From: Sergei Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergei Lukin Subject: [alpine-aports] [PATCH v3.2] main/vim: security fixes #6866 Date: Thu, 16 Feb 2017 07:07:57 +0000 Message-Id: <1487228877-4764-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.4.11 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2017-5953: Tree length values not validated properly when handling a spell file --- main/vim/APKBUILD | 13 ++++++++++--- main/vim/CVE-2017-5953.patch | 28 ++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 3 deletions(-) create mode 100644 main/vim/CVE-2017-5953.patch diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD index 263d5bf..f3e5fa8 100644 --- a/main/vim/APKBUILD +++ b/main/vim/APKBUILD @@ -1,3 +1,4 @@ +# Contributor: Sergei Lukin # Maintainer: Natanael Copa pkgname=vim pkgver=7.4.712 @@ -16,10 +17,13 @@ subpackages="$pkgname-doc ${pkgname}diff" source="http://dev.alpinelinux.org/archive/vim/vim-$pkgver.tar.gz vimrc CVE-2016-1248.patch + CVE-2017-5953.patch " _builddir="$srcdir"/vim-v${pkgver//./-} # secfixes: +# 7.4.712-r2: +# - CVE-2017-5953 # 7.4.712-r1: # - CVE-2016-1248 
@@ -67,10 +71,13 @@ vimdiff() { md5sums="ad8543cadbadb7f3a71d35296ce3612f vim-7.4.712.tar.gz 97aecde2ab504e543a96bec84b3b5638 vimrc -65cd79792f8150130c4aafb7842b80cf CVE-2016-1248.patch" +65cd79792f8150130c4aafb7842b80cf CVE-2016-1248.patch +9ef01e90bbb56924265c7306ae9f58c3 CVE-2017-5953.patch" sha256sums="7fe2a9cb24b258a725c5a95f052b62f341aac122aab1243a9a270eff722a37e3 vim-7.4.712.tar.gz 7ac7e5fd75fe315fd8b3ca4172056ebb9f06df0b5985d3ff88133dfcdd87076b vimrc -b8d1227a41d6f7f596f3bf45dfaf9d0dbbbcf091c5f145c95d464986031446e5 CVE-2016-1248.patch" +b8d1227a41d6f7f596f3bf45dfaf9d0dbbbcf091c5f145c95d464986031446e5 CVE-2016-1248.patch +79dfa7c82565efe85f5cbcc889aa45cc46f2c6a83c58b35b834e05b54367c44d CVE-2017-5953.patch" sha512sums="db0e20b3b43ec4033aa057a2676d2a294d12139ecfa7be2403a54e2b0d869e5ba6a606f7dd964752c802129c6e95afee7da2e48f5605c7f64041aa8fb2354aa7 vim-7.4.712.tar.gz d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc -e773f8c497364930dea10585af5888f12ea7be1effb23461df9f92c10c2c0e9e55e127b9465f62a20c03e08ab77f9c9f140f50277d7c9cc5c318e84725434d18 CVE-2016-1248.patch" +e773f8c497364930dea10585af5888f12ea7be1effb23461df9f92c10c2c0e9e55e127b9465f62a20c03e08ab77f9c9f140f50277d7c9cc5c318e84725434d18 CVE-2016-1248.patch +e9f2bef38bf5257857f2936d6e3e7d7564d97701bf2f89ad1fd56ff7d0f7f8d722801b4c6ace859101e7611e74d48bf052f6cca9e2b6b4720d9adc1a1d38e2cf CVE-2017-5953.patch" diff --git a/main/vim/CVE-2017-5953.patch b/main/vim/CVE-2017-5953.patch new file mode 100644 index 0000000..26e8abe --- /dev/null +++ b/main/vim/CVE-2017-5953.patch 
@@ -0,0 +1,28 @@ +Source: +https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d +Script was adjusted for vim-7.4.1831 + +commit 399c297aa93afe2c0a39e2a1b3f972aebba44c9d +Author: Bram Moolenaar +Date: Thu Feb 9 21:07:12 2017 +0100 + + patch 8.0.0322: possible overflow with corrupted spell file + + Problem: Possible overflow with spell file where the tree length is + corrupted. + Solution: Check for an invalid length (suggested by shqking) + +diff --git a/src/spell.c b/src/spell.c +index c7d87c6c7..8b1a3a633 100644 +--- a/src/spell.c ++++ b/src/spell.c +@@ -1595,6 +1595,9 @@ spell_read_tree( + len = get4c(fd); + if (len < 0) + return SP_TRUNCERROR; ++ if (len >= 0x3ffffff) ++ /* Invalid length, multiply with sizeof(int) would overflow. */ ++ return SP_FORMERROR; + if (len > 0) + { + /* Allocate the byte array. */ -- 2.4.11 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
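Review bot: The secfixes entry added in the second APKBUILD hunk (`@@ -16,10 +17,13 @@`) names `7.4.712-r2`, but no hunk in this patch changes `pkgrel`. The diffstat's 10 insertions and 3 deletions are fully accounted for by the Contributor line, the new `source` entry, the two secfixes lines and the checksum lines. If `pkgrel` is still 1, bump it to 2 in this same patch so the built package carries the release number the secfixes comment says contains the CVE-2017-5953 fix; otherwise the comment points at a release that is never built.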
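Review bot: The provenance header of the new `main/vim/CVE-2017-5953.patch` says "Script was adjusted for vim-7.4.1831", while the APKBUILD in this same patch builds `pkgver=7.4.712`. Either correct the version in that note or state which tree the adjustment was made against. The embedded hunk still carries upstream's `index c7d87c6c7..8b1a3a633` line and the `@@ -1595,6 +1595,9 @@ spell_read_tree(` offsets from the 8.0.0322 commit, so please confirm that it applies to `src/spell.c` in 7.4.712 without fuzz, and that the `len >= 0x3ffffff` check lands directly after the existing `if (len < 0) return SP_TRUNCERROR;` test and before the `if (len > 0)` allocation branch, as the context lines show.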