r1016 - in /branches/packages/vim/etch: debian/README debian/changelog debian/rules upstream/patches/7.0.234 upstream/patches/7.0.235 upstream/patches/7.1.039

jamessan at users.alioth.debian.org jamessan at users.alioth.debian.org
Sat Sep 1 22:01:59 UTC 2007


Author: jamessan
Date: Sat Sep  1 22:01:59 2007
New Revision: 1016

URL: http://svn.debian.org/wsvn/pkg-vim/?sc=1&rev=1016
Log:
Add upstream patches 7.1.039, 7.0.234, and 7.0.235 to fix CVEs 2007-2438 and 2007-2953.  Stable security update.

Added:
    branches/packages/vim/etch/upstream/patches/7.0.234
    branches/packages/vim/etch/upstream/patches/7.0.235
    branches/packages/vim/etch/upstream/patches/7.1.039
Modified:
    branches/packages/vim/etch/debian/README
    branches/packages/vim/etch/debian/changelog
    branches/packages/vim/etch/debian/rules

Modified: branches/packages/vim/etch/debian/README
URL: http://svn.debian.org/wsvn/pkg-vim/branches/packages/vim/etch/debian/README?rev=1016&op=diff
==============================================================================
--- branches/packages/vim/etch/debian/README (original)
+++ branches/packages/vim/etch/debian/README Sat Sep  1 22:01:59 2007
@@ -123,7 +123,7 @@
   2561  7.0.096  taglist() does not use path of tags file
   2617  7.0.097  tab pages line was not updated for ":tabclose N"
   2196  7.0.098  redirection didn't work inside cmdline completion
-  2189  7.0.099  GUI: scrolling causes problems for the popup menu 
+  2189  7.0.099  GUI: scrolling causes problems for the popup menu
   2086  7.0.100  "zug" may report the wrong filename
   2732  7.0.101  "zw" mostly doesn't work; "zg" may create wrong directory
   1634  7.0.102  redraw problem in cmdline when using SCIM
@@ -147,3 +147,6 @@
   1780  7.0.120  crash when using getreg('=') in the = register
   1549  7.0.121  GUI: dragging last status line doesn't work with text tabline
   2865  7.0.122  only half of double-wide bold character may be drawn
+  1723  7.0.234  feedkeys() may be invoked from a modeline
+  2299  7.0.235  writefile() may be invoked from a modeline
+  1750  7.1.039  weird help-tags tag in docs file may make cause a crash

Modified: branches/packages/vim/etch/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-vim/branches/packages/vim/etch/debian/changelog?rev=1016&op=diff
==============================================================================
--- branches/packages/vim/etch/debian/changelog (original)
+++ branches/packages/vim/etch/debian/changelog Sat Sep  1 22:01:59 2007
@@ -1,3 +1,11 @@
+vim (1:7.0-122+1etch3) stable-security; urgency=high
+
+  * Add upstream patches 7.0.234 and 7.0.235 which fix CVE-2007-2438.
+    (Closes: #435401)
+  * Add upstream patch 7.1.039 which fixes CVE-2007-2953.  (Closes: #438593)
+
+ -- James Vega <jamessan at debian.org>  Fri, 17 Aug 2007 22:46:28 -0400
+
 vim (1:7.0-122+1etch2) testing-proposed-updates; urgency=low
 
   * Fix the file test for deciding whether we need to remove alternatives to

Modified: branches/packages/vim/etch/debian/rules
URL: http://svn.debian.org/wsvn/pkg-vim/branches/packages/vim/etch/debian/rules?rev=1016&op=diff
==============================================================================
--- branches/packages/vim/etch/debian/rules (original)
+++ branches/packages/vim/etch/debian/rules Sat Sep  1 22:01:59 2007
@@ -221,7 +221,8 @@
 	if [ ! -L vim -o "`readlink vim`" != "$(VIMCUR)" ]; then \
 	  ln -fs $(SRCDIR) vim; \
 	fi
-	@for f in `find upstream/patches -type f -name '$(VERSION).*' -printf "%P\n" | grep -v .svn | sort -n` ; do\
+	# Add 7.1 patches for upstream's fix for CVE-2007-2953
+	@for f in `find upstream/patches -type f -name '$(VERSION).*' -printf "%P\n" -o -type f -name "7.1.*" -printf "%P\n" | grep -v .svn | sort -n` ; do\
 	  echo "applying upstream patch: $$f" ;\
 	  cat upstream/patches/$$f | patch -s -d$(SRCDIR) -p0 ;\
 	done
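Review bot: The loop body `cat upstream/patches/$$f | patch -s -d$(SRCDIR) -p0 ;\` never checks patch's exit status, so under a plain `sh -c` only a failure in the last iteration can fail the build. A 7.0.234 or 7.0.235 patch that does not apply would be passed over, and the stable-security package would build without that fix. The widened `find` expression makes this more likely than before, because `-name "7.1.*"` now feeds every patch written against the 7.1 tree into a 7.0 source directory. I would end that line with `|| exit 1 ;\` so that any failed patch stops the build. The recipe this loop belongs to starts above the hunk, so whether the file sets shell options such as `-e` elsewhere cannot be seen here.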

Added: branches/packages/vim/etch/upstream/patches/7.0.234
URL: http://svn.debian.org/wsvn/pkg-vim/branches/packages/vim/etch/upstream/patches/7.0.234?rev=1016&op=file
==============================================================================
--- branches/packages/vim/etch/upstream/patches/7.0.234 (added)
+++ branches/packages/vim/etch/upstream/patches/7.0.234 Sat Sep  1 22:01:59 2007
@@ -1,0 +1,53 @@
+To: vim-dev at vim.org
+Subject: patch 7.0.234
+Fcc: outbox
+From: Bram Moolenaar <Bram at moolenaar.net>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=ISO-8859-1
+Content-Transfer-Encoding: 8bit
+------------
+
+Patch 7.0.234
+Problem:    It's possible to use feedkeys() from a modeline.  That is a
+	    security issue, can be used for a trojan horse.
+Solution:   Disallow using feedkeys() in the sandbox.
+Files:	    src/eval.c
+
+
+*** ../vim-7.0.233/src/eval.c	Thu Apr 26 17:08:16 2007
+--- src/eval.c	Fri Apr 27 21:48:18 2007
+***************
+*** 9078,9083 ****
+--- 9078,9089 ----
+      int		typed = FALSE;
+      char_u	*keys_esc;
+  
++     /* This is not allowed in the sandbox.  If the commands would still be
++      * executed in the sandbox it would be OK, but it probably happens later,
++      * when "sandbox" is no longer set. */
++     if (check_secure())
++ 	return;
++ 
+      rettv->vval.v_number = 0;
+      keys = get_tv_string(&argvars[0]);
+      if (*keys != NUL)
+*** ../vim-7.0.233/src/version.c	Thu Apr 26 18:42:17 2007
+--- src/version.c	Fri Apr 27 22:13:23 2007
+***************
+*** 668,669 ****
+--- 668,671 ----
+  {   /* Add new patch number below this line */
++ /**/
++     234,
+  /**/
+
+-- 
+"Making it up?  Why should I want to make anything up?  Life's bad enough
+as it is without wanting to invent any more of it."
+		-- Marvin, the Paranoid Android in Douglas Adams'
+		   "The Hitchhiker's Guide to the Galaxy"
+
+ /// Bram Moolenaar -- Bram at Moolenaar.net -- http://www.Moolenaar.net   \\\
+///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
+\\\        download, build and distribute -- http://www.A-A-P.org        ///
+ \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

Added: branches/packages/vim/etch/upstream/patches/7.0.235
URL: http://svn.debian.org/wsvn/pkg-vim/branches/packages/vim/etch/upstream/patches/7.0.235?rev=1016&op=file
==============================================================================
--- branches/packages/vim/etch/upstream/patches/7.0.235 (added)
+++ branches/packages/vim/etch/upstream/patches/7.0.235 Sat Sep  1 22:01:59 2007
@@ -1,0 +1,71 @@
+To: vim-dev at vim.org
+Subject: patch 7.0.235
+Fcc: outbox
+From: Bram Moolenaar <Bram at moolenaar.net>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=ISO-8859-1
+Content-Transfer-Encoding: 8bit
+------------
+
+Patch 7.0.235
+Problem:    It is possible to use writefile() in the sandbox.
+Solution:   Add a few more checks for the sandbox.
+Files:      src/eval.c
+    
+
+*** ../vim-7.0.234/src/eval.c	Fri Apr 27 22:17:43 2007
+--- src/eval.c	Sat Apr 28 21:36:02 2007
+***************
+*** 15598,15603 ****
+--- 15598,15606 ----
+      int		err = FALSE;
+      FILE	*fd;
+  
++     if (check_restricted() || check_secure())
++ 	return;
++ 
+      if (argvars[1].v_type != VAR_UNKNOWN)
+      {
+  	/*
+***************
+*** 16430,16435 ****
+--- 16433,16441 ----
+      char_u	*s;
+      int		ret = 0;
+      int		c;
++ 
++     if (check_restricted() || check_secure())
++ 	return;
+  
+      if (argvars[0].v_type != VAR_LIST)
+      {
+*** ../vim-7.0.234/src/version.c	Fri Apr 27 22:17:43 2007
+--- src/version.c	Sun Apr 29 13:54:29 2007
+***************
+*** 668,669 ****
+--- 668,671 ----
+  {   /* Add new patch number below this line */
++ /**/
++     235,
+  /**/
+
+-- 
+Now it is such a bizarrely improbable coincidence that anything as
+mind-bogglingly useful as the Babel fish could have evolved purely by chance
+that some thinkers have chosen to see it as a final and clinching proof of the
+NON-existence of God.
+The argument goes something like this: 'I refuse to prove that I exist,' says
+God, 'for proof denies faith, and without faith I am nothing.'
+'But,' says Man, 'the Babel fish is a dead giveaway, isn't it?  It could not
+have evolved by chance.  It proves you exist, and so therefore, by your own
+arguments, you don't.  QED.'
+'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a
+puff of logic.
+'Oh, that was easy,' says Man, and for an encore goes on to prove that black
+is white and gets himself killed on the next pedestrian crossing.
+		-- Douglas Adams, "The Hitchhiker's Guide to the Galaxy"
+
+ /// Bram Moolenaar -- Bram at Moolenaar.net -- http://www.Moolenaar.net   \\\
+///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
+\\\        download, build and distribute -- http://www.A-A-P.org        ///
+ \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

Added: branches/packages/vim/etch/upstream/patches/7.1.039
URL: http://svn.debian.org/wsvn/pkg-vim/branches/packages/vim/etch/upstream/patches/7.1.039?rev=1016&op=file
==============================================================================
--- branches/packages/vim/etch/upstream/patches/7.1.039 (added)
+++ branches/packages/vim/etch/upstream/patches/7.1.039 Sat Sep  1 22:01:59 2007
@@ -1,0 +1,57 @@
+To: vim-dev at vim.org
+Subject: patch 7.1.039
+Fcc: outbox
+From: Bram Moolenaar <Bram at moolenaar.net>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=ISO-8859-1
+Content-Transfer-Encoding: 8bit
+------------
+
+Patch 7.1.039
+Problem:    A tag in a help file that starts with "help-tags" and contains a
+	    percent sign may make Vim crash. (Ulf Harnhammar)
+Solution:   Use puts() instead of fprintf().
+Files:	    src/ex_cmds.c
+
+
+*** ../vim-7.1.038/src/ex_cmds.c	Tue Jul 24 11:15:46 2007
+--- src/ex_cmds.c	Wed Jul 25 20:06:20 2007
+***************
+*** 6374,6382 ****
+  	for (i = 0; i < ga.ga_len; ++i)
+  	{
+  	    s = ((char_u **)ga.ga_data)[i];
+! 	    if (STRNCMP(s, "help-tags", 9) == 0)
+  		/* help-tags entry was added in formatted form */
+! 		fprintf(fd_tags, (char *)s);
+  	    else
+  	    {
+  		fprintf(fd_tags, "%s\t/*", s);
+--- 6374,6382 ----
+  	for (i = 0; i < ga.ga_len; ++i)
+  	{
+  	    s = ((char_u **)ga.ga_data)[i];
+! 	    if (STRNCMP(s, "help-tags\t", 10) == 0)
+  		/* help-tags entry was added in formatted form */
+! 		fputs((char *)s, fd_tags);
+  	    else
+  	    {
+  		fprintf(fd_tags, "%s\t/*", s);
+*** ../vim-7.1.038/src/version.c	Tue Jul 24 15:25:27 2007
+--- src/version.c	Wed Jul 25 22:41:18 2007
+***************
+*** 668,669 ****
+--- 668,671 ----
+  {   /* Add new patch number below this line */
++ /**/
++     39,
+  /**/
+
+-- 
+On the other hand, you have different fingers.
+                                      -- Steven Wright
+
+ /// Bram Moolenaar -- Bram at Moolenaar.net -- http://www.Moolenaar.net   \\\
+///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
+\\\        download, build and distribute -- http://www.A-A-P.org        ///
+ \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///



