
Bug#877348: marked as done (stretch-pu: package vim/8.0.0197-4+deb9u1)



Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #877348,
regarding stretch-pu: package vim/8.0.0197-4+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
877348: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877348
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

* Backport upstream patches to fix CVE-2017-11109  (Closes: #867720)
  + 8.0.0703: Illegal memory access with empty :doau command
  + 8.0.0706: Crash when cancelling the cmdline window in Ex mode
  + 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for vim-8.0.0197 vim-8.0.0197

 changelog                                                                        |    9 +
 patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch   |    2 
 patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch      |    2 
 patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch   |    2 
 patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch     |    6 
 patches/series                                                                   |    3 
 patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch     |    4 
 patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch    |    6 
 patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch       |    2 
 patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch |   69 ++++++++++
 patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch |   42 ++++++
 patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch |   40 +++++
 12 files changed, 175 insertions(+), 12 deletions(-)

diff -Nru vim-8.0.0197/debian/changelog vim-8.0.0197/debian/changelog
--- vim-8.0.0197/debian/changelog	2017-04-23 08:10:29.000000000 -0400
+++ vim-8.0.0197/debian/changelog	2017-09-30 14:21:38.000000000 -0400
@@ -1,3 +1,12 @@
+vim (2:8.0.0197-4+deb9u1) stretch; urgency=medium
+
+  * Backport upstream patches to fix CVE-2017-11109  (Closes: #867720)
+    + 8.0.0703: Illegal memory access with empty :doau command
+    + 8.0.0706: Crash when cancelling the cmdline window in Ex mode
+    + 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands
+
+ -- James McCoy <jamessan@debian.org>  Sat, 30 Sep 2017 14:21:38 -0400
+
 vim (2:8.0.0197-4) unstable; urgency=medium
 
   * Backport upstream patch v8.0.0550 to fix a regression in tag lookups for
diff -Nru vim-8.0.0197/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch vim-8.0.0197/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
--- vim-8.0.0197/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch	2017-04-23 08:10:29.000000000 -0400
+++ vim-8.0.0197/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch	2017-09-30 14:21:38.000000000 -0400
@@ -13,7 +13,7 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/runtime/filetype.vim b/runtime/filetype.vim
-index 9c9c808b4..13e2c0479 100644
+index 9c9c808..13e2c04 100644
 --- a/runtime/filetype.vim
 +++ b/runtime/filetype.vim
 @@ -2227,7 +2227,7 @@ func! s:FTtex()
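
Review bot: the only change in this hunk is the abbreviated blob hash on the `index` line (9 hex digits to 7), and the same refresh-only churn repeats in the other six pre-existing patch files listed in the diffstat. None of it is mentioned in the changelog entry, which lists only the three backports. For a stable update, either leave the existing patches untouched so the debdiff contains just the CVE fix, or add a changelog line saying the patches were refreshed with no functional change.
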
diff -Nru vim-8.0.0197/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch vim-8.0.0197/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
--- vim-8.0.0197/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch	2017-04-23 08:10:29.000000000 -0400
+++ vim-8.0.0197/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch	2017-09-30 14:21:38.000000000 -0400
@@ -8,7 +8,7 @@
  1 file changed, 8 insertions(+)
 
 diff --git a/runtime/scripts.vim b/runtime/scripts.vim
-index 276382808..d3101c6b7 100644
+index 2763828..d3101c6 100644
 --- a/runtime/scripts.vim
 +++ b/runtime/scripts.vim
 @@ -332,6 +332,14 @@ else
diff -Nru vim-8.0.0197/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch vim-8.0.0197/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
--- vim-8.0.0197/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch	2017-04-23 08:10:29.000000000 -0400
+++ vim-8.0.0197/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch	2017-09-30 14:21:38.000000000 -0400
@@ -15,7 +15,7 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
-index 88dca60b7..2520cc3d6 100644
+index 88dca60..2520cc3 100644
 --- a/runtime/doc/options.txt
 +++ b/runtime/doc/options.txt
 @@ -5126,7 +5126,7 @@ A jump table for the options with a short description can be found at |Q_op|.
diff -Nru vim-8.0.0197/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch vim-8.0.0197/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
--- vim-8.0.0197/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch	2017-04-23 08:10:29.000000000 -0400
+++ vim-8.0.0197/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch	2017-09-30 14:21:38.000000000 -0400
@@ -17,7 +17,7 @@
  3 files changed, 19 insertions(+), 1 deletion(-)
 
 diff --git a/src/main.c b/src/main.c
-index f3c471a85..0d7de4f2c 100644
+index f3c471a..0d7de4f 100644
 --- a/src/main.c
 +++ b/src/main.c
 @@ -1729,6 +1729,10 @@ parse_command_name(mparm_T *parmp)
@@ -56,7 +56,7 @@
  	    {
  		/* When no .vimrc file was found: source defaults.vim. */
 diff --git a/src/os_unix.h b/src/os_unix.h
-index d28aa4dde..3a00e05df 100644
+index d28aa4d..3a00e05 100644
 --- a/src/os_unix.h
 +++ b/src/os_unix.h
 @@ -213,6 +213,9 @@ typedef struct dsc$descriptor   DESC;
@@ -70,7 +70,7 @@
  # define SYS_VIMRC_FILE "$VIM/vimrc"
  #endif
 diff --git a/src/structs.h b/src/structs.h
-index 9c0e0468b..988ce660f 100644
+index 9c0e046..988ce66 100644
 --- a/src/structs.h
 +++ b/src/structs.h
 @@ -3261,6 +3261,9 @@ typedef struct
diff -Nru vim-8.0.0197/debian/patches/series vim-8.0.0197/debian/patches/series
--- vim-8.0.0197/debian/patches/series	2017-04-23 08:10:29.000000000 -0400
+++ vim-8.0.0197/debian/patches/series	2017-09-30 14:21:38.000000000 -0400
@@ -10,3 +10,6 @@
 upstream/patch-8.0.0378-possible-overflow-when-reading-corrupted-u.patch
 upstream/patch-8.0.0550-cannot-parse-some-etags-format-tags-file.patch
 upstream/Update-releases-in-deb-changelog-sources-syntax-files.patch
+upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch
+upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch
+upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch
diff -Nru vim-8.0.0197/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch vim-8.0.0197/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch
--- vim-8.0.0197/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch	2017-04-23 08:10:29.000000000 -0400
+++ vim-8.0.0197/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch	2017-09-30 14:21:38.000000000 -0400
@@ -8,7 +8,7 @@
  2 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/runtime/syntax/debchangelog.vim b/runtime/syntax/debchangelog.vim
-index a10e4ad34..eb02aaf4a 100644
+index a10e4ad..eb02aaf 100644
 --- a/runtime/syntax/debchangelog.vim
 +++ b/runtime/syntax/debchangelog.vim
 @@ -3,7 +3,7 @@
@@ -30,7 +30,7 @@
  syn match debchangelogCloses	contained "closes:\_s*\(bug\)\=#\=\_s\=\d\+\(,\_s*\(bug\)\=#\=\_s\=\d\+\)*"
  syn match debchangelogLP	contained "\clp:\s\+#\d\+\(,\s*#\d\+\)*"
 diff --git a/runtime/syntax/debsources.vim b/runtime/syntax/debsources.vim
-index 277794497..390c43035 100644
+index 2777944..390c430 100644
 --- a/runtime/syntax/debsources.vim
 +++ b/runtime/syntax/debsources.vim
 @@ -2,7 +2,7 @@
diff -Nru vim-8.0.0197/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch vim-8.0.0197/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch
--- vim-8.0.0197/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch	2017-04-23 08:10:29.000000000 -0400
+++ vim-8.0.0197/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch	2017-09-30 14:21:38.000000000 -0400
@@ -8,7 +8,7 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/runtime/syntax/debcontrol.vim b/runtime/syntax/debcontrol.vim
-index b52c496c9..b1bc9f8bf 100644
+index b52c496..b1bc9f8 100644
 --- a/runtime/syntax/debcontrol.vim
 +++ b/runtime/syntax/debcontrol.vim
 @@ -38,7 +38,7 @@ unlet s:kernels s:archs s:pairs
diff -Nru vim-8.0.0197/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch vim-8.0.0197/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch
--- vim-8.0.0197/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch	1969-12-31 19:00:00.000000000 -0500
+++ vim-8.0.0197/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch	2017-09-30 14:21:38.000000000 -0400
@@ -0,0 +1,69 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 9 Jul 2017 11:07:16 +0200
+Subject: patch 8.0.0703: illegal memory access with empty :doau command
+
+Problem:    Illegal memory access with empty :doau command.
+Solution:   Check the event for being out of range. (James McCoy)
+---
+ src/fileio.c                 | 7 ++++---
+ src/testdir/test_autocmd.vim | 4 ++++
+ src/version.c                | 2 ++
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/fileio.c b/src/fileio.c
+index aeb53b5..d305c82 100644
+--- a/src/fileio.c
++++ b/src/fileio.c
+@@ -8790,7 +8790,7 @@ do_doautocmd(
+     /*
+      * Loop over the events.
+      */
+-    while (*arg && !vim_iswhite(*arg))
++    while (*arg && !ends_excmd(*arg) && !vim_iswhite(*arg))
+ 	if (apply_autocmds_group(event_name2nr(arg, &arg),
+ 				      fname, NULL, TRUE, group, curbuf, NULL))
+ 	    nothing_done = FALSE;
+@@ -9306,7 +9306,8 @@ apply_autocmds_group(
+      * Quickly return if there are no autocommands for this event or
+      * autocommands are blocked.
+      */
+-    if (first_autopat[(int)event] == NULL || autocmd_blocked > 0)
++    if (event == NUM_EVENTS || first_autopat[(int)event] == NULL
++	    || autocmd_blocked > 0)
+ 	goto BYPASS_AU;
+ 
+     /*
+@@ -9379,7 +9380,7 @@ apply_autocmds_group(
+     {
+ 	if (event == EVENT_COLORSCHEME || event == EVENT_OPTIONSET)
+ 	    autocmd_fname = NULL;
+-	else if (fname != NULL && *fname != NUL)
++	else if (fname != NULL && !ends_excmd(*fname))
+ 	    autocmd_fname = fname;
+ 	else if (buf != NULL)
+ 	    autocmd_fname = buf->b_ffname;
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 566a07c..2a783f4 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -341,3 +341,7 @@ func Test_BufEnter()
+   call delete('Xdir', 'd')
+   au! BufEnter
+ endfunc
++
++func Test_empty_doau()
++  doau \|
++endfunc
+diff --git a/src/version.c b/src/version.c
+index b10438e..6781ef2 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+ /**/
++    703,
++/**/
+     550,
+ /**/
+     378,
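
Review bot: in the `apply_autocmds_group` change, the new guard is `event == NUM_EVENTS`, while the commit message describes it as checking the event "for being out of range". An equality test protects `first_autopat[(int)event]` from that one value only; consider `event >= NUM_EVENTS`, or a short comment stating that NUM_EVENTS is the only out-of-range value a caller can pass. The third fileio.c change, `*fname != NUL` to `!ends_excmd(*fname)`, is not covered by the Problem/Solution text and deserves a sentence there, and `Test_empty_doau` exercises only the `doau \|` form.
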
diff -Nru vim-8.0.0197/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch vim-8.0.0197/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch
--- vim-8.0.0197/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch	1969-12-31 19:00:00.000000000 -0500
+++ vim-8.0.0197/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch	2017-09-30 14:21:38.000000000 -0400
@@ -0,0 +1,42 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 11 Jul 2017 15:11:57 +0200
+Subject: patch 8.0.0706: crash when cancelling the cmdline window in Ex mode
+
+Problem:    Crash when cancelling the cmdline window in Ex mode. (James McCoy)
+Solution:   Do not set cmdbuff to NULL, make it empty.
+---
+ src/ex_getln.c | 6 ++++++
+ src/version.c  | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 581c444..f0a4329 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -7003,7 +7003,13 @@ ex_window(void)
+ 	else
+ 	    ccline.cmdbuff = vim_strsave(ml_get_curline());
+ 	if (ccline.cmdbuff == NULL)
++	{
++	    ccline.cmdbuff = vim_strsave((char_u *)"");
++	    ccline.cmdlen = 0;
++	    ccline.cmdbufflen = 1;
++	    ccline.cmdpos = 0;
+ 	    cmdwin_result = Ctrl_C;
++	}
+ 	else
+ 	{
+ 	    ccline.cmdlen = (int)STRLEN(ccline.cmdbuff);
+diff --git a/src/version.c b/src/version.c
+index 6781ef2..6986625 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+ /**/
++    706,
++/**/
+     703,
+ /**/
+     550,
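
Review bot: in the new `if (ccline.cmdbuff == NULL)` block, the result of `vim_strsave((char_u *)"")` is not checked, although the `vim_strsave` call two lines above it is. If this second call also returns NULL, `ccline.cmdbufflen` is set to 1 with `ccline.cmdbuff` still NULL, which is the state the Solution line says to avoid. Consider checking the result, or adding a comment on why a NULL here is safe. No test accompanies this change, unlike patch 8.0.0703; a regression test for cancelling the cmdline window in Ex mode would help.
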
diff -Nru vim-8.0.0197/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch vim-8.0.0197/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch
--- vim-8.0.0197/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch	1969-12-31 19:00:00.000000000 -0500
+++ vim-8.0.0197/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch	2017-09-30 14:21:38.000000000 -0400
@@ -0,0 +1,40 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 11 Jul 2017 18:28:46 +0200
+Subject: patch 8.0.0707: freeing wrong memory with certain autocommands
+
+Problem:    Freeing wrong memory when manipulating buffers in autocommands.
+            (James McCoy)
+Solution:   Also set the w_s pointer if w_buffer was NULL.
+---
+ src/ex_cmds.c | 4 ++--
+ src/version.c | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 00cac92..628d27b 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -3967,8 +3967,8 @@ do_ecmd(
+ 		     * <VN> We could instead free the synblock
+ 		     * and re-attach to buffer, perhaps.
+ 		     */
+-		    if (curwin->w_buffer != NULL
+-			    && curwin->w_s == &(curwin->w_buffer->b_s))
++		    if (curwin->w_buffer == NULL
++			    || curwin->w_s == &(curwin->w_buffer->b_s))
+ 			curwin->w_s = &(buf->b_s);
+ #endif
+ 		    curwin->w_buffer = buf;
+diff --git a/src/version.c b/src/version.c
+index 6986625..59ef8b2 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+ /**/
++    707,
++/**/
+     706,
+ /**/
+     703,
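
Review bot: the condition in `do_ecmd` now takes the assignment when `curwin->w_buffer == NULL`, but the comment above it still only discusses freeing and re-attaching the synblock. Add a line there saying when `w_buffer` can be NULL at this point (the commit message points at autocommands manipulating buffers), so the `||` is not later changed back to the `&&` form. The patch also touches only src/ex_cmds.c and src/version.c; a regression test like the one added in 8.0.0703 is missing.
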
diff -Nru vim-8.0.0197/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch vim-8.0.0197/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
--- vim-8.0.0197/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch	2017-04-23 08:10:29.000000000 -0400
+++ vim-8.0.0197/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch	2017-09-30 14:21:38.000000000 -0400
@@ -23,7 +23,7 @@
  3 files changed, 19 insertions(+)
 
 diff --git a/src/config.h.in b/src/config.h.in
-index 38b0ccf53..ab8f20207 100644
+index 38b0ccf..ab8f202 100644
 --- a/src/config.h.in
 +++ b/src/config.h.in
 @@ -30,6 +30,9 @@
@@ -37,7 +37,7 @@
  #undef HAVE_ATTRIBUTE_UNUSED
  
 diff --git a/src/configure.ac b/src/configure.ac
-index 1706a8d9a..9cf8b9615 100644
+index 1706a8d..9cf8b96 100644
 --- a/src/configure.ac
 +++ b/src/configure.ac
 @@ -29,6 +29,16 @@ dnl in autoconf needs it, where it uses STDC_HEADERS.
@@ -58,7 +58,7 @@
  
  AC_MSG_CHECKING(--enable-fail-if-missing argument)
 diff --git a/src/version.c b/src/version.c
-index 71c04506f..dacb42db0 100644
+index 71c0450..dacb42d 100644
 --- a/src/version.c
 +++ b/src/version.c
 @@ -44,11 +44,17 @@ make_version(void)

--- End Message ---
--- Begin Message ---
Version: 9.2

Hi.

The updates referenced by each of these bugs were included in today's
point release of stretch.

Regards,

Adam

--- End Message ---
