From 54c882cc464208341048d5a277c37f8430e47ac6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 09 2021 09:56:37 +0000 Subject: import vim-8.0.1763-16.el8 --- diff --git a/SOURCES/vim-cve3778-fix.patch b/SOURCES/vim-cve3778-fix.patch new file mode 100644 index 0000000..a482b38 --- /dev/null +++ b/SOURCES/vim-cve3778-fix.patch @@ -0,0 +1,13 @@ +diff -up vim80/src/regexp_nfa.c.cve3796-fix vim80/src/regexp_nfa.c +--- vim80/src/regexp_nfa.c.cve3796-fix 2021-09-20 08:27:13.752604505 +0200 ++++ vim80/src/regexp_nfa.c 2021-09-20 08:29:10.206546910 +0200 +@@ -5493,7 +5493,8 @@ find_match_text(colnr_T startcol, int re + match = FALSE; + break; + } +- len2 += MB_CHAR2LEN(c2); ++ len2 += enc_utf8 ? utf_ptr2len(regline + col + len2) ++ : MB_CHAR2LEN(c2); + } + if (match + #ifdef FEAT_MBYTE diff --git a/SOURCES/vim-cve3796.patch b/SOURCES/vim-cve3796.patch new file mode 100644 index 0000000..ca41acf --- /dev/null +++ b/SOURCES/vim-cve3796.patch @@ -0,0 +1,51 @@ +diff --git a/src/normal.c b/src/normal.c +index be0e75e..7d62e20 100644 +--- a/src/normal.c ++++ b/src/normal.c +@@ -7147,19 +7147,23 @@ nv_replace(cmdarg_T *cap) + { + /* + * Get ptr again, because u_save and/or showmatch() will have +- * released the line. At the same time we let know that the +- * line will be changed. ++ * released the line. This may also happen in ins_copychar(). ++ * At the same time we let know that the line will be changed. + */ +- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y) + { + int c = ins_copychar(curwin->w_cursor.lnum + + (cap->nchar == Ctrl_Y ? -1 : 1)); ++ ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + if (c != NUL) + ptr[curwin->w_cursor.col] = c; + } + else ++ { ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + ptr[curwin->w_cursor.col] = cap->nchar; ++ } + if (p_sm && msg_silent == 0) + showmatch(cap->nchar); + ++curwin->w_cursor.col; +diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim +index 7278bcd..8818805 100644 +--- a/src/testdir/test_edit.vim ++++ b/src/testdir/test_edit.vim +@@ -1387,3 +1387,15 @@ func Test_edit_quit() + only + endfunc + ++" Test for getting the character of the line below after "p" ++func Test_edit_put_CTRL_E() ++ set encoding=latin1 ++ new ++ let @" = '' ++ sil! norm orggRx ++ sil! norm pr ++ call assert_equal(['r', 'r'], getline(1, 2)) ++ bwipe! ++ set encoding=utf-8 ++endfunc ++ diff --git a/SPECS/vim.spec b/SPECS/vim.spec index 40f0fae..159811d 100644 --- a/SPECS/vim.spec +++ b/SPECS/vim.spec @@ -24,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 15%{?dist} +Release: 16%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -75,6 +75,10 @@ Patch3019: 0001-patch-8.1.1365-source-command-doesn-t-check-for-the-.patch Patch3020: vim-crypto-warning.patch # 1842755 - CVE-2019-20807 Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch +# 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0] +Patch3022: vim-cve3796.patch +# 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0] +Patch3023: vim-cve3778-fix.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -273,6 +277,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3019 -p1 -b .cve %patch3020 -p1 -b .crypto-warning %patch3021 -p1 -b .rvim +%patch3022 -p1 -b .cve3796 +%patch3023 -p1 -b .cve3778 %build %if 0%{?rhel} > 7 @@ -791,6 +797,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Mon Sep 20 2021 Zdenek Dohnal - 2:8.0.1763-16 +- 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0] +- 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0] + * Tue Jun 02 2020 Zdenek Dohnal - 2:8.0.1763-15 - 1842755 - CVE-2019-20807