--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package vim/2:7.4.488-7+deb8u3
- From: James McCoy <jamessan@debian.org>
- Date: Tue, 07 Mar 2017 08:02:53 -0500
- Message-id: <148889177378.771.17667935128101842326.reportbug@freya.jamessan.com>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
This upload would fix two no-dsa CVEs (CVE-2017-6349, CVE-2017-6350) for
Vim. Debdiff attached.
-- System Information:
Debian Release: 9.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for vim-7.4.488 vim-7.4.488
changelog | 8 +++++
patches/series | 2 +
patches/upstream/v8-0-0377.patch | 45 ++++++++++++++++++++++++++++++++
patches/upstream/v8-0-0378.patch | 54 +++++++++++++++++++++++++++++++++++++++
4 files changed, 109 insertions(+)
diff -Nru vim-7.4.488/debian/changelog vim-7.4.488/debian/changelog
--- vim-7.4.488/debian/changelog 2017-02-12 20:02:50.000000000 -0500
+++ vim-7.4.488/debian/changelog 2017-03-06 23:52:28.000000000 -0500
@@ -1,3 +1,11 @@
+vim (2:7.4.488-7+deb8u3) jessie; urgency=medium
+
+ * Backport upstream patches v8.0.0377 & v8.0.0378, to fix buffer overflows
+ when reading corrupted undo files. (Closes: #856266, CVE-2017-6349,
+ CVE-2017-6350)
+
+ -- James McCoy <jamessan@debian.org> Mon, 06 Mar 2017 23:52:28 -0500
+
vim (2:7.4.488-7+deb8u2) jessie-security; urgency=high
* Backport patch 8.0.0322 to fix a buffer overflow if a spellfile has an
diff -Nru vim-7.4.488/debian/patches/series vim-7.4.488/debian/patches/series
--- vim-7.4.488/debian/patches/series 2017-02-12 19:59:43.000000000 -0500
+++ vim-7.4.488/debian/patches/series 2017-03-06 23:46:47.000000000 -0500
@@ -10,3 +10,5 @@
debian/extra-tex-detection.patch
upstream/v8-0-0056.patch
upstream/v8-0-0322.patch
+upstream/v8-0-0377.patch
+upstream/v8-0-0378.patch
diff -Nru vim-7.4.488/debian/patches/upstream/v8-0-0377.patch vim-7.4.488/debian/patches/upstream/v8-0-0377.patch
--- vim-7.4.488/debian/patches/upstream/v8-0-0377.patch 1969-12-31 19:00:00.000000000 -0500
+++ vim-7.4.488/debian/patches/upstream/v8-0-0377.patch 2017-03-06 23:51:37.000000000 -0500
@@ -0,0 +1,45 @@
+commit 3eb1637b1bba19519885dd6d377bd5596e91d22c
+Author: Bram Moolenaar <Bram@vim.org>
+Date: Sun Feb 26 18:11:36 2017 +0100
+
+ patch 8.0.0377: possible overflow when reading corrupted undo file
+
+ Problem: Possible overflow when reading corrupted undo file.
+ Solution: Check if allocated size is not too big. (King)
+
+diff --git a/src/undo.c b/src/undo.c
+index b69f31872..ba7c0b83c 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -1836,7 +1836,7 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
+ linenr_T line_lnum;
+ colnr_T line_colnr;
+ linenr_T line_count;
+- int num_head = 0;
++ long num_head = 0;
+ long old_header_seq, new_header_seq, cur_header_seq;
+ long seq_last, seq_cur;
+ long last_save_nr = 0;
+@@ -2023,7 +2023,8 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
+ * When there are no headers uhp_table is NULL. */
+ if (num_head > 0)
+ {
+- uhp_table = (u_header_T **)U_ALLOC_LINE(
++ if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
++ uhp_table = (u_header_T **)U_ALLOC_LINE(
+ num_head * sizeof(u_header_T *));
+ if (uhp_table == NULL)
+ goto error;
+diff --git a/src/version.c b/src/version.c
+index 8d1454197..c79020b21 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -1733,6 +1733,8 @@ static char *(features[]) =
+ static char *(extra_patches[]) =
+ { /* Add your patch description below this line */
+ /**/
++ "8.0.0377",
++/**/
+ "8.0.0322",
+ /**/
+ "8.0.0056",
diff -Nru vim-7.4.488/debian/patches/upstream/v8-0-0378.patch vim-7.4.488/debian/patches/upstream/v8-0-0378.patch
--- vim-7.4.488/debian/patches/upstream/v8-0-0378.patch 1969-12-31 19:00:00.000000000 -0500
+++ vim-7.4.488/debian/patches/upstream/v8-0-0378.patch 2017-03-06 23:52:12.000000000 -0500
@@ -0,0 +1,54 @@
+commit 0c8485f0e4931463c0f7986e1ea84a7d79f10c75
+Author: Bram Moolenaar <Bram@vim.org>
+Date: Sun Feb 26 18:17:10 2017 +0100
+
+ patch 8.0.0378: possible overflow when reading corrupted undo file
+
+ Problem: Another possible overflow when reading corrupted undo file.
+ Solution: Check if allocated size is not too big. (King)
+
+diff --git a/src/undo.c b/src/undo.c
+index ba7c0b83c..5b953795e 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -1423,7 +1423,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
+ {
+ int i;
+ u_entry_T *uep;
+- char_u **array;
++ char_u **array = NULL;
+ char_u *line;
+ int line_len;
+
+@@ -1440,7 +1440,8 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
+ uep->ue_size = undo_read_4c(bi);
+ if (uep->ue_size > 0)
+ {
+- array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
++ if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
++ array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
+ if (array == NULL)
+ {
+ *error = TRUE;
+@@ -1448,8 +1449,6 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
+ }
+ vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
+ }
+- else
+- array = NULL;
+ uep->ue_array = array;
+
+ for (i = 0; i < uep->ue_size; ++i)
+diff --git a/src/version.c b/src/version.c
+index c79020b21..026b82981 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -1733,6 +1733,8 @@ static char *(features[]) =
+ static char *(extra_patches[]) =
+ { /* Add your patch description below this line */
+ /**/
++ "8.0.0378",
++/**/
+ "8.0.0377",
+ /**/
+ "8.0.0322",
--- End Message ---