Bug 43111

Summary: vim: Multiple issues (4.1)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Jürn Brodersen <brodersen>
Severity: normal
Priority: P5
Flags: requate: Patch_Available+
Version: UCS 4.1
Target Milestone: UCS 4.1-4-errata
Hardware: Other
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Bug Depends on:
Bug Blocks: 45178

Description Arvid Requate univentionstaff 2016-12-05 12:43:19 CET
Upstream Debian package version 2:7.3.547-7+deb7u1 fixes this issue:

* vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened. (CVE-2016-1248)
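
An added example, not part of the original report and not Vim or UCS code: a small Python scanner that flags modelines setting 'filetype', 'syntax' or 'keymap' to a value outside a conservative allow-list, for auditing files that may be opened on a system still awaiting the update. The allow-list, the function names and the sample strings are assumptions constructed for illustration.

```python
import re

# Options named in CVE-2016-1248, mapped from short and long names.
WATCHED = {"ft": "filetype", "filetype": "filetype", "syn": "syntax",
           "syntax": "syntax", "kmp": "keymap", "keymap": "keymap"}
# Assumption: conservative allow-list for values (not taken from the report).
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]*\Z")
# Modeline marker at line start or after whitespace; version forms such as
# "vim600:" are not handled here.
MARKER = re.compile(r"(?:^|\s)(?:vi|[vV]im|ex):\s*(.*)")


def modeline_options(line):
    """Return (name, value) pairs for name=value settings in a modeline."""
    m = MARKER.search(line)
    if not m:
        return []
    body = m.group(1)
    set_form = re.match(r"set?\s+(.*)", body)
    if set_form:
        # The "set" form ends at the first colon not escaped by a backslash.
        body = re.split(r"(?<!\\):", set_form.group(1), maxsplit=1)[0]
        tokens = body.split()
    else:
        tokens = re.split(r"(?<!\\):|\s+", body)
    return [tuple(t.split("=", 1)) for t in tokens if "=" in t]


def scan(text, window=5):
    """Flag watched options whose value falls outside the allow-list.

    Only the first and last `window` lines are read, matching Vim's
    default 'modelines' value of 5.
    """
    lines = text.splitlines()
    head = range(min(window, len(lines)))
    tail = range(max(0, len(lines) - window), len(lines))
    findings = []
    for i in sorted(set(head) | set(tail)):
        for name, value in modeline_options(lines[i]):
            option = WATCHED.get(name.rstrip("+^-"))
            if option and not SAFE_VALUE.match(value):
                findings.append((i + 1, option, value))
    return findings


# Constructed samples, not taken from the report.
CLEAN = "#!/usr/bin/env python\n# vim: set ft=python ts=4 :\nprint('hi')\n"
ODD = "/* vim: set syntax=c%x : */\nint main(void) { return 0; }\n"
```

Each finding is a (line number, option, value) tuple; a hit means the value deserves a manual look, not that the file is malicious.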

Comment 1 Arvid Requate univentionstaff 2017-02-15 21:30:06 CET
Upstream Debian package version 2:7.3.547-7+deb7u2 additionally fixes:

* buffer overflow if a spellfile has an invalid length in it. (Closes: #854969, CVE-2017-5953)

Comment 2 Arvid Requate univentionstaff 2017-03-09 13:24:47 CET
Upstream Debian package version 2:7.3.547-7+deb7u3 fixes:

* An integer overflow at a u_read_undo memory allocation site would occur for vim before patch 8.0.0377, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows. (CVE-2017-6349)

* An integer overflow at an unserialize_uep memory allocation site would occur for vim before patch 8.0.0378, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows. (CVE-2017-6350)


Max CVSS of 6.8 for CVE-2016-1248

Comment 3 Arvid Requate univentionstaff 2017-08-07 15:08:23 CEST
2:7.3.547-7+deb7u4 fixes:

* denial of service (invalid free) or possibly unspecified other impact via a crafted source (aka -S) file. There might be a limited number of scenarios in which this has security relevance. (CVE-2017-11109)

Comment 4 Arvid Requate univentionstaff 2017-08-10 14:48:46 CEST
repo_admin.py -U -d wheezy -r 4.1 -s errata4.1-4 -p vim
b41-scope errata4.1-4 vim

Advisory: vim.yaml

Comment 5 Jürn Brodersen univentionstaff 2017-08-11 12:26:51 CEST
Looks good
What I tested:
Opened a file in vim -> OK
changelog -> OK
YAML -> OK

Verified

Comment 6 Erik Damrose univentionstaff 2017-08-16 13:34:10 CEST
<http://errata.software-univention.de/ucs/4.1/450.html>