diff --git a/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch b/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
new file mode 100644
index 0000000..668ffe5
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
@@ -0,0 +1,34 @@
+diff --git a/src/misc1.c b/src/misc1.c
+index de79c8e..1c5867d 100644
+--- a/src/misc1.c
++++ b/src/misc1.c
+@@ -6792,7 +6792,7 @@ find_start_brace(void) /* XXX */
+ && (pos = ind_find_start_CORS(NULL)) == NULL) /* XXX */
+ break;
+ if (pos != NULL)
+- curwin->w_cursor.lnum = pos->lnum;
++ curwin->w_cursor = *pos;
+ }
+ curwin->w_cursor = cursor_save;
+ return trypos;
+diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
+index 7c2c5e3..f8c7e57 100644
+--- a/src/testdir/test_cindent.vim
++++ b/src/testdir/test_cindent.vim
+@@ -102,4 +102,16 @@ func Test_cindent_expr()
+ bw!
+ endfunc
+
++func Test_find_brace_backwards()
++ " this was looking beyond the end of the line
++ new
++ norm R/*
++ norm o0{
++ norm o//
++ norm V{=
++ call assert_equal(['/*', ' 0{', '//'], getline(1, 3))
++ bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch b/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
new file mode 100644
index 0000000..0cfaec6
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
@@ -0,0 +1,14 @@
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 1827fec..e69fbd3 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -6537,8 +6537,7 @@ find_help_tags(
+ || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
+ && arg[2] != NUL)))
+ {
+- STRCPY(d, "/\\\\");
+- STRCPY(d + 3, arg + 1);
++ vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
+ /* Check for "/\\_$", should be "/\\_\$" */
+ if (d[3] == '_' && d[4] == '$')
+ STRCPY(d + 4, "\\$");
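Review bot: The backported patch file starts directly at `diff --git a/src/misc1.c`, with no header recording the upstream commit it was taken from, and the same holds for the 8.2.3669 patch file added alongside it; the file name is the only provenance. A comment line ahead of the first `diff --git`, such as `# Backport of upstream vim patch 8.2.3625, commit <upstream-commit-id>`, would let an auditor compare the rebased hunk against upstream. Separately, `Test_find_brace_backwards` asserts only the resulting buffer lines, so it may pass on an unfixed build unless the test run uses a memory checker, since the defect was a read past the end of the line rather than wrong output.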
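Review bot: No regression test accompanies the `vim_snprintf((char *)d, IOSIZE, ...)` change, whereas the 8.2.3625 patch file in the same commit carries one. If upstream shipped a test with 8.2.3669 and it was dropped for this base, that should be recorded, e.g. `# upstream test omitted: <reason>` beside the Patch3026 entry in the spec. The IOSIZE bound is correct only if `d` points at a buffer of at least IOSIZE bytes, and that assignment lies outside the hunk, so it needs checking against the 8.0.1763 body of find_help_tags(). An over-long argument is now truncated without any error, which is safe for memory but means the search runs on a shortened pattern.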
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index 0874876..03efc9b 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}.2
+Release: 16%{?dist}.3
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -80,6 +80,10 @@ Patch3022: vim-cve3796.patch
 # 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
 Patch3023: vim-cve3778-fix.patch
 Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
+# 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
+Patch3025: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
+# 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
+Patch3026: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -281,6 +285,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3022 -p1 -b .cve3796
 %patch3023 -p1 -b .cve3778
 %patch3024 -p1 -b .cve3872
+%patch3025 -p1 -b .cve3984
+%patch3026 -p1 -b .cve4019
 %build
 %if 0%{?rhel} > 7
@@ -799,6 +805,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 %changelog
+* Fri Dec 03 2021 Zdenek Dohnal - 2:8.0.1763-16.3
+- 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
+- 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
+
 * Tue Oct 26 2021 Zdenek Dohnal - 2:8.0.1763-16.2
 - remove the upstream test - uses a feature which is not presented in RHEL 8
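Review bot: The comment above `Patch3026` and the matching `%changelog` line say the overflow is in `find_help_tags() in src/help.c`, but the patch file this commit adds modifies `src/ex_cmds.c`. The wording looks like the tracker title copied verbatim. A short addition such as `# (find_help_tags() is in src/ex_cmds.c in this vim version)` would stop a later audit from concluding the fix was applied to the wrong file.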