diff --git a/SOURCES/0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch b/SOURCES/0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch new file mode 100644 index 0000000..e190f2c --- /dev/null +++ b/SOURCES/0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch @@ -0,0 +1,49 @@ +From 34f8117dec685ace52cd9e578e2729db278163fc Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Wed, 16 Feb 2022 12:16:19 +0000 +Subject: [PATCH] patch 8.2.4397: crash when using many composing characters in + error message + +Problem: Crash when using many composing characters in error message. +Solution: Use mb_cptr2char_adv() instead of mb_ptr2char_adv(). +--- + src/testdir/test_assert.vim | 8 ++++++++ + src/testing.c | 2 +- + src/version.c | 2 ++ + 3 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim +index 8987f3f8d..27b2d73fb 100644 +--- a/src/testdir/test_assert.vim ++++ b/src/testdir/test_assert.vim +@@ -53,6 +53,14 @@ func Test_assert_equal() + call assert_equal("\b\e\f\n\t\r\\\x01\x7f", 'x') + call assert_match('Expected ''\\b\\e\\f\\n\\t\\r\\\\\\x01\\x7f'' but got ''x''', v:errors[0]) + call remove(v:errors, 0) ++ ++ " many composing characters are handled properly ++ call setline(1, ' ') ++ norm 100grƯ€ ++ call assert_equal(1, getline(1)) ++ call assert_match("Expected 1 but got '.* occurs 100 times]'", v:errors[0]) ++ call remove(v:errors, 0) ++ bwipe! + endfunc + + func Test_assert_equal_dict() +diff --git a/src/testing.c b/src/testing.c +index 448c01c1e..48ba14d2c 100644 +--- a/src/testing.c ++++ b/src/testing.c +@@ -101,7 +101,7 @@ ga_concat_shorten_esc(garray_T *gap, char_u *str) + { + same_len = 1; + s = p; +- c = mb_ptr2char_adv(&s); ++ c = mb_cptr2char_adv(&s); + clen = s - p; + while (*s != NUL && c == mb_ptr2char(s)) + { +-- +2.35.1 + diff --git a/SOURCES/0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch b/SOURCES/0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch new file mode 100644 index 0000000..123e7d6 --- /dev/null +++ b/SOURCES/0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch @@ -0,0 +1,35 @@ +diff --git a/src/indent.c b/src/indent.c +index 77d8b0a..9830685 100644 +--- a/src/indent.c ++++ b/src/indent.c +@@ -1284,6 +1284,8 @@ change_indent( + new_cursor_col += (*mb_ptr2len)(ptr + new_cursor_col); + else + ++new_cursor_col; ++ if (ptr[new_cursor_col] == NUL) ++ break; + vcol += lbr_chartabsize(ptr, ptr + new_cursor_col, (colnr_T)vcol); + } + vcol = last_vcol; +diff --git a/src/testdir/test_vartabs.vim b/src/testdir/test_vartabs.vim +index 0ff1ea8..a613510 100644 +--- a/src/testdir/test_vartabs.vim ++++ b/src/testdir/test_vartabs.vim +@@ -419,4 +419,17 @@ func Test_varsofttabstop() + close! + endfunc + ++func Test_vartabstop_latin1() ++ let save_encoding = &encoding ++ new ++ set encoding=iso8859-1 ++ set compatible linebreak list revins smarttab ++ set vartabstop=400 ++ exe "norm i00\t\" ++ bwipe! ++ let &encoding = save_encoding ++ set nocompatible linebreak& list& revins& smarttab& vartabstop& ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab diff --git a/SPECS/vim.spec b/SPECS/vim.spec index aa49305..aab134b 100644 --- a/SPECS/vim.spec +++ b/SPECS/vim.spec @@ -27,7 +27,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 13%{?dist} +Release: 15%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: virc @@ -112,6 +112,10 @@ Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch Patch3040: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch # CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch +# CVE-2022-0629 vim: Stack-based Buffer Overflow in vim prior to 8.2 +Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch +# CVE-2022-0714 vim: buffer overflow [rhel-9] +Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -340,6 +344,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3039 -p1 -b .cve0443 %patch3040 -p1 -b .cve0392 %patch3041 -p1 -b .cve0572 +%patch3042 -p1 -b .cve0629 +%patch3043 -p1 -b .cve0714 %build cd src @@ -897,6 +903,12 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %endif %changelog +* Thu Feb 24 2022 Zdenek Dohnal - 2:8.2.2637-15 +- CVE-2022-0714 vim: buffer overflow [rhel-9] + +* Wed Feb 23 2022 Zdenek Dohnal - 2:8.2.2637-14 +- CVE-2022-0629 vim: Stack-based Buffer Overflow in vim prior to 8.2 + * Wed Feb 16 2022 Zdenek Dohnal - 2:8.2.2637-13 - CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash