Browse code
Add patch for vim CVE-2017-6349 and CVE-2017-6350
Change-Id: Ia0b3b3cd1eba1016766565fddf2e395fa2f84903
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/2098
Reviewed-by: Sharath George
Tested-by: gerrit-photon <photon-checkins@vmware.com>
suezzelur authored on 2017/03/03 04:26:57Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,52 @@ |
| 0 |
+diff -rup vim74/src/undo.c vim74-new/src/undo.c |
|
| 1 |
+--- vim74/src/undo.c 2013-06-10 11:13:37.000000000 -0700 |
|
| 2 |
+@@ -1151,7 +1151,7 @@ unserialize_uep(fp, error, file_name) |
|
| 3 |
+ {
|
|
| 4 |
+ int i; |
|
| 5 |
+ u_entry_T *uep; |
|
| 6 |
+- char_u **array; |
|
| 7 |
++ char_u **array = NULL; |
|
| 8 |
+ char_u *line; |
|
| 9 |
+ int line_len; |
|
| 10 |
+ |
|
| 11 |
+@@ -1168,7 +1168,8 @@ unserialize_uep(fp, error, file_name) |
|
| 12 |
+ uep->ue_size = get4c(fp); |
|
| 13 |
+ if (uep->ue_size > 0) |
|
| 14 |
+ {
|
|
| 15 |
+- array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size); |
|
| 16 |
++ if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *)) |
|
| 17 |
++ array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size); |
|
| 18 |
+ if (array == NULL) |
|
| 19 |
+ {
|
|
| 20 |
+ *error = TRUE; |
|
| 21 |
+@@ -1176,8 +1177,6 @@ unserialize_uep(fp, error, file_name) |
|
| 22 |
+ } |
|
| 23 |
+ vim_memset(array, 0, sizeof(char_u *) * uep->ue_size); |
|
| 24 |
+ } |
|
| 25 |
+- else |
|
| 26 |
+- array = NULL; |
|
| 27 |
+ uep->ue_array = array; |
|
| 28 |
+ |
|
| 29 |
+ for (i = 0; i < uep->ue_size; ++i) |
|
| 30 |
+@@ -1572,7 +1571,7 @@ u_read_undo(name, hash, orig_name) |
|
| 31 |
+ linenr_T line_lnum; |
|
| 32 |
+ colnr_T line_colnr; |
|
| 33 |
+ linenr_T line_count; |
|
| 34 |
+- int num_head = 0; |
|
| 35 |
++ long num_head = 0; |
|
| 36 |
+ long old_header_seq, new_header_seq, cur_header_seq; |
|
| 37 |
+ long seq_last, seq_cur; |
|
| 38 |
+ long last_save_nr = 0; |
|
| 39 |
+@@ -1745,8 +1744,9 @@ u_read_undo(name, hash, orig_name) |
|
| 40 |
+ * When there are no headers uhp_table is NULL. */ |
|
| 41 |
+ if (num_head > 0) |
|
| 42 |
+ {
|
|
| 43 |
+- uhp_table = (u_header_T **)U_ALLOC_LINE( |
|
| 44 |
+- num_head * sizeof(u_header_T *)); |
|
| 45 |
++ if (num_head < LONG_MAX / (long)sizeof(u_header_T *)) |
|
| 46 |
++ uhp_table = (u_header_T **)U_ALLOC_LINE( |
|
| 47 |
++ num_head * sizeof(u_header_T *)); |
|
| 48 |
+ if (uhp_table == NULL) |
|
| 49 |
+ goto error; |
|
| 50 |
+ } |
| ... | ... |
@@ -3,7 +3,7 @@ |
| 3 | 3 |
Summary: Text editor |
| 4 | 4 |
Name: vim |
| 5 | 5 |
Version: 7.4 |
| 6 |
-Release: 9%{?dist}
|
|
| 6 |
+Release: 10%{?dist}
|
|
| 7 | 7 |
License: Charityware |
| 8 | 8 |
URL: http://www.vim.org |
| 9 | 9 |
Group: Applications/Editors |
| ... | ... |
@@ -13,6 +13,7 @@ Source0: %{name}-%{version}.tar.bz2
|
| 13 | 13 |
%define sha1 vim=601abf7cc2b5ab186f40d8790e542f86afca86b7 |
| 14 | 14 |
Patch0: vim-CVE-2016-1248.patch |
| 15 | 15 |
Patch1: vim-7.4-CVE-2017-5953.patch |
| 16 |
+Patch2: vim-7.4-CVE-2017-6349_CVE-2017-6350.patch |
|
| 16 | 17 |
BuildRequires: ncurses-devel |
| 17 | 18 |
Requires: tcsh |
| 18 | 19 |
|
| ... | ... |
@@ -31,6 +32,7 @@ The vim extra package contains a extra files for powerful text editor. |
| 31 | 31 |
%setup -q -n %{name}74
|
| 32 | 32 |
%patch0 -p1 |
| 33 | 33 |
%patch1 -p1 |
| 34 |
+%patch2 -p1 |
|
| 34 | 35 |
echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h |
| 35 | 36 |
%build |
| 36 | 37 |
./configure \ |
| ... | ... |
@@ -159,6 +161,8 @@ make test |
| 159 | 159 |
%{_bindir}/vimdiff
|
| 160 | 160 |
|
| 161 | 161 |
%changelog |
| 162 |
+* Tue Feb 28 2017 Anish Swaminathan <anishs@vmware.com> 7.4-10 |
|
| 163 |
+- Fix for CVE-2017-6349 and CVE-2017-6350 |
|
| 162 | 164 |
* Fri Feb 17 2017 Anish Swaminathan <anishs@vmware.com> 7.4-9 |
| 163 | 165 |
- Fix for CVE-2017-5953 |
| 164 | 166 |
* Fri Nov 18 2016 Anish Swaminathan <anishs@vmware.com> 7.4-8 |