On Thu, Apr 13, 2017 at 08:13:31AM -0400, James McCoy wrote: > Please unblock package neovim > > This upload includes fixes for CVE-2017-{5953,6349,6350}. > > unblock neovim/0.1.7-4
Ping? > diffstat for neovim-0.1.7 neovim-0.1.7 > > changelog | 9 ++ > patches/0001-debcherry-fixup-patch.patch | 32 > +++++++- > patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch | 4 - > patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch | 4 - > patches/0004-vim-patch-8.0.0377.patch | 38 > ++++++++++ > patches/0005-vim-patch-8.0.0378.patch | 37 > +++++++++ > patches/series | 2 > 7 files changed, 118 insertions(+), 8 deletions(-) > > diff -Nru neovim-0.1.7/debian/changelog neovim-0.1.7/debian/changelog > --- neovim-0.1.7/debian/changelog 2017-01-16 07:18:35.000000000 -0500 > +++ neovim-0.1.7/debian/changelog 2017-04-10 08:15:38.000000000 -0400 > @@ -1,3 +1,12 @@ > +neovim (0.1.7-4) unstable; urgency=high > + > + * Cherry-pick b338bb9d & 4af6c608 from upstream to fix buffer overflow if a > + spellfile has an invalid length in it. (CVE-2017-5953) > + * Cherry-pick fb66a7c6 & ad66826a from upstream to fix buffer overflows > when > + reading corrupted undo files. (CVE-2017-6349 & CVE-2017-6350) > + > + -- James McCoy <james...@debian.org> Mon, 10 Apr 2017 08:15:38 -0400 > + > neovim (0.1.7-3) unstable; urgency=medium > > * Disable global_spec.lua since it's rather flaky. > diff -Nru neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch > neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch > --- neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch > 2017-01-16 07:18:35.000000000 -0500 > +++ neovim-0.1.7/debian/patches/0001-debcherry-fixup-patch.patch > 2017-04-10 08:15:38.000000000 -0400 > @@ -1,8 +1,12 @@ > -From 2ef123279cbff7afeb5546992dc34c902664b4db Mon Sep 17 00:00:00 2001 > +From 5a06ba6f8d7c464ec319eac1a805575849203371 Mon Sep 17 00:00:00 2001 
> From: James McCoy <james...@jamessan.com> > -Date: Mon, 16 Jan 2017 07:19:41 -0500 > -Subject: [PATCH 1/3] debcherry fixup patch > +Date: Mon, 10 Apr 2017 08:16:34 -0400 > +Subject: [PATCH 1/5] debcherry fixup patch > > +53bde37a vim-patch:8.0.0376 > + - no changes against upstream or conflicts > +aa0c704e vim-patch:8.0.0322 > + - extra changes or conflicts > 7b3fc809 out_data_decide_throttle(): timeout instead of hard limit. > - no changes against upstream or conflicts > 443f0387 out_data_decide_throttle(): Avoid too-small final chunk. > @@ -22,11 +26,12 @@ > src/nvim/main.c | 2 +- > src/nvim/memory.c | 31 ++++--- > src/nvim/os/shell.c | 147 > ++++++++++++++++++++++++++++++++-- > + src/nvim/spell.c | 6 +- > test/functional/eval/execute_spec.lua | 17 ++-- > test/functional/terminal/helpers.lua | 1 + > test/functional/ui/output_spec.lua | 21 +++++ > test/functional/ui/screen.lua | 47 ++++++++--- > - 10 files changed, 235 insertions(+), 49 deletions(-) > + 11 files changed, 240 insertions(+), 50 deletions(-) > > diff --git a/runtime/doc/various.txt b/runtime/doc/various.txt > index a1bf379d..3c147244 100644 > @@ -353,6 +358,25 @@ > if (cnt) { > rbuffer_consumed(buf, cnt); > } > +diff --git a/src/nvim/spell.c b/src/nvim/spell.c > +index 7119ac6d..7dc9eb05 100644 > +--- a/src/nvim/spell.c > ++++ b/src/nvim/spell.c > +@@ -3589,9 +3589,13 @@ spell_read_tree ( > + > + // The tree size was computed when writing the file, so that we can > + // allocate it as one long block. <nodecount> > +- int len = get4c(fd); > ++ long len = get4c(fd); > + if (len < 0) > + return SP_TRUNCERROR; > ++ if ((size_t)len >= SIZE_MAX / sizeof(int)) { > ++ // Invalid length, multiply with sizeof(int) would overflow. > ++ return SP_FORMERROR; > ++ } > + if (len > 0) { > + // Allocate the byte array. > + bp = xmalloc(len); > diff --git a/test/functional/eval/execute_spec.lua > b/test/functional/eval/execute_spec.lua > index b5b48143..fc13c0a7 100644 
> --- a/test/functional/eval/execute_spec.lua > diff -Nru > neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch > neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch > --- > neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch > 2017-01-16 07:18:35.000000000 -0500 > +++ > neovim-0.1.7/debian/patches/0002-test-Handle-SIGHUP-in-tty-test-fixture.patch > 2017-04-10 08:15:38.000000000 -0400 > @@ -1,7 +1,7 @@ > -From 867ed903bffe6befb44208a34c8084db4ea44497 Mon Sep 17 00:00:00 2001 > +From e54118bdb9165d11ebe6250ab08ff2e4b85e29d2 Mon Sep 17 00:00:00 2001 > From: "Justin M. Keyes" <justi...@gmail.com> > Date: Wed, 7 Dec 2016 14:01:51 +0100 > -Subject: [PATCH 2/3] test: Handle SIGHUP in tty-test fixture. > +Subject: [PATCH 2/5] test: Handle SIGHUP in tty-test fixture. > > Closes #5727 > --- > diff -Nru > neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch > > neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch > --- > neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch > 2017-01-16 07:18:35.000000000 -0500 > +++ > neovim-0.1.7/debian/patches/0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch > 2017-04-10 08:15:38.000000000 -0400 > @@ -1,7 +1,7 @@ > -From 630b72431209463f105435aae491818cf53a2ac7 Mon Sep 17 00:00:00 2001 > +From d3babd790b7f67fa6ba590877961d49ae6e76826 Mon Sep 17 00:00:00 2001 
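Review bot: The new guard `if ((size_t)len >= SIZE_MAX / sizeof(int))` hard-codes `sizeof(int)`, but the only allocation visible in the hunk is the byte array `xmalloc(len)`; the comment says the multiplication it protects is elsewhere, presumably the index array allocated further down, outside this hunk. Tie the bound to the actual element expression of that array (e.g. `sizeof(*ip)`, or whatever pointer the index array is assigned to) and name it in the comment — `// The index array is allocated as len * sizeof(*ip); reject lengths that would overflow that.` — so the guard cannot silently drift if the index element type changes. Note that `len` comes from a 4-byte field, so on LP64 this check never trips and a spell file can still request an allocation of up to 4 GiB here; that is a resource-exhaustion concern rather than the overflow being fixed, and may be acceptable for spell files. spell_read_tree starts and ends outside this hunk.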
> From: "Justin M. Keyes" <justi...@gmail.com> > Date: Mon, 3 Oct 2016 10:46:11 +0200 > -Subject: [PATCH 3/3] tui: "backpressure": Drop messages to avoid flooding. > +Subject: [PATCH 3/5] tui: "backpressure": Drop messages to avoid flooding. > > Closes #1234 > > diff -Nru neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch > neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch > --- neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch 1969-12-31 > 19:00:00.000000000 -0500 > +++ neovim-0.1.7/debian/patches/0004-vim-patch-8.0.0377.patch 2017-04-10 > 08:15:38.000000000 -0400 
> @@ -0,0 +1,38 @@ > +From 6e3b7e649e7b1e7c2158fdc03f6a9aa02583dcf1 Mon Sep 17 00:00:00 2001 > +From: James McCoy <james...@jamessan.com> > +Date: Sat, 8 Apr 2017 21:22:11 -0400 > +Subject: [PATCH 4/5] vim-patch:8.0.0377 > + > +Problem: Possible overflow when reading corrupted undo file. > +Solution: Check if allocated size is not too big. (King) > + > +https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c > + > +CVE-2017-6349 > +--- > + src/nvim/undo.c | 5 ++++- > + 1 file changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/src/nvim/undo.c b/src/nvim/undo.c > +index 4d56046b..11f4d556 100644 > +--- a/src/nvim/undo.c > ++++ b/src/nvim/undo.c > +@@ -76,6 +76,7 @@ > + #include <inttypes.h> > + #include <limits.h> > + #include <stdbool.h> > ++#include <stdint.h> > + #include <string.h> > + #include <fcntl.h> > + > +@@ -1403,7 +1404,9 @@ void u_read_undo(char *name, char_u *hash, char_u > *orig_name) > + // sequence numbers of the headers. > + // When there are no headers uhp_table is NULL. > + if (num_head > 0) { > +- uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *)); > ++ if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) { > ++ uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table)); > ++ } > + } > + > + long num_read_uhps = 0; > diff -Nru neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch > neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch > --- neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch 1969-12-31 > 19:00:00.000000000 -0500 > +++ neovim-0.1.7/debian/patches/0005-vim-patch-8.0.0378.patch 2017-04-10 > 08:15:38.000000000 -0400 
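Review bot: When the new guard `if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table))` rejects the count, `uhp_table` is left as it was (NULL per the context comment in the hunk) while `num_head` keeps its oversized value, so the header-reading loop that follows outside this hunk would presumably index a NULL table. vim's 8.0.0377 bails out at this point; suggest the same here with an explicit `} else { goto error; }` after the xmalloc branch, assuming u_read_undo has the usual `error:` cleanup label that is not visible in the hunk. The overflow test itself is the standard `n < SIZE_MAX / sizeof *p` form and is fine; with a 4-byte `num_head` it can only trip on 32-bit targets. u_read_undo starts and ends outside this hunk.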
> @@ -0,0 +1,37 @@ > +From 64dd432e3e136a559d5959bc91504375f01e027d Mon Sep 17 00:00:00 2001 > +From: James McCoy <james...@jamessan.com> > +Date: Sat, 8 Apr 2017 21:56:02 -0400 > +Subject: [PATCH 5/5] vim-patch:8.0.0378 > + > +Problem: Another possible overflow when reading corrupted undo file. > +Solution: Check if allocated size is not too big. (King) > + > +https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75 > + > +CVE-2017-6350 > +--- > + src/nvim/undo.c | 10 +++++----- > + 1 file changed, 5 insertions(+), 5 deletions(-) > + > +diff --git a/src/nvim/undo.c b/src/nvim/undo.c > +index 11f4d556..d1a0bfdf 100644 > +--- a/src/nvim/undo.c > ++++ b/src/nvim/undo.c > +@@ -970,12 +970,12 @@ static u_entry_T *unserialize_uep(bufinfo_T * bi, bool > *error, > + uep->ue_lcount = undo_read_4c(bi); > + uep->ue_size = undo_read_4c(bi); > + > +- char_u **array; > ++ char_u **array = NULL; > + if (uep->ue_size > 0) { > +- array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size); > +- memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size); > +- } else { > +- array = NULL; > ++ if ((size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)) { > ++ array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size); > ++ memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size); > ++ } > + } > + uep->ue_array = array; > + > diff -Nru neovim-0.1.7/debian/patches/series > neovim-0.1.7/debian/patches/series > --- neovim-0.1.7/debian/patches/series 2017-01-16 07:18:35.000000000 > -0500 > +++ neovim-0.1.7/debian/patches/series 2017-04-10 08:15:38.000000000 > -0400 > @@ -2,3 +2,5 @@ > 0001-debcherry-fixup-patch.patch > 0002-test-Handle-SIGHUP-in-tty-test-fixture.patch > 0003-tui-backpressure-Drop-messages-to-avoid-flooding.patch > +0004-vim-patch-8.0.0377.patch > +0005-vim-patch-8.0.0378.patch Cheers, -- James GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
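Review bot: When the new guard `if ((size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *))` rejects the size, `array` stays NULL but `uep->ue_size` still reports the large count and `*error` is never set, so the caller cannot tell the entry is corrupt and any later walk over `ue_array` bounded by `ue_size` would presumably dereference NULL. The function already has a `bool *error` out-parameter (vim 8.0.0378 flags the error at this point), so suggest `} else { uep->ue_size = 0; *error = true; }` before the `uep->ue_array = array;` assignment, leaving the entry in a consistent (size 0, NULL array) state for whichever cleanup the caller runs. The `xmalloc` followed by `memset(..., 0, ...)` pair is what an `xcalloc((size_t)uep->ue_size, sizeof(char_u *))` call expresses directly, if that wrapper is in scope in this file. With a 4-byte `ue_size` the guard can only trip on 32-bit builds, so this path gets no exercise on the common 64-bit configuration. unserialize_uep starts and ends outside this hunk.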