[vim] 01/02: Backport upstream patches 8.0.070{3, 6, 7} for CVE-2017-11109
James McCoy
jamessan at debian.org
Sat Sep 30 23:47:19 UTC 2017
This is an automated email from the git hooks/post-receive script.
jamessan pushed a commit to branch debian/stretch
in repository vim.
commit dd7f8cb937013b8914dafc7aecb23d22efa1e61e
Author: James McCoy <jamessan at debian.org>
Date: Sat Sep 30 14:16:22 2017 -0400
Backport upstream patches 8.0.070{3,6,7} for CVE-2017-11109
Signed-off-by: James McCoy <jamessan at debian.org>
---
debian/changelog | 9 +++
...of-more-LaTeX-commands-for-tex-filetype-d.patch | 2 +-
...t-filetype-using-the-contents-of-the-file.patch | 2 +-
...s-decision-to-disable-modelines-by-defaul.patch | 2 +-
...ng-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch | 6 +-
debian/patches/series | 3 +
...pus-to-deb-changelog-sources-syntax-files.patch | 4 +-
...ing-compilation-date-in-SOURCE_DATE_EPOCH.patch | 6 +-
....vim-Add-sections-for-Rust-and-JavaScript.patch | 2 +-
...llegal-memory-access-with-empty-doau-comm.patch | 69 ++++++++++++++++++++++
...rash-when-cancelling-the-cmdline-window-i.patch | 42 +++++++++++++
...reeing-wrong-memory-with-certain-autocomm.patch | 40 +++++++++++++
12 files changed, 175 insertions(+), 12 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 978762c..b226232 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+vim (2:8.0.0197-4+deb9u1) UNRELEASED; urgency=medium
+
+ * Backport upstream patches to fix CVE-2017-11109 (Closes: #867720)
+ + 8.0.0703: Illegal memory access with empty :doau command
+ + 8.0.0706: Crash when cancelling the cmdline window in Ex mode
+ + 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands
+
+ -- James McCoy <jamessan at debian.org> Sat, 30 Sep 2017 14:15:49 -0400
+
vim (2:8.0.0197-4) unstable; urgency=medium
* Backport upstream patch v8.0.0550 to fix a regression in tag lookups for
diff --git a/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch b/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
index 49027cc..faf3bee 100644
--- a/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
+++ b/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
@@ -13,7 +13,7 @@ Signed-off-by: James McCoy <jamessan at debian.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/runtime/filetype.vim b/runtime/filetype.vim
-index 9c9c808b4..13e2c0479 100644
+index 9c9c808..13e2c04 100644
--- a/runtime/filetype.vim
+++ b/runtime/filetype.vim
@@ -2227,7 +2227,7 @@ func! s:FTtex()
diff --git a/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch b/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
index dca240d..db591e4 100644
--- a/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
+++ b/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
@@ -8,7 +8,7 @@ Closes: #382541
1 file changed, 8 insertions(+)
diff --git a/runtime/scripts.vim b/runtime/scripts.vim
-index 276382808..d3101c6b7 100644
+index 2763828..d3101c6 100644
--- a/runtime/scripts.vim
+++ b/runtime/scripts.vim
@@ -332,6 +332,14 @@ else
diff --git a/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch b/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
index 26ea6c5..d8a8f12 100644
--- a/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
+++ b/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
@@ -15,7 +15,7 @@ Signed-off-by: James McCoy <jamessan at debian.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
-index 88dca60b7..2520cc3d6 100644
+index 88dca60..2520cc3 100644
--- a/runtime/doc/options.txt
+++ b/runtime/doc/options.txt
@@ -5126,7 +5126,7 @@ A jump table for the options with a short description can be found at |Q_op|.
diff --git a/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch b/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
index c016771..2d74aca 100644
--- a/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
+++ b/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
@@ -17,7 +17,7 @@ Signed-off-by: James Vega <jamessan at debian.org>
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/main.c b/src/main.c
-index f3c471a85..0d7de4f2c 100644
+index f3c471a..0d7de4f 100644
--- a/src/main.c
+++ b/src/main.c
@@ -1729,6 +1729,10 @@ parse_command_name(mparm_T *parmp)
@@ -56,7 +56,7 @@ index f3c471a85..0d7de4f2c 100644
{
/* When no .vimrc file was found: source defaults.vim. */
diff --git a/src/os_unix.h b/src/os_unix.h
-index d28aa4dde..3a00e05df 100644
+index d28aa4d..3a00e05 100644
--- a/src/os_unix.h
+++ b/src/os_unix.h
@@ -213,6 +213,9 @@ typedef struct dsc$descriptor DESC;
@@ -70,7 +70,7 @@ index d28aa4dde..3a00e05df 100644
# define SYS_VIMRC_FILE "$VIM/vimrc"
#endif
diff --git a/src/structs.h b/src/structs.h
-index 9c0e0468b..988ce660f 100644
+index 9c0e046..988ce66 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -3261,6 +3261,9 @@ typedef struct
diff --git a/debian/patches/series b/debian/patches/series
index ce944e0..9113ba3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,6 @@ upstream/patch-8.0.0377-possible-overflow-when-reading-corrupted-u.patch
upstream/patch-8.0.0378-possible-overflow-when-reading-corrupted-u.patch
upstream/patch-8.0.0550-cannot-parse-some-etags-format-tags-file.patch
upstream/Update-releases-in-deb-changelog-sources-syntax-files.patch
+upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch
+upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch
+upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch
diff --git a/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch b/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch
index 2234e8c..3f2affa 100644
--- a/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch
+++ b/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch
@@ -8,7 +8,7 @@ Subject: Add Zesty Zapus to deb{changelog,sources} syntax files
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/runtime/syntax/debchangelog.vim b/runtime/syntax/debchangelog.vim
-index a10e4ad34..eb02aaf4a 100644
+index a10e4ad..eb02aaf 100644
--- a/runtime/syntax/debchangelog.vim
+++ b/runtime/syntax/debchangelog.vim
@@ -3,7 +3,7 @@
@@ -30,7 +30,7 @@ index a10e4ad34..eb02aaf4a 100644
syn match debchangelogCloses contained "closes:\_s*\(bug\)\=#\=\_s\=\d\+\(,\_s*\(bug\)\=#\=\_s\=\d\+\)*"
syn match debchangelogLP contained "\clp:\s\+#\d\+\(,\s*#\d\+\)*"
diff --git a/runtime/syntax/debsources.vim b/runtime/syntax/debsources.vim
-index 277794497..390c43035 100644
+index 2777944..390c430 100644
--- a/runtime/syntax/debsources.vim
+++ b/runtime/syntax/debsources.vim
@@ -2,7 +2,7 @@
diff --git a/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch b/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
index 978c638..a43709b 100644
--- a/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
+++ b/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
@@ -23,7 +23,7 @@ preprocessor's __DATE__/__TIME__ symbols will be used.
3 files changed, 19 insertions(+)
diff --git a/src/config.h.in b/src/config.h.in
-index 38b0ccf53..ab8f20207 100644
+index 38b0ccf..ab8f202 100644
--- a/src/config.h.in
+++ b/src/config.h.in
@@ -30,6 +30,9 @@
@@ -37,7 +37,7 @@ index 38b0ccf53..ab8f20207 100644
#undef HAVE_ATTRIBUTE_UNUSED
diff --git a/src/configure.ac b/src/configure.ac
-index 1706a8d9a..9cf8b9615 100644
+index 1706a8d..9cf8b96 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -29,6 +29,16 @@ dnl in autoconf needs it, where it uses STDC_HEADERS.
@@ -58,7 +58,7 @@ index 1706a8d9a..9cf8b9615 100644
AC_MSG_CHECKING(--enable-fail-if-missing argument)
diff --git a/src/version.c b/src/version.c
-index 71c04506f..dacb42db0 100644
+index 71c0450..dacb42d 100644
--- a/src/version.c
+++ b/src/version.c
@@ -44,11 +44,17 @@ make_version(void)
diff --git a/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch b/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch
index 86ccc56..f7be789 100644
--- a/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch
+++ b/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch
@@ -8,7 +8,7 @@ Signed-off-by: James McCoy <jamessan at debian.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/runtime/syntax/debcontrol.vim b/runtime/syntax/debcontrol.vim
-index b52c496c9..b1bc9f8bf 100644
+index b52c496..b1bc9f8 100644
--- a/runtime/syntax/debcontrol.vim
+++ b/runtime/syntax/debcontrol.vim
@@ -38,7 +38,7 @@ unlet s:kernels s:archs s:pairs
diff --git a/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch b/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch
new file mode 100644
index 0000000..0173497
--- /dev/null
+++ b/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch
@@ -0,0 +1,69 @@
+From: Bram Moolenaar <Bram at vim.org>
+Date: Sun, 9 Jul 2017 11:07:16 +0200
+Subject: patch 8.0.0703: illegal memory access with empty :doau command
+
+Problem: Illegal memory access with empty :doau command.
+Solution: Check the event for being out of range. (James McCoy)
+---
+ src/fileio.c | 7 ++++---
+ src/testdir/test_autocmd.vim | 4 ++++
+ src/version.c | 2 ++
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/fileio.c b/src/fileio.c
+index aeb53b5..d305c82 100644
+--- a/src/fileio.c
++++ b/src/fileio.c
+@@ -8790,7 +8790,7 @@ do_doautocmd(
+ /*
+ * Loop over the events.
+ */
+- while (*arg && !vim_iswhite(*arg))
++ while (*arg && !ends_excmd(*arg) && !vim_iswhite(*arg))
+ if (apply_autocmds_group(event_name2nr(arg, &arg),
+ fname, NULL, TRUE, group, curbuf, NULL))
+ nothing_done = FALSE;
+@@ -9306,7 +9306,8 @@ apply_autocmds_group(
+ * Quickly return if there are no autocommands for this event or
+ * autocommands are blocked.
+ */
+- if (first_autopat[(int)event] == NULL || autocmd_blocked > 0)
++ if (event == NUM_EVENTS || first_autopat[(int)event] == NULL
++ || autocmd_blocked > 0)
+ goto BYPASS_AU;
+
+ /*
+@@ -9379,7 +9380,7 @@ apply_autocmds_group(
+ {
+ if (event == EVENT_COLORSCHEME || event == EVENT_OPTIONSET)
+ autocmd_fname = NULL;
+- else if (fname != NULL && *fname != NUL)
++ else if (fname != NULL && !ends_excmd(*fname))
+ autocmd_fname = fname;
+ else if (buf != NULL)
+ autocmd_fname = buf->b_ffname;
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 566a07c..2a783f4 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -341,3 +341,7 @@ func Test_BufEnter()
+ call delete('Xdir', 'd')
+ au! BufEnter
+ endfunc
++
++func Test_empty_doau()
++ doau \|
++endfunc
+diff --git a/src/version.c b/src/version.c
+index b10438e..6781ef2 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 703,
++/**/
+ 550,
+ /**/
+ 378,
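Review bot: In the third fileio.c hunk of this patch, `!ends_excmd(*fname)` replaces `*fname != NUL` inside apply_autocmds_group, so the stricter test applies to every caller of that function, not only to `:doau`. If ends_excmd() accepts `|`, as the new `doau \|` test implies, a real file name starting with that character would presumably be ignored in favour of `buf->b_ffname`. Consider keeping `*fname != NUL` there and normalising the empty argument in do_doautocmd, or at least adding a comment such as `/* fname may point at the command terminator when :doau is given no file name */`. Separately, the new guard `event == NUM_EVENTS` matches only the sentinel; `(int)event >= NUM_EVENTS` would also reject any other out-of-range value before `first_autopat[(int)event]` is indexed. Both functions start and end outside the quoted hunks, so their other call paths are not visible here.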
diff --git a/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch b/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch
new file mode 100644
index 0000000..56eb6bb
--- /dev/null
+++ b/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch
@@ -0,0 +1,42 @@
+From: Bram Moolenaar <Bram at vim.org>
+Date: Tue, 11 Jul 2017 15:11:57 +0200
+Subject: patch 8.0.0706: crash when cancelling the cmdline window in Ex mode
+
+Problem: Crash when cancelling the cmdline window in Ex mode. (James McCoy)
+Solution: Do not set cmdbuff to NULL, make it empty.
+---
+ src/ex_getln.c | 6 ++++++
+ src/version.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 581c444..f0a4329 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -7003,7 +7003,13 @@ ex_window(void)
+ else
+ ccline.cmdbuff = vim_strsave(ml_get_curline());
+ if (ccline.cmdbuff == NULL)
++ {
++ ccline.cmdbuff = vim_strsave((char_u *)"");
++ ccline.cmdlen = 0;
++ ccline.cmdbufflen = 1;
++ ccline.cmdpos = 0;
+ cmdwin_result = Ctrl_C;
++ }
+ else
+ {
+ ccline.cmdlen = (int)STRLEN(ccline.cmdbuff);
+diff --git a/src/version.c b/src/version.c
+index 6781ef2..6986625 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 706,
++/**/
+ 703,
+ /**/
+ 550,
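Review bot: The fallback `ccline.cmdbuff = vim_strsave((char_u *)"");` in ex_window is itself unchecked, so if that allocation also fails, cmdbuff stays NULL while `ccline.cmdbufflen = 1` claims a one-byte buffer. That is the NULL state the patch description says leads to the crash. Setting cmdlen, cmdbufflen and cmdpos only after confirming the result is non-NULL, with a comment on what callers should expect if it is still NULL, would make the remaining failure mode explicit. The diffstat lists only ex_getln.c and version.c, so unlike 8.0.0703 no regression test accompanies this fix. ex_window's body continues outside the hunk, so how later code reads cmdbuff is not visible here.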
diff --git a/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch b/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch
new file mode 100644
index 0000000..873a87e
--- /dev/null
+++ b/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch
@@ -0,0 +1,40 @@
+From: Bram Moolenaar <Bram at vim.org>
+Date: Tue, 11 Jul 2017 18:28:46 +0200
+Subject: patch 8.0.0707: freeing wrong memory with certain autocommands
+
+Problem: Freeing wrong memory when manipulating buffers in autocommands.
+ (James McCoy)
+Solution: Also set the w_s pointer if w_buffer was NULL.
+---
+ src/ex_cmds.c | 4 ++--
+ src/version.c | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 00cac92..628d27b 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -3967,8 +3967,8 @@ do_ecmd(
+ * <VN> We could instead free the synblock
+ * and re-attach to buffer, perhaps.
+ */
+- if (curwin->w_buffer != NULL
+- && curwin->w_s == &(curwin->w_buffer->b_s))
++ if (curwin->w_buffer == NULL
++ || curwin->w_s == &(curwin->w_buffer->b_s))
+ curwin->w_s = &(buf->b_s);
+ #endif
+ curwin->w_buffer = buf;
+diff --git a/src/version.c b/src/version.c
+index 6986625..59ef8b2 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 707,
++/**/
+ 706,
+ /**/
+ 703,
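Review bot: The rewritten condition in do_ecmd now resets `curwin->w_s` whenever `curwin->w_buffer` is NULL, but the existing comment above it still only discusses re-attaching the synblock and does not say why the NULL case matters. A short comment such as `/* w_buffer may be NULL after autocommands ran; w_s must not keep pointing into the old buffer */` would document the invariant. Whether `w_s` can refer to a separately allocated synblock at this point, which the unconditional overwrite would drop without freeing, cannot be judged from the hunk and is worth confirming. The diffstat shows no test file, so this memory-safety fix ships without a regression test. do_ecmd starts and ends outside the hunk.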
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-vim/vim.git