Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 678752 (CVE-2018-20786)

Summary: <app-editors/vim-8.1.0648: out-of-memory in screen.c, state.c, vterm.c leading to denial of service
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: jnerin, vim
Priority: Normal Flags: stable-bot: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1680588
Whiteboard: B3 [noglsa cve]
Package list:
=app-editors/vim-8.1.0648-r1 =app-editors/vim-core-8.1.0648 =app-editors/gvim-8.1.0648-r1
 Runtime testing required: ---
Attachments:
Description Flags
tatt tests report (ppc64)
none
tatt tests report (ppc) none

Description Agostino Sarubbo gentoo-dev 2019-02-25 15:17:59 UTC 
From ${URL} :

libvterm through 0+bzr726, as used in Vim and other products, mishandles certain
out-of-memory conditions, leading to a denial of service (application crash),
related to screen.c, state.c, and vterm.c.

Upstream Issue:
https://github.com/vim/vim/issues/3711

Upstream Patch:
https://github.com/vim/vim/commit/cd929f7ba8cc5b6d6dcf35c8b34124e969fed6b8


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-03-30 00:36:02 UTC 
@arches, please stabilize.
Comment 2 Stabilization helper bot gentoo-dev 2019-03-30 01:02:51 UTC 
An automated check of this bug failed - repoman reported dependency errors (197 lines truncated): 

> dependency.bad app-editors/vim/vim-8.1.0648-r1.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['~app-editors/vim-core-8.1.0648']
> dependency.bad app-editors/vim/vim-8.1.0648-r1.ebuild: RDEPEND: alpha(default/linux/alpha/17.0) ['~app-editors/vim-core-8.1.0648']
> dependency.bad app-editors/vim/vim-8.1.0648-r1.ebuild: DEPEND: alpha(default/linux/alpha/17.0/desktop) ['~app-editors/vim-core-8.1.0648']
Comment 3 Agostino Sarubbo gentoo-dev 2019-03-30 10:47:18 UTC 
amd64 stable
Comment 4 Christopher Head 2019-03-30 15:40:08 UTC 
Stabilizing vim and vim-core but not gvim has led to a dependency failure.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-30 18:08:22 UTC 
amd64 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 09:49:33 UTC 
s390 stable
Comment 7 ernsteiswuerfel archtester 2019-04-02 19:34:08 UTC 
Created attachment 571678 [details]
tatt tests report (ppc64)

ppc64: gvim-8.1.0648-r1 fails some tests (bug #682320).

Looks good otherwise.
Comment 8 ernsteiswuerfel archtester 2019-04-02 19:35:48 UTC 
Created attachment 571682 [details]
tatt tests report (ppc)

ppc: gvim-8.1.0648-r1 testsuite hangs (bug #682292).

Looks good otherwise.
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-03 07:09:39 UTC 
arm stable
Comment 10 Rolf Eike Beer archtester 2019-04-06 10:19:00 UTC 
sparc stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-06 15:30:58 UTC 
alpha stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-04-08 17:28:33 UTC 
arm64 stable
Comment 13 Rolf Eike Beer archtester 2019-04-11 19:40:59 UTC 
hppa stable
Comment 14 Stabilization helper bot gentoo-dev 2019-08-01 06:59:26 UTC 
An automated check of this bug failed - the following atoms are unknown:

app-editors/vim-8.1.0648-r1
app-editors/vim-core-8.1.0648
app-editors/gvim-8.1.0648-r1

Please verify the atom list.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2019-08-02 00:37:21 UTC 
stable awhile ago and clean.