1440,8 @@ unserialize_uep(bufinfo_T *bi, int