
[alpine-aports] [PATCH v3.2] main/vim: security fixes #6866

From: Sergei Lukin <sergej.lukin_at_gmail.com>
Date: Thu, 16 Feb 2017 07:07:57 +0000

CVE-2017-5953: Tree length values not validated properly when handling a spell file
---
 main/vim/APKBUILD            | 13 ++++++++++---
 main/vim/CVE-2017-5953.patch | 28 ++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 main/vim/CVE-2017-5953.patch
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index 263d5bf..f3e5fa8 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
_at_@ -1,3 +1,4 @@
+# Contributor: Sergei Lukin <sergej.lukin_at_gmail.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=vim
 pkgver=7.4.712
_at_@ -16,10 +17,13 @@ subpackages="$pkgname-doc ${pkgname}diff"
 source="http://dev.alpinelinux.org/archive/vim/vim-$pkgver.tar.gz
 	vimrc
 	CVE-2016-1248.patch
+	CVE-2017-5953.patch
 	"
 _builddir="$srcdir"/vim-v${pkgver//./-}
 
 # secfixes:
+#   7.4.712-r2:
+#   - CVE-2017-5953
 #   7.4.712-r1:
 #   - CVE-2016-1248
 
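Review bot: The new secfixes entry records the fix under `7.4.712-r2`, but nothing in this patch changes `pkgrel`: the diffstat's 10 insertions and 3 deletions for APKBUILD are all accounted for by the lines shown in the three hunks. The `pkgrel` line itself is outside the visible hunks, so its current value cannot be confirmed from here; if it is still 1, the commit should also carry `pkgrel=2`. Without the bump, installed systems are not offered a rebuilt package. Tooling that reads the secfixes block would also report CVE-2017-5953 as fixed in a release that was never built.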
_at_@ -67,10 +71,13 @@ vimdiff() {
 
 md5sums="ad8543cadbadb7f3a71d35296ce3612f  vim-7.4.712.tar.gz
 97aecde2ab504e543a96bec84b3b5638  vimrc
-65cd79792f8150130c4aafb7842b80cf  CVE-2016-1248.patch"
+65cd79792f8150130c4aafb7842b80cf  CVE-2016-1248.patch
+9ef01e90bbb56924265c7306ae9f58c3  CVE-2017-5953.patch"
 sha256sums="7fe2a9cb24b258a725c5a95f052b62f341aac122aab1243a9a270eff722a37e3  vim-7.4.712.tar.gz
 7ac7e5fd75fe315fd8b3ca4172056ebb9f06df0b5985d3ff88133dfcdd87076b  vimrc
-b8d1227a41d6f7f596f3bf45dfaf9d0dbbbcf091c5f145c95d464986031446e5  CVE-2016-1248.patch"
+b8d1227a41d6f7f596f3bf45dfaf9d0dbbbcf091c5f145c95d464986031446e5  CVE-2016-1248.patch
+79dfa7c82565efe85f5cbcc889aa45cc46f2c6a83c58b35b834e05b54367c44d  CVE-2017-5953.patch"
 sha512sums="db0e20b3b43ec4033aa057a2676d2a294d12139ecfa7be2403a54e2b0d869e5ba6a606f7dd964752c802129c6e95afee7da2e48f5605c7f64041aa8fb2354aa7  vim-7.4.712.tar.gz
 d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02  vimrc
-e773f8c497364930dea10585af5888f12ea7be1effb23461df9f92c10c2c0e9e55e127b9465f62a20c03e08ab77f9c9f140f50277d7c9cc5c318e84725434d18  CVE-2016-1248.patch"
+e773f8c497364930dea10585af5888f12ea7be1effb23461df9f92c10c2c0e9e55e127b9465f62a20c03e08ab77f9c9f140f50277d7c9cc5c318e84725434d18  CVE-2016-1248.patch
+e9f2bef38bf5257857f2936d6e3e7d7564d97701bf2f89ad1fd56ff7d0f7f8d722801b4c6ace859101e7611e74d48bf052f6cca9e2b6b4720d9adc1a1d38e2cf  CVE-2017-5953.patch"
diff --git a/main/vim/CVE-2017-5953.patch b/main/vim/CVE-2017-5953.patch
new file mode 100644
index 0000000..26e8abe
--- /dev/null
+++ b/main/vim/CVE-2017-5953.patch
_at_@ -0,0 +1,28 @@
+Source:
+https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
+Script was adjusted for vim-7.4.1831
+
+commit 399c297aa93afe2c0a39e2a1b3f972aebba44c9d
+Author: Bram Moolenaar <Bram_at_vim.org>
+Date:   Thu Feb 9 21:07:12 2017 +0100
+
+    patch 8.0.0322: possible overflow with corrupted spell file
+    
+    Problem:    Possible overflow with spell file where the tree length is
+                corrupted.
+    Solution:   Check for an invalid length (suggested by shqking)
+
+diff --git a/src/spell.c b/src/spell.c
+index c7d87c6c7..8b1a3a633 100644
+--- a/src/spell.c
++++ b/src/spell.c
+_at_@ -1595,6 +1595,9 @@ spell_read_tree(
+     len = get4c(fd);
+     if (len < 0)
+ 	return SP_TRUNCERROR;
++    if (len >= 0x3ffffff)
++	/* Invalid length, multiply with sizeof(int) would overflow. */
++	return SP_FORMERROR;
+     if (len > 0)
+     {
+ 	/* Allocate the byte array. */
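Review bot: The provenance header of the new patch file says `Script was adjusted for vim-7.4.1831`, while this APKBUILD builds `pkgver=7.4.712`; the header should name the version the hunk was actually rebased onto. It is also worth confirming that the hunk applies to the packaged `src/spell.c` without fuzz, so that the check lands directly after the `len < 0` test in `spell_read_tree`. On the check itself, `0x3ffffff` is a fixed constant whose comment ties it to `sizeof(int)`; a comment such as `/* bound assumes 4-byte int; len is read from the spell file and is untrusted */` would make that assumption explicit. Lengths below the bound still size the allocation that follows, and that code is outside this hunk, so its handling of allocation failure cannot be checked from here.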
-- 
2.4.11
Received on Thu Feb 16 2017 - 07:07:57 GMT