diff --git a/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch b/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
new file mode 100644
index 0000000..4066b1e
--- /dev/null
+++ b/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
@@ -0,0 +1,39 @@
+diff -up vim82/src/spellsuggest.c.cve0943 vim82/src/spellsuggest.c
+--- vim82/src/spellsuggest.c.cve0943 2022-03-28 20:48:07.079197805 +0200
++++ vim82/src/spellsuggest.c 2022-03-28 20:48:07.101197522 +0200
+@@ -501,6 +501,10 @@ spell_suggest(int count)
+ curwin->w_cursor.col = VIsual.col;
+ ++badlen;
+ end_visual_mode();
++ // make sure we don't include the NUL at the end of the line
++ line = ml_get_curline();
++ if (badlen > STRLEN(line) - curwin->w_cursor.col)
++ badlen = STRLEN(line) - curwin->w_cursor.col;
+ }
+ // Find the start of the badly spelled word.
+ else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
+diff -up vim82/src/testdir/test_spell.vim.cve0943 vim82/src/testdir/test_spell.vim
+--- vim82/src/testdir/test_spell.vim.cve0943 2022-03-28 20:48:07.102197509 +0200
++++ vim82/src/testdir/test_spell.vim 2022-03-28 20:49:05.038452974 +0200
+@@ -441,6 +441,21 @@ func Test_spellsuggest_expr_errors()
+ delfunc MySuggest3
+ endfunc
+ 
++func Test_spellsuggest_visual_end_of_line()
++ let enc_save = &encoding
++ set encoding=iso8859
++
++ " This was reading beyond the end of the line.
++ norm R00000000000
++ sil norm 0
++ sil! norm i00000)
++ sil! norm i00000)
++ call feedkeys("\")
++ norm z=
++
++ let &encoding = enc_save
++endfunc
++
+ func Test_spellinfo()
+ new
+ let runtime = substitute($VIMRUNTIME, '\\', '/', 'g')
diff --git a/vim.spec b/vim.spec
index 24c1031..c932b19 100644
--- a/vim.spec
+++ b/vim.spec
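Review bot: The clamp added after `end_visual_mode()` compares the `int` `badlen` against `STRLEN(line) - curwin->w_cursor.col`, which is evaluated as unsigned `size_t` arithmetic; if the cursor column ever exceeded the line length the subtraction would wrap to a huge value and the guard would silently become a no-op, so it is worth stating the invariant it relies on, e.g. `// cursor column is within the line here, so the subtraction cannot wrap`. The enclosing `spell_suggest()` body, including the declaration of `line`, starts and ends outside this hunk. In the backported test, the `feedkeys` argument appears here as `"\"`, which in Vim script is an unterminated string and would break the whole test file; this looks like a key notation (something of the form `\<...>`) lost in rendering, so the on-disk patch file should be checked to confirm it applies and the test actually runs.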
@@ -116,7 +116,10 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
 Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
 # CVE-2022-0714 vim: buffer overflow [rhel-9]
 Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
+# CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
 Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
+# CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
+Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -348,6 +351,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3042 -p1 -b .cve0629
 %patch3043 -p1 -b .cve0714
 %patch3044 -p1 -b .cve0554
+%patch3045 -p1 -b .cve0943
 
 %build
 cd src
@@ -907,6 +911,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Mon Mar 28 2022 Zdenek Dohnal - 2:8.2.2637-16
 - CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
+- CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
 
 * Thu Feb 24 2022 Zdenek Dohnal - 2:8.2.2637-15
 - CVE-2022-0714 vim: buffer overflow [rhel-9]
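Review bot: The new `%patch3045 -p1 -b .cve0943` line is wired up consistently with the `Patch3045:` declaration and the `.cve0943` backup suffix used inside the patch file, but no change to the `Release:` tag is visible in this diff and the changelog line is appended to the already-existing `2:8.2.2637-16` entry. If -16 has already been built or tagged, this fix would not ship as a new NVR, so either bump the release with its own changelog entry or confirm -16 is still unreleased. The `Release:` line itself is outside these hunks, so this is inferred from the changelog alone.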