Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 609150 (CVE-2017-5953)

Summary: <app-editors/{vim,gvim}-8.0.0386: Tree length values not validated properly when handling a spell file (CVE-2017-5953)
Product: Gentoo Security Reporter: ncl
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: vim
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description ncl 2017-02-12 17:34:23 UTC 
vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.

https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-02-16 01:31:49 UTC 
Thank you for the report
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 14:28:01 UTC 
Added to an existing GLSA request.

Cleanup will happen in bug 611386.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-06-22 19:20:17 UTC 
This issue was resolved and addressed in
 GLSA 201706-26 at https://security.gentoo.org/glsa/201706-26
by GLSA coordinator Kristian Fiskerstrand (K_F).