diff --git a/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch b/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
new file mode 100644
index 0000000..8f8c075
--- /dev/null
+++ b/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
@@ -0,0 +1,32 @@
+diff --git a/src/help.c b/src/help.c
+index ee6ff18..67e4fb2 100644
+--- a/src/help.c
++++ b/src/help.c
+@@ -422,8 +422,7 @@ find_help_tags(
+ || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
+ && arg[2] != NUL)))
+ {
+- STRCPY(d, "/\\\\");
+- STRCPY(d + 3, arg + 1);
++ vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
+ // Check for "/\\_$", should be "/\\_\$"
+ if (d[3] == '_' && d[4] == '$')
+ STRCPY(d + 4, "\\$");
+diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
+index ff2bc41..c8ff5b8 100644
+--- a/src/testdir/test_help.vim
++++ b/src/testdir/test_help.vim
+@@ -123,5 +123,13 @@ func Test_helptag_cmd_readonly()
+ call delete('Xdir', 'rf')
+ endfunc
+
++func Test_help_long_argument()
++ try
++ exe 'help \%' .. repeat('0', 1021)
++ catch
++ call assert_match("E149:", v:exception)
++ endtry
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index 864e633..bcbf058 100644
--- a/vim.spec
+++ b/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 10%{?dist}
+Release: 9%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
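Review bot: The replacement `vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);` bounds the copy to IOSIZE, but the declaration of `d` and the buffer it points into are outside this hunk, so nothing in the hunk shows that IOSIZE is really the capacity of `d`; a call-site comment such as `// d must point at a buffer of at least IOSIZE bytes` would tie the bound to the buffer for whoever rebases this backport. The return value of vim_snprintf is discarded, so an over-long argument is silently truncated and then looked up as a different tag; the new Test_help_long_argument relies on that lookup failing with E149 rather than on the truncation being reported, which is worth stating in the test. The later `STRCPY(d + 4, "\\$")` still writes three bytes at offset 4 and stays in bounds only because IOSIZE is presumably far larger than that, which again depends on `d` being the IOSIZE-byte buffer. find_help_tags begins before and continues after this hunk.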
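Review bot: `Release:` moves backwards from `10%{?dist}` to `9%{?dist}` in this hunk, so the rebuilt package would presumably not upgrade over an existing -10 build, and the %changelog hunk at the end of the diff adds an entry tagged `2:8.2.2637-9` directly above an existing `2:8.2.2637-9` entry. The new changelog header is also dated `Mon Dec 02 2021` while the existing entry gives the same date as `Thu`, and rpmbuild flags changelog dates whose weekday does not match. The intended lines are probably a higher release on both, e.g. `+Release: 11%{?dist}` here and `+* Thu Dec 02 2021 Zdenek Dohnal - 2:8.2.2637-11` in the changelog, but the actual release number should be confirmed against the build history.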
@@ -82,6 +82,8 @@ Patch3024: 0001-patch-8.2.3406-on-some-systems-tests-fail-without-_R.patch
 Patch3025: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
 # 2028342 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-9.0]
 Patch3026: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
+# 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0]
+Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -295,6 +297,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3024 -p1 -b .reentrant
 %patch3025 -p1 -b .cve-win-redr
 %patch3026 -p1 -b .cve3984
+%patch3027 -p1 -b .cve4019
 
 %build
 cd src
@@ -852,6 +855,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Mon Dec 02 2021 Zdenek Dohnal - 2:8.2.2637-9
+- 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0]
+
 * Thu Dec 02 2021 Zdenek Dohnal - 2:8.2.2637-9
 - 2028342 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-9.0]