On Thu, Apr 13, 2017 at 08:13:31AM -0400, James McCoy wrote:
> Please unblock package neovim
> 
> This upload includes fixes for CVE-2017-{5953,6349,6350}.
> 
> unblock neovim/0.1.7-4
Ping?

> diffstat for neovim-0.1.7 neovim-0.1.7
> 
>  changelog                                                           |    9 ++
>  patches/0001-debcherry-fixup-patch.patch                            |   32 
> +++++++-
>  patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch           |    4 -
>  patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch |    4 -
>  patches/0004-vim-patch-8.0.0377.patch                               |   38 
> ++++++++++
>  patches/0005-vim-patch-8.0.0378.patch                               |   37 
> +++++++++
>  patches/series                                                      |    2 
>  7 files changed, 118 insertions(+), 8 deletions(-)
> 
> diff -Nru neovim-0.1.7/debian/changelog neovim-0.1.7/debian/changelog
> --- neovim-0.1.7/debian/changelog     2017-01-16 07:18:35.000000000 -0500
> +++ neovim-0.1.7/debian/changelog     2017-04-10 08:15:38.000000000 -0400
> @@ -1,3 +1,12 @@
> +neovim (0.1.7-4) unstable; urgency=high
> +
> +  * Cherry-pick b338bb9d & 4af6c608 from upstream to fix buffer overflow if a
> +    spellfile has an invalid length in it.  (CVE-2017-5953)
> +  * Cherry-pick fb66a7c6 & ad66826a from upstream to fix buffer overflows 
> when
> +    reading corrupted undo files.  (CVE-2017-6349 & CVE-2017-6350)
> +
> + -- James McCoy <james...@debian.org>  Mon, 10 Apr 2017 08:15:38 -0400
> +
>  neovim (0.1.7-3) unstable; urgency=medium
>  
>    * Disable global_spec.lua since it's rather flaky.
> diff -Nru neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch 
> neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch
> --- neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch      
> 2017-01-16 07:18:35.000000000 -0500
> +++ neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch      
> 2017-04-10 08:15:38.000000000 -0400
> @@ -1,8 +1,12 @@
> -From 2ef123279cbff7afeb5546992dc34c902664b4db Mon Sep 17 00:00:00 2001
> +From 5a06ba6f8d7c464ec319eac1a805575849203371 Mon Sep 17 00:00:00 2001
>  From: James McCoy <james...@jamessan.com>
> -Date: Mon, 16 Jan 2017 07:19:41 -0500
> -Subject: [PATCH 1/3] debcherry fixup patch
> +Date: Mon, 10 Apr 2017 08:16:34 -0400
> +Subject: [PATCH 1/5] debcherry fixup patch
>  
> +53bde37a vim-patch:8.0.0376
> +      - no changes against upstream or conflicts
> +aa0c704e vim-patch:8.0.0322
> +      - extra changes or conflicts
>  7b3fc809 out_data_decide_throttle(): timeout instead of hard limit.
>        - no changes against upstream or conflicts
>  443f0387 out_data_decide_throttle(): Avoid too-small final chunk.
> @@ -22,11 +26,12 @@
>   src/nvim/main.c                       |   2 +-
>   src/nvim/memory.c                     |  31 ++++---
>   src/nvim/os/shell.c                   | 147 
> ++++++++++++++++++++++++++++++++--
> + src/nvim/spell.c                      |   6 +-
>   test/functional/eval/execute_spec.lua |  17 ++--
>   test/functional/terminal/helpers.lua  |   1 +
>   test/functional/ui/output_spec.lua    |  21 +++++
>   test/functional/ui/screen.lua         |  47 ++++++++---
> - 10 files changed, 235 insertions(+), 49 deletions(-)
> + 11 files changed, 240 insertions(+), 50 deletions(-)
>  
>  diff --git a/runtime/doc/various.txt b/runtime/doc/various.txt
>  index a1bf379d..3c147244 100644
> @@ -353,6 +358,25 @@
>     if (cnt) {
>       rbuffer_consumed(buf, cnt);
>     }
> +diff --git a/src/nvim/spell.c b/src/nvim/spell.c
> +index 7119ac6d..7dc9eb05 100644
> +--- a/src/nvim/spell.c
> ++++ b/src/nvim/spell.c
> +@@ -3589,9 +3589,13 @@ spell_read_tree (
> + 
> +   // The tree size was computed when writing the file, so that we can
> +   // allocate it as one long block. <nodecount>
> +-  int len = get4c(fd);
> ++  long len = get4c(fd);
> +   if (len < 0)
> +     return SP_TRUNCERROR;
> ++  if ((size_t)len >= SIZE_MAX / sizeof(int)) {
> ++    // Invalid length, multiply with sizeof(int) would overflow.
> ++    return SP_FORMERROR;
> ++  }
> +   if (len > 0) {
> +     // Allocate the byte array.
> +     bp = xmalloc(len);
>  diff --git a/test/functional/eval/execute_spec.lua 
> b/test/functional/eval/execute_spec.lua
>  index b5b48143..fc13c0a7 100644
>  --- a/test/functional/eval/execute_spec.lua
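Review bot: The comment on the new `SP_FORMERROR` branch says a multiply with sizeof(int) would overflow, but no such multiplication is visible in the hunk — the only allocation shown is `bp = xmalloc(len)`, which takes `len` bytes — so the bound reads as unrelated to the code it guards; presumably the index array is allocated as `len * sizeof(int)` further down in spell_read_tree, which starts and ends outside the hunk. I would point the comment at that use, e.g. `// Reject lengths for which the index-array allocation below (len * sizeof(int)) would overflow size_t.` The guard also depends on `SIZE_MAX`, and unlike the 0004 patch (which explicitly adds `#include <stdint.h>` to undo.c) this spell.c change adds no include; worth confirming spell.c already has <stdint.h> rather than picking up SIZE_MAX transitively. Whether widening `len` to `long` changes the range being checked depends on get4c's return type, which is not shown here.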
> diff -Nru 
> neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch 
> neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch
> --- 
> neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch 
>     2017-01-16 07:18:35.000000000 -0500
> +++ 
> neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch 
>     2017-04-10 08:15:38.000000000 -0400
> @@ -1,7 +1,7 @@
> -From 867ed903bffe6befb44208a34c8084db4ea44497 Mon Sep 17 00:00:00 2001
> +From e54118bdb9165d11ebe6250ab08ff2e4b85e29d2 Mon Sep 17 00:00:00 2001
>  From: "Justin M. Keyes" <justi...@gmail.com>
>  Date: Wed, 7 Dec 2016 14:01:51 +0100
> -Subject: [PATCH 2/3] test: Handle SIGHUP in tty-test fixture.
> +Subject: [PATCH 2/5] test: Handle SIGHUP in tty-test fixture.
>  
>  Closes #5727
>  ---
> diff -Nru 
> neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch
>  
> neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch
> --- 
> neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch
>    2017-01-16 07:18:35.000000000 -0500
> +++ 
> neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch
>    2017-04-10 08:15:38.000000000 -0400
> @@ -1,7 +1,7 @@
> -From 630b72431209463f105435aae491818cf53a2ac7 Mon Sep 17 00:00:00 2001
> +From d3babd790b7f67fa6ba590877961d49ae6e76826 Mon Sep 17 00:00:00 2001
>  From: "Justin M. Keyes" <justi...@gmail.com>
>  Date: Mon, 3 Oct 2016 10:46:11 +0200
> -Subject: [PATCH 3/3] tui: "backpressure": Drop messages to avoid flooding.
> +Subject: [PATCH 3/5] tui: "backpressure": Drop messages to avoid flooding.
>  
>  Closes #1234
>  
> diff -Nru neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch 
> neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch
> --- neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch 1969-12-31 
> 19:00:00.000000000 -0500
> +++ neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch 2017-04-10 
> 08:15:38.000000000 -0400
> @@ -0,0 +1,38 @@
> +From 6e3b7e649e7b1e7c2158fdc03f6a9aa02583dcf1 Mon Sep 17 00:00:00 2001
> +From: James McCoy <james...@jamessan.com>
> +Date: Sat, 8 Apr 2017 21:22:11 -0400
> +Subject: [PATCH 4/5] vim-patch:8.0.0377
> +
> +Problem:    Possible overflow when reading corrupted undo file.
> +Solution:   Check if allocated size is not too big. (King)
> +
> +https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c
> +
> +CVE-2017-6349
> +---
> + src/nvim/undo.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/nvim/undo.c b/src/nvim/undo.c
> +index 4d56046b..11f4d556 100644
> +--- a/src/nvim/undo.c
> ++++ b/src/nvim/undo.c
> +@@ -76,6 +76,7 @@
> + #include <inttypes.h>
> + #include <limits.h>
> + #include <stdbool.h>
> ++#include <stdint.h>
> + #include <string.h>
> + #include <fcntl.h>
> + 
> +@@ -1403,7 +1404,9 @@ void u_read_undo(char *name, char_u *hash, char_u 
> *orig_name)
> +   // sequence numbers of the headers.
> +   // When there are no headers uhp_table is NULL.
> +   if (num_head > 0) {
> +-    uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *));
> ++    if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) {
> ++      uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table));
> ++    }
> +   }
> + 
> +   long num_read_uhps = 0;
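Review bot: When the new size check on `num_head` fails, `uhp_table` is left unallocated and u_read_undo simply continues past the `if (num_head > 0)` block with `num_head` still positive — the hunk adds no error exit, so rejecting a corrupted header count depends on every later user of `uhp_table` tolerating NULL (the function continues outside the hunk; the preceding comment suggests the table is NULL-initialised, which I could not verify from here). I would make the rejection explicit right after the allocation block, `if (uhp_table == NULL) { goto error; }` or whatever cleanup path u_read_undo already uses for malformed input, so a bad count fails fast instead of reaching code that indexes the table. The 0005 patch's hunk in unserialize_uep has the same shape: when `ue_size` fails the bound, `array` stays NULL and `uep->ue_array = array` is stored without touching the `bool *error` out-parameter visible in its signature, so I would add `} else { *error = true; }` before falling through to the assignment there as well. Both bounds only prevent the multiplication from wrapping; they do not check that the counts are plausible for the file, so the later read loops must still validate what they read.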
> diff -Nru neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch 
> neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch
> --- neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch 1969-12-31 
> 19:00:00.000000000 -0500
> +++ neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch 2017-04-10 
> 08:15:38.000000000 -0400
> @@ -0,0 +1,37 @@
> +From 64dd432e3e136a559d5959bc91504375f01e027d Mon Sep 17 00:00:00 2001
> +From: James McCoy <james...@jamessan.com>
> +Date: Sat, 8 Apr 2017 21:56:02 -0400
> +Subject: [PATCH 5/5] vim-patch:8.0.0378
> +
> +Problem:    Another possible overflow when reading corrupted undo file.
> +Solution:   Check if allocated size is not too big. (King)
> +
> +https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75
> +
> +CVE-2017-6350
> +---
> + src/nvim/undo.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/nvim/undo.c b/src/nvim/undo.c
> +index 11f4d556..d1a0bfdf 100644
> +--- a/src/nvim/undo.c
> ++++ b/src/nvim/undo.c
> +@@ -970,12 +970,12 @@ static u_entry_T *unserialize_uep(bufinfo_T * bi, bool 
> *error,
> +   uep->ue_lcount = undo_read_4c(bi);
> +   uep->ue_size = undo_read_4c(bi);
> + 
> +-  char_u **array;
> ++  char_u **array = NULL;
> +   if (uep->ue_size > 0) {
> +-    array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
> +-    memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
> +-  } else {
> +-    array = NULL;
> ++    if ((size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)) {
> ++      array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
> ++      memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
> ++    }
> +   }
> +   uep->ue_array = array;
> + 
> diff -Nru neovim-0.1.7/debian/patches/series 
> neovim-0.1.7/debian/patches/series
> --- neovim-0.1.7/debian/patches/series        2017-01-16 07:18:35.000000000 
> -0500
> +++ neovim-0.1.7/debian/patches/series        2017-04-10 08:15:38.000000000 
> -0400
> @@ -2,3 +2,5 @@
>  0001-debcherry-fixup-patch.patch
>  0002-test-Handle-SIGHUP-in-tty-test-fixture.patch
>  0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch
> +0004-vim-patch-8.0.0377.patch
> +0005-vim-patch-8.0.0378.patch

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB
