Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package neovim This upload includes fixes for CVE-2017-{5953,6349,6350}. unblock neovim/0.1.7-4 -- System Information: Debian Release: 9.0 APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diffstat for neovim-0.1.7 neovim-0.1.7 changelog | 9 ++ patches/0001-debcherry-fixup-patch.patch | 32 +++++++- patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch | 4 - patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch | 4 - patches/0004-vim-patch-8.0.0377.patch | 38 ++++++++++ patches/0005-vim-patch-8.0.0378.patch | 37 +++++++++ patches/series | 2 7 files changed, 118 insertions(+), 8 deletions(-)
diff -Nru neovim-0.1.7/debian/changelog neovim-0.1.7/debian/changelog
--- neovim-0.1.7/debian/changelog 2017-01-16 07:18:35.000000000 -0500
+++ neovim-0.1.7/debian/changelog 2017-04-10 08:15:38.000000000 -0400
@@ -1,3 +1,12 @@
+neovim (0.1.7-4) unstable; urgency=high
+
+ * Cherry-pick b338bb9d & 4af6c608 from upstream to fix buffer overflow if a
+ spellfile has an invalid length in it. (CVE-2017-5953)
+ * Cherry-pick fb66a7c6 & ad66826a from upstream to fix buffer overflows when
+ reading corrupted undo files. (CVE-2017-6349 & CVE-2017-6350)
+
+ -- James McCoy <james...@debian.org> Mon, 10 Apr 2017 08:15:38 -0400
+
 neovim (0.1.7-3) unstable; urgency=medium
 * Disable global_spec.lua since it's rather flaky.
diff -Nru neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch
--- neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch 2017-01-16 07:18:35.000000000 -0500
+++ neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch 2017-04-10 08:15:38.000000000 -0400
@@ -1,8 +1,12 @@
-From 2ef123279cbff7afeb5546992dc34c902664b4db Mon Sep 17 00:00:00 2001
+From 5a06ba6f8d7c464ec319eac1a805575849203371 Mon Sep 17 00:00:00 2001
From: James McCoy <james...@jamessan.com>
-Date: Mon, 16 Jan 2017 07:19:41 -0500
-Subject: [PATCH 1/3] debcherry fixup patch
+Date: Mon, 10 Apr 2017 08:16:34 -0400
+Subject: [PATCH 1/5] debcherry fixup patch
+53bde37a vim-patch:8.0.0376
+ - no changes against upstream or conflicts
+aa0c704e vim-patch:8.0.0322
+ - extra changes or conflicts
 7b3fc809 out_data_decide_throttle(): timeout instead of hard limit.
 - no changes against upstream or conflicts
 443f0387 out_data_decide_throttle(): Avoid too-small final chunk.
@@ -22,11 +26,12 @@
 src/nvim/main.c | 2 +-
 src/nvim/memory.c | 31 ++++---
 src/nvim/os/shell.c | 147 ++++++++++++++++++++++++++++++++--
+ src/nvim/spell.c | 6 +-
 test/functional/eval/execute_spec.lua | 17 ++--
 test/functional/terminal/helpers.lua | 1 +
 test/functional/ui/output_spec.lua | 21 +++++
 test/functional/ui/screen.lua | 47 ++++++++---
- 10 files changed, 235 insertions(+), 49 deletions(-)
+ 11 files changed, 240 insertions(+), 50 deletions(-)
 diff --git a/runtime/doc/various.txt b/runtime/doc/various.txt
 index a1bf379d..3c147244 100644
@@ -353,6 +358,25 @@
 if (cnt) {
 rbuffer_consumed(buf, cnt);
 }
+diff --git a/src/nvim/spell.c b/src/nvim/spell.c
+index 7119ac6d..7dc9eb05 100644
+--- a/src/nvim/spell.c
++++ b/src/nvim/spell.c
+@@ -3589,9 +3589,13 @@ spell_read_tree (
+
+ // The tree size was computed when writing the file, so that we can
+ // allocate it as one long block. <nodecount>
+- int len = get4c(fd);
++ long len = get4c(fd);
+ if (len < 0)
+ return SP_TRUNCERROR;
++ if ((size_t)len >= SIZE_MAX / sizeof(int)) {
++ // Invalid length, multiply with sizeof(int) would overflow.
++ return SP_FORMERROR;
++ }
+ if (len > 0) {
+ // Allocate the byte array.
+ bp = xmalloc(len);
 diff --git a/test/functional/eval/execute_spec.lua b/test/functional/eval/execute_spec.lua
 index b5b48143..fc13c0a7 100644
--- a/test/functional/eval/execute_spec.lua
diff -Nru neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch
--- neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch 2017-01-16 07:18:35.000000000 -0500
+++ neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch 2017-04-10 08:15:38.000000000 -0400
@@ -1,7 +1,7 @@
-From 867ed903bffe6befb44208a34c8084db4ea44497 Mon Sep 17 00:00:00 2001
+From e54118bdb9165d11ebe6250ab08ff2e4b85e29d2 Mon Sep 17 00:00:00 2001
 From: "Justin M. Keyes" <justi...@gmail.com>
 Date: Wed, 7 Dec 2016 14:01:51 +0100
-Subject: [PATCH 2/3] test: Handle SIGHUP in tty-test fixture.
+Subject: [PATCH 2/5] test: Handle SIGHUP in tty-test fixture.
 Closes #5727
 ---
diff -Nru neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch
--- neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch 2017-01-16 07:18:35.000000000 -0500
+++ neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch 2017-04-10 08:15:38.000000000 -0400
@@ -1,7 +1,7 @@
-From 630b72431209463f105435aae491818cf53a2ac7 Mon Sep 17 00:00:00 2001
+From d3babd790b7f67fa6ba590877961d49ae6e76826 Mon Sep 17 00:00:00 2001
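Review bot: The new bound `(size_t)len >= SIZE_MAX / sizeof(int)` in spell_read_tree guards a multiplication that does not appear in this hunk — the only allocation visible is `bp = xmalloc(len)` — so it is only meaningful if a later `len * sizeof(int)` allocation exists further down the function; please confirm, and make the comment point at it: `// Reject here so the later len * sizeof(int) allocation cannot wrap.` Since get4c yields at most a 32-bit count, on LP64 targets this check can never fire and a corrupt spellfile can still request a multi-GiB buffer, which is a crash or DoS rather than memory corruption; a cap tied to the spellfile's actual size would be the stronger check. On the packaging side, carrying a CVE fix inside the auto-generated "debcherry fixup patch" with no CVE reference in its header makes it hard to audit, and the changelog names b338bb9d & 4af6c608 while this header lists 53bde37a and aa0c704e — a dedicated patch like 0004/0005 with a `CVE-2017-5953` trailer would keep the two consistent. spell_read_tree starts and ends outside the hunk.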
From: "Justin M. Keyes" <justi...@gmail.com>
 Date: Mon, 3 Oct 2016 10:46:11 +0200
-Subject: [PATCH 3/3] tui: "backpressure": Drop messages to avoid flooding.
+Subject: [PATCH 3/5] tui: "backpressure": Drop messages to avoid flooding.
 Closes #1234
diff -Nru neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch
--- neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch 1969-12-31 19:00:00.000000000 -0500
+++ neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch 2017-04-10 08:15:38.000000000 -0400
@@ -0,0 +1,38 @@
+From 6e3b7e649e7b1e7c2158fdc03f6a9aa02583dcf1 Mon Sep 17 00:00:00 2001
+From: James McCoy <james...@jamessan.com>
+Date: Sat, 8 Apr 2017 21:22:11 -0400
+Subject: [PATCH 4/5] vim-patch:8.0.0377
+
+Problem: Possible overflow when reading corrupted undo file.
+Solution: Check if allocated size is not too big. (King)
+
+https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c
+
+CVE-2017-6349
+---
+ src/nvim/undo.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/nvim/undo.c b/src/nvim/undo.c
+index 4d56046b..11f4d556 100644
+--- a/src/nvim/undo.c
++++ b/src/nvim/undo.c
+@@ -76,6 +76,7 @@
+ #include <inttypes.h>
+ #include <limits.h>
+ #include <stdbool.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <fcntl.h>
+
+@@ -1403,7 +1404,9 @@ void u_read_undo(char *name, char_u *hash, char_u *orig_name)
+ // sequence numbers of the headers.
+ // When there are no headers uhp_table is NULL.
+ if (num_head > 0) {
+- uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *));
++ if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) {
++ uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table));
++ }
+ }
+
+ long num_read_uhps = 0;
diff -Nru neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch
--- neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch 1969-12-31 19:00:00.000000000 -0500
+++ neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch 2017-04-10 08:15:38.000000000 -0400
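Review bot: When the new `num_head` bound check fails, `uhp_table` is simply left unallocated — by the hunk's own comment that means NULL, the state reserved for "no headers" — yet `num_head` keeps its huge value and u_read_undo carries on past `long num_read_uhps = 0;`, so a corrupt file presumably still reaches the header-reading code with a NULL table and a positive count. The multiplication overflow is closed, but the function should reject the file here instead of continuing: `} else { goto error; }` (or whatever corruption path u_read_undo uses elsewhere); as I recall the referenced Vim commit keeps an `if (uhp_table == NULL) goto error;` after the allocation, which Neovim dropped because xmalloc never returns NULL. u_read_undo starts and ends outside the hunk, so the exact label has to be checked there.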
@@ -0,0 +1,37 @@
+From 64dd432e3e136a559d5959bc91504375f01e027d Mon Sep 17 00:00:00 2001
+From: James McCoy <james...@jamessan.com>
+Date: Sat, 8 Apr 2017 21:56:02 -0400
+Subject: [PATCH 5/5] vim-patch:8.0.0378
+
+Problem: Another possible overflow when reading corrupted undo file.
+Solution: Check if allocated size is not too big. (King)
+
+https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75
+
+CVE-2017-6350
+---
+ src/nvim/undo.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/nvim/undo.c b/src/nvim/undo.c
+index 11f4d556..d1a0bfdf 100644
+--- a/src/nvim/undo.c
++++ b/src/nvim/undo.c
+@@ -970,12 +970,12 @@ static u_entry_T *unserialize_uep(bufinfo_T * bi, bool *error,
+ uep->ue_lcount = undo_read_4c(bi);
+ uep->ue_size = undo_read_4c(bi);
+
+- char_u **array;
++ char_u **array = NULL;
+ if (uep->ue_size > 0) {
+- array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
+- memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
+- } else {
+- array = NULL;
++ if ((size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)) {
++ array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
++ memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
++ }
+ }
+ uep->ue_array = array;
+
diff -Nru neovim-0.1.7/debian/patches/series neovim-0.1.7/debian/patches/series
--- neovim-0.1.7/debian/patches/series 2017-01-16 07:18:35.000000000 -0500
+++ neovim-0.1.7/debian/patches/series 2017-04-10 08:15:38.000000000 -0400
@@ -2,3 +2,5 @@
 0001-debcherry-fixup-patch.patch
 0002-test-Handle-SIGHUP-in-tty-test-fixture.patch
 0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch
+0004-vim-patch-8.0.0377.patch
+0005-vim-patch-8.0.0378.patch
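Review bot: When `ue_size` exceeds the new bound, `array` stays NULL while `uep->ue_size` keeps the bogus positive count and the `*error` out-parameter is never set, so `uep->ue_array = array;` hands back an entry whose array is NULL but whose size says otherwise; whatever fills the per-line array after this hunk will presumably index it. The check should fail the read rather than fall through, e.g. `} else { *error = true; return uep; }` — returning `uep` so the caller can free it, if that matches the function's other error returns. unserialize_uep starts and ends outside the hunk, so the error convention has to be confirmed there.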