CVE-2017-5953: Tree length values not validated properly when handling a spell file
---
main/vim/APKBUILD | 15 +++++++++++----
main/vim/CVE-2017-5953.patch | 28 ++++++++++++++++++++++++++++
2 files changed, 39 insertions(+), 4 deletions(-)
create mode 100644 main/vim/CVE-2017-5953.patch
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index 5677b91..c17c85a 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
@@ -1,9 +1,10 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vim
pkgver=7.4.1831
-pkgrel=2
+pkgrel=3
pkgdesc="advanced text editor"
url="http://www.vim.org"
arch="all"
@@ -14,11 +15,14 @@ subpackages="$pkgname-doc ${pkgname}diff"
source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz
vimrc
CVE-2016-1248.patch
+ CVE-2017-5953.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 7.4.1831-r3:
+# - CVE-2017-5953
# 7.4.1831-r2:
# - CVE-2016-1248
@@ -71,10 +75,13 @@ vimdiff() {
md5sums="95e9b459dd52e92011f1438c7a7b2435 vim-7.4.1831.tar.gz
97aecde2ab504e543a96bec84b3b5638 vimrc
-65cd79792f8150130c4aafb7842b80cf CVE-2016-1248.patch"
+65cd79792f8150130c4aafb7842b80cf CVE-2016-1248.patch
+9ef01e90bbb56924265c7306ae9f58c3 CVE-2017-5953.patch"
sha256sums="e5b7e5acd84e1430f9b9bc51006a57defaaf2678f875c73bb323ec5492041d77 vim-7.4.1831.tar.gz
7ac7e5fd75fe315fd8b3ca4172056ebb9f06df0b5985d3ff88133dfcdd87076b vimrc
-b8d1227a41d6f7f596f3bf45dfaf9d0dbbbcf091c5f145c95d464986031446e5 CVE-2016-1248.patch"
+b8d1227a41d6f7f596f3bf45dfaf9d0dbbbcf091c5f145c95d464986031446e5 CVE-2016-1248.patch
+79dfa7c82565efe85f5cbcc889aa45cc46f2c6a83c58b35b834e05b54367c44d CVE-2017-5953.patch"
sha512sums="a424d19409ba3b25438bd929a18b19a05913dc227996406c090cda29b69e90bf0e8358036602f3dffac01dddaa1ecbbbd832fa02515a250a664f77b24631f9fe vim-7.4.1831.tar.gz
d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc
-e773f8c497364930dea10585af5888f12ea7be1effb23461df9f92c10c2c0e9e55e127b9465f62a20c03e08ab77f9c9f140f50277d7c9cc5c318e84725434d18 CVE-2016-1248.patch"
+e773f8c497364930dea10585af5888f12ea7be1effb23461df9f92c10c2c0e9e55e127b9465f62a20c03e08ab77f9c9f140f50277d7c9cc5c318e84725434d18 CVE-2016-1248.patch
+e9f2bef38bf5257857f2936d6e3e7d7564d97701bf2f89ad1fd56ff7d0f7f8d722801b4c6ace859101e7611e74d48bf052f6cca9e2b6b4720d9adc1a1d38e2cf CVE-2017-5953.patch"
diff --git a/main/vim/CVE-2017-5953.patch b/main/vim/CVE-2017-5953.patch
new file mode 100644
index 0000000..26e8abe
--- /dev/null
+++ b/main/vim/CVE-2017-5953.patch
@@ -0,0 +1,28 @@
+Source:
+https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
+Script was adjusted for vim-7.4.1831
+
+commit 399c297aa93afe2c0a39e2a1b3f972aebba44c9d
+Author: Bram Moolenaar <Bram@vim.org>
+Date: Thu Feb 9 21:07:12 2017 +0100
+
+ patch 8.0.0322: possible overflow with corrupted spell file
+
+ Problem: Possible overflow with spell file where the tree length is
+ corrupted.
+ Solution: Check for an invalid length (suggested by shqking)
+
+diff --git a/src/spell.c b/src/spell.c
+index c7d87c6c7..8b1a3a633 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -1595,6 +1595,9 @@ spell_read_tree(
+ len = get4c(fd);
+ if (len < 0)
+ return SP_TRUNCERROR;
++ if (len >= 0x3ffffff)
++ /* Invalid length, multiply with sizeof(int) would overflow. */
++ return SP_FORMERROR;
+ if (len > 0)
+ {
+ /* Allocate the byte array. */
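Review bot: The bound `0x3ffffff` in the added `len` check is an unexplained magic number. Assuming a 4-byte int, `0x3ffffff * sizeof(int)` is roughly 256 MiB, well below INT_MAX, so the test is a conservative sanity cap rather than the exact overflow threshold the comment implies. I would reword the comment to say so, for example `/* Length comes from the spell file and is untrusted: cap it far below INT_MAX / sizeof(int) so len * sizeof(int) cannot overflow. */`. Lengths under the cap are still file-controlled and size the allocations that follow, so the allocation results must be checked before use; that code is in the part of spell_read_tree outside this hunk and should be confirmed there. Because the header says the patch was adjusted for vim-7.4.1831, it would also help to state what differs from the upstream commit so the backport can be audited against it.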
--
2.8.3