611386 – (CVE-2017-6349, CVE-2017-6350) <app-editors/{vim,gvim}-8.0.0386: two integer overflow

Bug 611386 (CVE-2017-6349, CVE-2017-6350) - <app-editors/{vim,gvim}-8.0.0386: two integer overflow

Summary: <app-editors/{vim,gvim}-8.0.0386: two integer overflow

Status:	RESOLVED FIXED

Alias:	CVE-2017-6349, CVE-2017-6350

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-03-02 09:04 UTC by Agostino Sarubbo
Modified:	2017-06-22 19:20 UTC (History)
CC List:	3 users (show)

See Also:
Package list:	=app-editors/vim-8.0.0386 =app-editors/vim-core-8.0.0386 =app-editors/gvim-8.0.0386
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-03-02 09:04:12 UTC

From https://bugzilla.redhat.com/show_bug.cgi?id=1427945:

An integer overflow at an unserialize_uep memory allocation site would occur for vim, as it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows. 

Upstream bug:

https://groups.google.com/forum/#!topic/vim_dev/QPZc0CY9j3Y

Upstream patch:

https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75



From https://bugzilla.redhat.com/show_bug.cgi?id=1427944:

An integer overflow at a u_read_undo memory allocation site would occur for vim, as it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.

Upstream bug:

https://groups.google.com/forum/#!topic/vim_dev/QPZc0CY9j3Y

Upstream patch:

https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Tim Harder gentoo-dev

2017-03-02 17:30:40 UTC

A newer version of vim is already in the tree. If you want to stabilize that, go ahead.

Comment 2 Stabilization helper bot gentoo-dev

2017-03-02 19:01:00 UTC

An automated check of this bug failed - repoman reported dependency errors (105 lines truncated): 

> dependency.bad app-editors/vim/vim-8.0.0386.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['~app-editors/vim-core-8.0.0386']
> dependency.bad app-editors/vim/vim-8.0.0386.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['~app-editors/vim-core-8.0.0386']
> dependency.bad app-editors/vim/vim-8.0.0386.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['~app-editors/vim-core-8.0.0386']

Comment 3 Agostino Sarubbo gentoo-dev

2017-03-03 09:03:01 UTC

amd64 stable

Comment 4 Michael Weber (RETIRED) gentoo-dev

2017-03-03 09:35:01 UTC

arm arm64 ppc ppc64 stable.

Comment 5 Joshua Baergen 2017-03-03 15:33:31 UTC

Does gvim need to be updated as well?

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2017-03-03 16:00:28 UTC

(In reply to Joshua Baergen from comment #5)
> Does gvim need to be updated as well?

Yes, good catch.

Re-adding arches.

Comment 7 Tobias Klausmann (RETIRED) gentoo-dev

2017-03-03 19:17:10 UTC

Stable on alpha.

Comment 8 Arnaud Launay 2017-03-04 11:27:42 UTC

Hello,
gvim needs to get its stable keyword too, right now you can't emerge it, it's blocked by vim-core.

Comment 9 Agostino Sarubbo gentoo-dev

2017-03-04 13:38:40 UTC

amd64 stable

Comment 10 Agostino Sarubbo gentoo-dev

2017-03-04 13:46:54 UTC

x86 stable

Comment 11 Agostino Sarubbo gentoo-dev

2017-03-04 14:03:59 UTC

sparc stable

Comment 12 Jeroen Roovers (RETIRED) gentoo-dev

2017-03-05 01:00:29 UTC

Stable for HPPA PPC64.

Comment 13 Markus Meier gentoo-dev

2017-03-08 05:58:55 UTC

arm stable

Comment 14 Michael Weber (RETIRED) gentoo-dev

2017-03-10 16:19:23 UTC

ppc stable.

Comment 15 Michael Weber (RETIRED) gentoo-dev

2017-03-10 16:20:28 UTC

gvim isn't keyworded for arm64, rest was stabled in the first round.

Comment 16 Agostino Sarubbo gentoo-dev

2017-03-11 17:20:03 UTC

ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 17 Yury German Gentoo Infrastructure

2017-03-24 05:29:44 UTC

Maintainer(s), Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

Comment 18 Yury German Gentoo Infrastructure

2017-04-11 05:42:50 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 19 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-04 12:47:56 UTC

Cleanup PR: https://github.com/gentoo/gentoo/pull/4847

Comment 20 Patrice Clement gentoo-dev

2017-06-06 17:44:28 UTC

Thanks Whissi for the PR! 

Security please proceed.

Comment 21 GLSAMaker/CVETool Bot gentoo-dev

2017-06-22 19:20:24 UTC

This issue was resolved and addressed in
 GLSA 201706-26 at https://security.gentoo.org/glsa/201706-26
by GLSA coordinator Kristian Fiskerstrand (K_F).