
Bug#860242: marked as done (unblock: neovim/0.1.7-4)



Your message dated Thu, 20 Apr 2017 05:46:00 +0000
with message-id <8dead053-2642-3250-64e3-1cfc7f2371af@thykier.net>
and subject line Re: Bug#860242: unblock: neovim/0.1.7-4
has caused the Debian Bug report #860242,
regarding unblock: neovim/0.1.7-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860242: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860242
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package neovim

This upload includes fixes for CVE-2017-{5953,6349,6350}.

unblock neovim/0.1.7-4

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for neovim-0.1.7 neovim-0.1.7

 changelog                                                           |    9 ++
 patches/0001-debcherry-fixup-patch.patch                            |   32 +++++++-
 patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch           |    4 -
 patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch |    4 -
 patches/0004-vim-patch-8.0.0377.patch                               |   38 ++++++++++
 patches/0005-vim-patch-8.0.0378.patch                               |   37 +++++++++
 patches/series                                                      |    2 
 7 files changed, 118 insertions(+), 8 deletions(-)

diff -Nru neovim-0.1.7/debian/changelog neovim-0.1.7/debian/changelog
--- neovim-0.1.7/debian/changelog	2017-01-16 07:18:35.000000000 -0500
+++ neovim-0.1.7/debian/changelog	2017-04-10 08:15:38.000000000 -0400
@@ -1,3 +1,12 @@
+neovim (0.1.7-4) unstable; urgency=high
+
+  * Cherry-pick b338bb9d & 4af6c608 from upstream to fix buffer overflow if a
+    spellfile has an invalid length in it.  (CVE-2017-5953)
+  * Cherry-pick fb66a7c6 & ad66826a from upstream to fix buffer overflows when
+    reading corrupted undo files.  (CVE-2017-6349 & CVE-2017-6350)
+
+ -- James McCoy <jamessan@debian.org>  Mon, 10 Apr 2017 08:15:38 -0400
+
 neovim (0.1.7-3) unstable; urgency=medium
 
   * Disable global_spec.lua since it's rather flaky.
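Review bot: the CVE-to-patch mapping for CVE-2017-5953 is not recoverable from this entry. The changelog credits upstream commits b338bb9d & 4af6c608 for the spellfile fix, but in this debdiff the src/nvim/spell.c change is folded into patches/0001-debcherry-fixup-patch.patch (whose header names 53bde37a and aa0c704e instead) rather than shipped as its own numbered vim-patch like the two undo.c fixes. Either carry the spell.c change as a dedicated patch or state in the changelog which patch file contains it, so each CVE line can be matched to exactly one patch during review.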
diff -Nru neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch
--- neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch	2017-01-16 07:18:35.000000000 -0500
+++ neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch	2017-04-10 08:15:38.000000000 -0400
@@ -1,8 +1,12 @@
-From 2ef123279cbff7afeb5546992dc34c902664b4db Mon Sep 17 00:00:00 2001
+From 5a06ba6f8d7c464ec319eac1a805575849203371 Mon Sep 17 00:00:00 2001
 From: James McCoy <jamessan@jamessan.com>
-Date: Mon, 16 Jan 2017 07:19:41 -0500
-Subject: [PATCH 1/3] debcherry fixup patch
+Date: Mon, 10 Apr 2017 08:16:34 -0400
+Subject: [PATCH 1/5] debcherry fixup patch
 
+53bde37a vim-patch:8.0.0376
+	 - no changes against upstream or conflicts
+aa0c704e vim-patch:8.0.0322
+	 - extra changes or conflicts
 7b3fc809 out_data_decide_throttle(): timeout instead of hard limit.
 	 - no changes against upstream or conflicts
 443f0387 out_data_decide_throttle(): Avoid too-small final chunk.
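Review bot: the new `aa0c704e vim-patch:8.0.0322` entry is annotated only with "extra changes or conflicts", which leaves the deviation from upstream undocumented at the one place a reviewer looks for it. Since this fixup patch is where the security-relevant spell.c hunk lands, list what was changed relative to the upstream commit (file and reason) under that line, as the other entries do with "no changes against upstream or conflicts".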
@@ -22,11 +26,12 @@
  src/nvim/main.c                       |   2 +-
  src/nvim/memory.c                     |  31 ++++---
  src/nvim/os/shell.c                   | 147 ++++++++++++++++++++++++++++++++--
+ src/nvim/spell.c                      |   6 +-
  test/functional/eval/execute_spec.lua |  17 ++--
  test/functional/terminal/helpers.lua  |   1 +
  test/functional/ui/output_spec.lua    |  21 +++++
  test/functional/ui/screen.lua         |  47 ++++++++---
- 10 files changed, 235 insertions(+), 49 deletions(-)
+ 11 files changed, 240 insertions(+), 50 deletions(-)
 
 diff --git a/runtime/doc/various.txt b/runtime/doc/various.txt
 index a1bf379d..3c147244 100644
@@ -353,6 +358,25 @@
    if (cnt) {
      rbuffer_consumed(buf, cnt);
    }
+diff --git a/src/nvim/spell.c b/src/nvim/spell.c
+index 7119ac6d..7dc9eb05 100644
+--- a/src/nvim/spell.c
++++ b/src/nvim/spell.c
+@@ -3589,9 +3589,13 @@ spell_read_tree (
+ 
+   // The tree size was computed when writing the file, so that we can
+   // allocate it as one long block. <nodecount>
+-  int len = get4c(fd);
++  long len = get4c(fd);
+   if (len < 0)
+     return SP_TRUNCERROR;
++  if ((size_t)len >= SIZE_MAX / sizeof(int)) {
++    // Invalid length, multiply with sizeof(int) would overflow.
++    return SP_FORMERROR;
++  }
+   if (len > 0) {
+     // Allocate the byte array.
+     bp = xmalloc(len);
 diff --git a/test/functional/eval/execute_spec.lua b/test/functional/eval/execute_spec.lua
 index b5b48143..fc13c0a7 100644
 --- a/test/functional/eval/execute_spec.lua
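Review bot: the guard `if ((size_t)len >= SIZE_MAX / sizeof(int))` protects a `len * sizeof(int)` product, but the only allocation visible in this hunk is `bp = xmalloc(len);`, so the multiplication it is meant to cover lies outside the shown context; extend the hunk or the comment to name the `sizeof(int)`-sized allocation it guards so the check can be verified against its use. Also, `SIZE_MAX` needs `<stdint.h>`: patch 0004 adds that include to undo.c, whereas this spell.c hunk adds none, so confirm spell.c already includes it (or add it here) to avoid a build failure that only shows up on some toolchains.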
diff -Nru neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch
--- neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch	2017-01-16 07:18:35.000000000 -0500
+++ neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch	2017-04-10 08:15:38.000000000 -0400
@@ -1,7 +1,7 @@
-From 867ed903bffe6befb44208a34c8084db4ea44497 Mon Sep 17 00:00:00 2001
+From e54118bdb9165d11ebe6250ab08ff2e4b85e29d2 Mon Sep 17 00:00:00 2001
 From: "Justin M. Keyes" <justinkz@gmail.com>
 Date: Wed, 7 Dec 2016 14:01:51 +0100
-Subject: [PATCH 2/3] test: Handle SIGHUP in tty-test fixture.
+Subject: [PATCH 2/5] test: Handle SIGHUP in tty-test fixture.
 
 Closes #5727
 ---
diff -Nru neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch
--- neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch	2017-01-16 07:18:35.000000000 -0500
+++ neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch	2017-04-10 08:15:38.000000000 -0400
@@ -1,7 +1,7 @@
-From 630b72431209463f105435aae491818cf53a2ac7 Mon Sep 17 00:00:00 2001
+From d3babd790b7f67fa6ba590877961d49ae6e76826 Mon Sep 17 00:00:00 2001
 From: "Justin M. Keyes" <justinkz@gmail.com>
 Date: Mon, 3 Oct 2016 10:46:11 +0200
-Subject: [PATCH 3/3] tui: "backpressure": Drop messages to avoid flooding.
+Subject: [PATCH 3/5] tui: "backpressure": Drop messages to avoid flooding.
 
 Closes #1234
 
diff -Nru neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch
--- neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch	1969-12-31 19:00:00.000000000 -0500
+++ neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch	2017-04-10 08:15:38.000000000 -0400
@@ -0,0 +1,38 @@
+From 6e3b7e649e7b1e7c2158fdc03f6a9aa02583dcf1 Mon Sep 17 00:00:00 2001
+From: James McCoy <jamessan@jamessan.com>
+Date: Sat, 8 Apr 2017 21:22:11 -0400
+Subject: [PATCH 4/5] vim-patch:8.0.0377
+
+Problem:    Possible overflow when reading corrupted undo file.
+Solution:   Check if allocated size is not too big. (King)
+
+https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c
+
+CVE-2017-6349
+---
+ src/nvim/undo.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/nvim/undo.c b/src/nvim/undo.c
+index 4d56046b..11f4d556 100644
+--- a/src/nvim/undo.c
++++ b/src/nvim/undo.c
+@@ -76,6 +76,7 @@
+ #include <inttypes.h>
+ #include <limits.h>
+ #include <stdbool.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <fcntl.h>
+ 
+@@ -1403,7 +1404,9 @@ void u_read_undo(char *name, char_u *hash, char_u *orig_name)
+   // sequence numbers of the headers.
+   // When there are no headers uhp_table is NULL.
+   if (num_head > 0) {
+-    uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *));
++    if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) {
++      uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table));
++    }
+   }
+ 
+   long num_read_uhps = 0;
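Review bot: when the check `if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table))` fails, control falls through with `num_head > 0` and `uhp_table` left unassigned (the comment above says it is NULL only "when there are no headers"), so the code that later reads `num_head` headers into the table must cope with a NULL table and the fix relies on an earlier initialisation not shown in this hunk. A `num_head` this large is by definition a corrupt undo file, so prefer treating the failed check as a corruption error and bailing out of u_read_undo on its existing error path rather than continuing silently with an inconsistent count/table pair.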
diff -Nru neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch
--- neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch	1969-12-31 19:00:00.000000000 -0500
+++ neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch	2017-04-10 08:15:38.000000000 -0400
@@ -0,0 +1,37 @@
+From 64dd432e3e136a559d5959bc91504375f01e027d Mon Sep 17 00:00:00 2001
+From: James McCoy <jamessan@jamessan.com>
+Date: Sat, 8 Apr 2017 21:56:02 -0400
+Subject: [PATCH 5/5] vim-patch:8.0.0378
+
+Problem:    Another possible overflow when reading corrupted undo file.
+Solution:   Check if allocated size is not too big. (King)
+
+https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75
+
+CVE-2017-6350
+---
+ src/nvim/undo.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/nvim/undo.c b/src/nvim/undo.c
+index 11f4d556..d1a0bfdf 100644
+--- a/src/nvim/undo.c
++++ b/src/nvim/undo.c
+@@ -970,12 +970,12 @@ static u_entry_T *unserialize_uep(bufinfo_T * bi, bool *error,
+   uep->ue_lcount = undo_read_4c(bi);
+   uep->ue_size = undo_read_4c(bi);
+ 
+-  char_u **array;
++  char_u **array = NULL;
+   if (uep->ue_size > 0) {
+-    array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
+-    memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
+-  } else {
+-    array = NULL;
++    if ((size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)) {
++      array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
++      memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
++    }
+   }
+   uep->ue_array = array;
+ 
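Review bot: same gap as in 0004: when `(size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)` is false, `array` stays NULL but `uep->ue_size` keeps its oversized value and `*error` is never set, so the caller receives an entry that claims `ue_size` lines with no backing array. Since the function already takes `bool *error` for this purpose, set `*error = true` and return before `uep->ue_array = array;` so the corrupt file is rejected outright instead of relying on every consumer of `ue_array` to check NULL against a non-zero `ue_size`.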
diff -Nru neovim-0.1.7/debian/patches/series neovim-0.1.7/debian/patches/series
--- neovim-0.1.7/debian/patches/series	2017-01-16 07:18:35.000000000 -0500
+++ neovim-0.1.7/debian/patches/series	2017-04-10 08:15:38.000000000 -0400
@@ -2,3 +2,5 @@
 0001-debcherry-fixup-patch.patch
 0002-test-Handle-SIGHUP-in-tty-test-fixture.patch
 0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch
+0004-vim-patch-8.0.0377.patch
+0005-vim-patch-8.0.0378.patch

--- End Message ---
--- Begin Message ---
James McCoy:
> On Thu, Apr 13, 2017 at 08:13:31AM -0400, James McCoy wrote:
>> Please unblock package neovim
>>
>> This upload includes fixes for CVE-2017-{5953,6349,6350}.
>>
>> unblock neovim/0.1.7-4
> 
> Ping?
> 
>> [...]
> 
> Cheers,
> 

Thanks for the ping.

Unblocked, thanks.

~Niels

--- End Message ---