[vim] 01/02: Backport v8.0.0322, buffer overflow mitigation
James McCoy
jamessan at debian.org
Sun Feb 26 20:12:02 UTC 2017
This is an automated email from the git hooks/post-receive script.
jamessan pushed a commit to branch debian/sid
in repository vim.
commit 679bd6e93858c7585999d86843a24f87c1018bb9
Author: James McCoy <jamessan at debian.org>
Date: Sun Feb 12 18:04:12 2017 -0500
Backport v8.0.0322, buffer overflow mitigation
Signed-off-by: James McCoy <jamessan at debian.org>
---
debian/changelog | 7 ++++
debian/patches/series | 1 +
...ossible-overflow-with-corrupted-spell-fil.patch | 39 ++++++++++++++++++++++
3 files changed, 47 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index a482e64..9f04e66 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+vim (2:8.0.0197-2) UNRELEASED; urgency=high
+
+ * Backport upstream patch v8.0.0322, to fix buffer overflow if a spellfile
+ has an invalid length in it. (Closes: #854969, CVE-2017-5953)
+
+ -- James McCoy <jamessan at debian.org> Sun, 12 Feb 2017 14:41:48 -0500
+
vim (2:8.0.0197-1) unstable; urgency=medium
[ upstream ]
diff --git a/debian/patches/series b/debian/patches/series
index f46b624..d4353ba 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch
upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch
+upstream/patch-8.0.0322-possible-overflow-with-corrupted-spell-fil.patch
diff --git a/debian/patches/upstream/patch-8.0.0322-possible-overflow-with-corrupted-spell-fil.patch b/debian/patches/upstream/patch-8.0.0322-possible-overflow-with-corrupted-spell-fil.patch
new file mode 100644
index 0000000..4e6a728
--- /dev/null
+++ b/debian/patches/upstream/patch-8.0.0322-possible-overflow-with-corrupted-spell-fil.patch
@@ -0,0 +1,39 @@
+From: Bram Moolenaar <Bram at vim.org>
+Date: Thu, 9 Feb 2017 21:07:12 +0100
+Subject: patch 8.0.0322: possible overflow with corrupted spell file
+
+Problem: Possible overflow with spell file where the tree length is
+ corrupted.
+Solution: Check for an invalid length (suggested by shqking)
+---
+ src/spellfile.c | 3 +++
+ src/version.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/spellfile.c b/src/spellfile.c
+index c7d87c6..8b1a3a6 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -1595,6 +1595,9 @@ spell_read_tree(
+ len = get4c(fd);
+ if (len < 0)
+ return SP_TRUNCERROR;
++ if (len >= 0x3ffffff)
++ /* Invalid length, multiply with sizeof(int) would overflow. */
++ return SP_FORMERROR;
+ if (len > 0)
+ {
+ /* Allocate the byte array. */
+diff --git a/src/version.c b/src/version.c
+index dacb42d..c851d87 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 322,
++/**/
+ 197,
+ /**/
+ 196,
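Review bot: In the spell_read_tree() change, the constant in `if (len >= 0x3ffffff)` does not match the comment beneath it. 0x3ffffff is 2^26 - 1, and assuming a 4-byte int, 0x3ffffff * sizeof(int) is 0xffffffc, which still fits in a signed 32-bit int, so the check rejects lengths well below the point where the multiplication would overflow. That errs on the safe side, but the magic number reads like a typo for a larger value. Either say in the comment that the limit is deliberately conservative, or derive it from the type, for example `len >= INT_MAX / (int)sizeof(int)`. The unbraced `if` with a comment between the condition and the `return` is easy to misread, so braces would help. The multiplication itself is outside the visible context, so it is worth confirming which type it is computed in.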
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-vim/vim.git