Source: vim
Version: 2:7.4.488-7
Severity: important
Tags: patch upstream security

Hi,

the following vulnerabilities were published for vim.

CVE-2017-6349[0]:
| An integer overflow at a u_read_undo memory allocation site would occur
| for vim before patch 8.0.0377, if it does not properly validate values
| for tree length when reading a corrupted undo file, which may lead to
| resultant buffer overflows.

CVE-2017-6350[1]:
| An integer overflow at an unserialize_uep memory allocation site would
| occur for vim before patch 8.0.0378, if it does not properly validate
| values for tree length when reading a corrupted undo file, which may
| lead to resultant buffer overflows.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6349
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6349
[1] https://security-tracker.debian.org/tracker/CVE-2017-6350
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6350

Please adjust the affected versions in the BTS as needed.

I would tend to say this is no-dsa (and thus scheduling a fix for jessie
via a point release), but it would be good to have the fix straight to
stretch as well.

Regards,
Salvatore

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
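The allocation-size bug class both CVE entries describe, as an added example that is not vim's code and does not reproduce vim's undo-file format: a count is read from an untrusted file and multiplied by a per-entry size to get an allocation size. When that product is computed in a 32-bit type it wraps to a small value, the allocation is undersized, and the loop that then reads `count` entries into it overflows the heap. The layout (4-byte big-endian count followed by fixed-size entries), the names `ENTRY_SIZE`, `vulnerable_alloc_bytes`, `checked_alloc_bytes`, `parse_entries`, and the sample buffers are assumptions made for illustration. The hardened version computes in `size_t`, rejects a count the multiplication cannot represent, and rejects a count the remaining file bytes cannot back; the second check is the one that matters on 64-bit hosts, where a 32-bit count times a small entry size never wraps a `size_t` but can still demand gigabytes for a file a few bytes long.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative layout, NOT vim's undo-file format: a 4-byte big-endian
 * entry count followed by that many ENTRY_SIZE-byte entries. */
#define ENTRY_SIZE 16u

struct entry { uint8_t raw[ENTRY_SIZE]; };

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the byte count is computed in a 32-bit type, so any
 * count above UINT32_MAX / ENTRY_SIZE wraps to a small allocation while a
 * read loop would still run 'count' times and write past its end.
 * (Returned rather than allocated so the wrap can be observed safely.) */
uint32_t vulnerable_alloc_bytes(uint32_t count)
{
    return count * ENTRY_SIZE;   /* 0x10000001 * 16 wraps to 16 */
}

/* Hardened: compute in size_t, refuse a count whose product cannot be
 * represented, and refuse a count the remaining file bytes cannot back.
 * Returns 0 and sets *out on success, -1 on a corrupted length field. */
int checked_alloc_bytes(uint32_t count, size_t remaining, size_t *out)
{
    if (count > SIZE_MAX / ENTRY_SIZE)
        return -1;                         /* multiplication would overflow */
    size_t bytes = (size_t)count * ENTRY_SIZE;
    if (bytes > remaining)
        return -1;                         /* file too short for that many */
    *out = bytes;
    return 0;
}

/* Parse 'buf' with the hardened check. Returns the number of entries read
 * (caller frees *entries) or -1 if the buffer is malformed. */
long parse_entries(const uint8_t *buf, size_t len, struct entry **entries)
{
    if (len < 4)
        return -1;
    uint32_t count = read_be32(buf);
    size_t bytes;
    if (checked_alloc_bytes(count, len - 4, &bytes) != 0)
        return -1;
    struct entry *e = malloc(bytes ? bytes : 1);
    if (e == NULL)
        return -1;
    memcpy(e, buf + 4, bytes);            /* bounded by the check above */
    *entries = e;
    return (long)count;
}

int main(void)
{
    /* Constructed sample: a consistent file with two entries. */
    uint8_t good[4 + 2 * ENTRY_SIZE];
    memset(good, 0xAB, sizeof good);
    good[0] = good[1] = good[2] = 0; good[3] = 2;

    /* Constructed sample: a corrupted length of 0x10000001 entries backed by
     * only one entry's worth of bytes. */
    uint8_t bad[4 + ENTRY_SIZE] = { 0x10, 0x00, 0x00, 0x01 };

    struct entry *e = NULL;
    printf("good: %ld entries\n", parse_entries(good, sizeof good, &e));
    free(e);
    printf("bad : %ld (rejected)\n", parse_entries(bad, sizeof bad, &e));
    printf("32-bit size for corrupted count: %u bytes\n",
           vulnerable_alloc_bytes(read_be32(bad)));
    return 0;
}
```

The `vulnerable_alloc_bytes` helper only returns the wrapped size; an actual write loop over that allocation is the heap overflow and is deliberately not performed here.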

