From 45b285e45dab0cf1245263e1f1c37c822144c674 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 11 2022 05:33:40 +0000 Subject: import vim-8.0.1763-16.el8_5.12 --- diff --git a/SOURCES/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch b/SOURCES/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch new file mode 100644 index 0000000..604a8ff --- /dev/null +++ b/SOURCES/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch @@ -0,0 +1,33 @@ +diff -up vim80/src/ex_cmds.c.cve0361 vim80/src/ex_cmds.c +--- vim80/src/ex_cmds.c.cve0361 2022-02-08 12:20:51.277666290 +0100 ++++ vim80/src/ex_cmds.c 2022-02-08 12:20:51.280666209 +0100 +@@ -983,6 +983,8 @@ ex_copy(linenr_T line1, linenr_T line2, + } + + appended_lines_mark(n, count); ++ if (VIsual_active) ++ check_pos(curbuf, &VIsual); + + msgmore((long)count); + } +diff -up vim80/src/testdir/test_visual.vim.cve0361 vim80/src/testdir/test_visual.vim +--- vim80/src/testdir/test_visual.vim.cve0361 2022-02-08 12:20:51.280666209 +0100 ++++ vim80/src/testdir/test_visual.vim 2022-02-08 12:21:44.530356814 +0100 +@@ -263,3 +263,17 @@ func Test_visual_block_append_invalid_ch + call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3)) + bwipe! + endfunc ++ ++" this was leaving the end of the Visual area beyond the end of a line ++func Test_visual_ex_copy_line() ++ new ++ call setline(1, ["aaa", "bbbbbbbbbxbb"]) ++ /x ++ exe "normal ggvjfxO" ++ t0 ++ normal gNU ++ bwipe! ++endfunc ++ ++ ++" vim: shiftwidth=2 sts=2 expandtab diff --git a/SOURCES/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch b/SOURCES/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch new file mode 100644 index 0000000..8cb7a44 --- /dev/null +++ b/SOURCES/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch @@ -0,0 +1,85 @@ +commit ec45bc7682fd698d8d39f43732129c4d092355f3 +Author: Tomas Korbar +Date: Wed Feb 2 16:30:11 2022 +0100 + + Fix illegal memory access with bracketed paste in Ex mode + +diff --git a/src/edit.c b/src/edit.c +index f29fbc7..57b8dce 100644 +--- a/src/edit.c ++++ b/src/edit.c +@@ -9519,27 +9519,33 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + int ret_char = -1; + int save_allow_keys = allow_keys; + int save_paste = p_paste; +- int save_ai = curbuf->b_p_ai; + +- /* If the end code is too long we can't detect it, read everything. */ +- if (STRLEN(end) >= NUMBUFLEN) ++ // If the end code is too long we can't detect it, read everything. ++ if (end != NULL && STRLEN(end) >= NUMBUFLEN) + end = NULL; + ++no_mapping; + allow_keys = 0; +- p_paste = TRUE; +- curbuf->b_p_ai = FALSE; ++ if (!p_paste) ++ // Also have the side effects of setting 'paste' to make it work much ++ // faster. ++ set_option_value((char_u *)"paste", TRUE, NULL, 0); + + for (;;) + { + /* When the end is not defined read everything. */ + if (end == NULL && vpeekc() == NUL) + break; +- c = plain_vgetc(); +-#ifdef FEAT_MBYTE ++ do ++ c = vgetc(); ++ while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR); ++ if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C)) ++ // When CTRL-C was encountered the typeahead will be flushed and we ++ // won't get the end sequence. Except when using ":normal". ++ break; ++ + if (has_mbyte) + idx += (*mb_char2bytes)(c, buf + idx); + else +-#endif + buf[idx++] = c; + buf[idx] = NUL; + if (end != NULL && STRNCMP(buf, end, idx) == 0) +@@ -9557,7 +9563,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + break; + + case PASTE_EX: +- if (gap != NULL && ga_grow(gap, idx) == OK) ++ // add one for the NUL that is going to be appended ++ if (gap != NULL && ga_grow(gap, idx + 1) == OK) + { + mch_memmove((char *)gap->ga_data + gap->ga_len, + buf, (size_t)idx); +@@ -9582,11 +9589,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + case PASTE_ONE_CHAR: + if (ret_char == -1) + { +-#ifdef FEAT_MBYTE + if (has_mbyte) + ret_char = (*mb_ptr2char)(buf); + else +-#endif + ret_char = buf[0]; + } + break; +@@ -9597,8 +9602,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + + --no_mapping; + allow_keys = save_allow_keys; +- p_paste = save_paste; +- curbuf->b_p_ai = save_ai; ++ if (!save_paste) ++ set_option_value((char_u *)"paste", FALSE, NULL, 0); + + return ret_char; + } diff --git a/SOURCES/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch b/SOURCES/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch new file mode 100644 index 0000000..b37d821 --- /dev/null +++ b/SOURCES/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch @@ -0,0 +1,51 @@ +commit c604f3ad4782fde770617ff688e1ceac0dc1bd7c +Author: Tomas Korbar +Date: Thu Feb 3 10:14:42 2022 +0100 + + Fix using freed memory when substitute with function call + +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index e69fbd3..0788573 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -4767,6 +4767,7 @@ do_sub(exarg_T *eap) + int save_do_all; /* remember user specified 'g' flag */ + int save_do_ask; /* remember user specified 'c' flag */ + char_u *pat = NULL, *sub = NULL; /* init for GCC */ ++ char_u *sub_copy = NULL; + int delimiter; + int sublen; + int got_quit = FALSE; +@@ -5062,11 +5063,20 @@ do_sub(exarg_T *eap) + sub_firstline = NULL; + + /* +- * ~ in the substitute pattern is replaced with the old pattern. +- * We do it here once to avoid it to be replaced over and over again. +- * But don't do it when it starts with "\=", then it's an expression. ++ * If the substitute pattern starts with "\=" then it's an expression. ++ * Make a copy, a recursive function may free it. ++ * Otherwise, '~' in the substitute pattern is replaced with the old ++ * pattern. We do it here once to avoid it to be replaced over and over ++ * again. + */ +- if (!(sub[0] == '\\' && sub[1] == '=')) ++ if (sub[0] == '\\' && sub[1] == '=') ++ { ++ sub = vim_strsave(sub); ++ if (sub == NULL) ++ return; ++ sub_copy = sub; ++ } ++ else + sub = regtilde(sub, p_magic); + + /* +@@ -5825,6 +5835,7 @@ outofmem: + #endif + + vim_regfree(regmatch.regprog); ++ vim_free(sub_copy); + + /* Restore the flag values, they can be used for ":&&". */ + subflags.do_all = save_do_all; diff --git a/SPECS/vim.spec b/SPECS/vim.spec index ad1194c..8bd7a1d 100644 --- a/SPECS/vim.spec +++ b/SPECS/vim.spec @@ -24,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 16%{?dist}.7 +Release: 16%{?dist}.12 License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -94,6 +94,12 @@ Patch3029: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch Patch3030: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch # CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c Patch3031: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch +# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c +Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch +# CVE-2022-0413 vim: use after free in src/ex_cmds.c +Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch +# CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository +Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -302,6 +308,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3029 -p1 -b .cve0261 %patch3030 -p1 -b .cve0318 %patch3031 -p1 -b .cve0359 +%patch3032 -p1 -b .cve0392 +%patch3033 -p1 -b .cve0413 +%patch3034 -p1 -b .cve0361 %build %if 0%{?rhel} > 7 @@ -820,6 +829,27 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-16.12 +- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository + +* Fri Feb 04 2022 Tomas Korbar - 2:8.0.1763-16.11 +- CVE-2022-0413 vim: use after free in src/ex_cmds.c +- Fix specfile problems +- Resolves: rhbz#2048525 + +* Thu Feb 03 2022 Tomas Korbar - 2:8.0.1763-16.10 +- CVE-2022-0413 vim: use after free in src/ex_cmds.c +- Resolves: rhbz#2048525 + +* Wed Feb 02 2022 Tomas Korbar - 2:8.0.1763-16.9 +- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c +- Improve fix +- Resolves: rhbz#2049403 + +* Wed Feb 02 2022 Tomas Korbar - 2:8.0.1763-16.8 +- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c +- Resolves: rhbz#2049403 + * Thu Jan 27 2022 Zdenek Dohnal - 2:8.0.1763-16.7 - CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c