import vim-8.0.1763-16.el8_5.4

2022-02-01 15:14:14 -05:00 · 2022-02-01 15:14:14 -05:00 · 1b77547944
parent 1d937bdab7
commit 1b77547944
6 changed files with 195 additions and 1 deletions
--- a/SOURCES/0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
+++ b/SOURCES/0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
@ -0,0 +1,35 @@
+diff -up vim80/src/screen.c.cve3872 vim80/src/screen.c
+--- vim80/src/screen.c.cve3872	2021-10-21 13:20:27.694921335 +0200
+++ vim80/src/screen.c	2021-10-21 13:22:42.221732996 +0200
+@@ -6911,13 +6911,13 @@ win_redr_status(win_T *wp)
+ 	    *(p + len++) = ' ';
+ 	if (bt_help(wp->w_buffer))
+ 	{
+-	    STRCPY(p + len, _("[Help]"));
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ #ifdef FEAT_QUICKFIX
+ 	if (wp->w_p_pvw)
+ 	{
+-	    STRCPY(p + len, _("[Preview]"));
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ #endif
+@@ -6927,12 +6927,12 @@ win_redr_status(win_T *wp)
+ #endif
+ 		)
+ 	{
+-	    STRCPY(p + len, "[+]");
+-	    len += 3;
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
+	    len += (int)STRLEN(p + len);
+ 	}
+ 	if (wp->w_buffer->b_p_ro)
+ 	{
+-	    STRCPY(p + len, _("[RO]"));
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ 
--- a/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
+++ b/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
@ -0,0 +1,34 @@
+diff --git a/src/misc1.c b/src/misc1.c
+index de79c8e..1c5867d 100644
+--- a/src/misc1.c
+++ b/src/misc1.c
+@@ -6792,7 +6792,7 @@ find_start_brace(void)	    /* XXX */
+ 		       && (pos = ind_find_start_CORS(NULL)) == NULL) /* XXX */
+ 	    break;
+ 	if (pos != NULL)
+-	    curwin->w_cursor.lnum = pos->lnum;
+	    curwin->w_cursor = *pos;
+     }
+     curwin->w_cursor = cursor_save;
+     return trypos;
+diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
+index 7c2c5e3..f8c7e57 100644
+--- a/src/testdir/test_cindent.vim
+++ b/src/testdir/test_cindent.vim
+@@ -102,4 +102,16 @@ func Test_cindent_expr()
+   bw!
+ endfunc
+ 
+func Test_find_brace_backwards()
+  " this was looking beyond the end of the line
+  new
+  norm R/*
+  norm o0{
+  norm o//
+  norm V{=
+  call assert_equal(['/*', '   0{', '//'], getline(1, 3))
+  bwipe!
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
+++ b/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
@ -0,0 +1,14 @@
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 1827fec..e69fbd3 100644
+--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
+@@ -6537,8 +6537,7 @@ find_help_tags(
+ 		    || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
+ 							   && arg[2] != NUL)))
+ 	{
+-	    STRCPY(d, "/\\\\");
+-	    STRCPY(d + 3, arg + 1);
+	    vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
+ 	    /* Check for "/\\_$", should be "/\\_\$" */
+ 	    if (d[3] == '_' && d[4] == '$')
+ 		STRCPY(d + 4, "\\$");
--- a/SOURCES/0001-patch-8.2.3949-using-freed-memory-with-V.patch
+++ b/SOURCES/0001-patch-8.2.3949-using-freed-memory-with-V.patch
@ -0,0 +1,45 @@
+diff -up vim80/src/regexp.c.cve4192 vim80/src/regexp.c
+--- vim80/src/regexp.c.cve4192	2022-01-12 15:21:44.792239040 +0100
+++ vim80/src/regexp.c	2022-01-12 15:34:35.190425880 +0100
+@@ -4203,9 +4203,9 @@ reg_match_visual(void)
+     if (lnum < top.lnum || lnum > bot.lnum)
+ 	return FALSE;
+ 
+    col = (colnr_T)(reginput - regline);
+     if (mode == 'v')
+     {
+-	col = (colnr_T)(reginput - regline);
+ 	if ((lnum == top.lnum && col < top.col)
+ 		|| (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
+ 	    return FALSE;
+@@ -4220,7 +4220,12 @@ reg_match_visual(void)
+ 	    end = end2;
+ 	if (top.col == MAXCOL || bot.col == MAXCOL)
+ 	    end = MAXCOL;
+-	cols = win_linetabsize(wp, regline, (colnr_T)(reginput - regline));
+
+	// getvvcol() flushes rex.line, need to get it again
+	regline = reg_getline(reglnum);
+	reginput = regline + col;
+
+	cols = win_linetabsize(wp, regline, col);
+ 	if (cols < start || cols > end - (*p_sel == 'e'))
+ 	    return FALSE;
+     }
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve4192 vim80/src/testdir/test_regexp_latin.vim
+--- vim80/src/testdir/test_regexp_latin.vim.cve4192	2022-01-12 15:21:44.792239040 +0100
+++ vim80/src/testdir/test_regexp_latin.vim	2022-01-12 15:36:12.499693099 +0100
+@@ -80,3 +80,13 @@ func Test_using_invalid_visual_position(
+   /\%V
+   bwipe!
+ endfunc
+
+func Test_using_visual_position()
+  " this was using freed memory
+  new
+  exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
+  /\%V
+  bwipe!
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
--- a/SOURCES/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
+++ b/SOURCES/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
@ -0,0 +1,38 @@
+diff -up vim80/src/charset.c.cve4193 vim80/src/charset.c
+--- vim80/src/charset.c.cve4193	2022-01-12 14:49:08.710592947 +0100
+++ vim80/src/charset.c	2022-01-12 14:49:47.594705863 +0100
+@@ -1291,10 +1291,15 @@ getvcol(
+ 	posptr = NULL;  /* continue until the NUL */
+     else
+     {
+-	/* Special check for an empty line, which can happen on exit, when
+-	 * ml_get_buf() always returns an empty string. */
+-	if (*ptr == NUL)
+-	    pos->col = 0;
+	colnr_T i;
+
+	// In a few cases the position can be beyond the end of the line.
+	for (i = 0; i < pos->col; ++i)
+	    if (ptr[i] == NUL)
+	    {
+		pos->col = i;
+		break;
+	    }
+ 	posptr = ptr + pos->col;
+ #ifdef FEAT_MBYTE
+ 	if (has_mbyte)
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve4193 vim80/src/testdir/test_regexp_latin.vim
+--- vim80/src/testdir/test_regexp_latin.vim.cve4193	2022-01-12 14:49:08.710592947 +0100
+++ vim80/src/testdir/test_regexp_latin.vim	2022-01-12 14:50:45.186873107 +0100
+@@ -72,3 +72,11 @@ func Test_backref()
+   call assert_fails('call search("\\%#=2\\(e\\1\\)")', 'E65:')
+   bwipe!
+ endfunc
+
+func Test_using_invalid_visual_position()
+  " this was going beyond the end of the line
+  new
+  exe "norm 0o000\<Esc>0\<C-V>$s0"
+  /\%V
+  bwipe!
+endfunc
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}
+Release: 16%{?dist}.4
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@ -79,6 +79,15 @@ Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch
 Patch3022: vim-cve3796.patch
 # 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
 Patch3023: vim-cve3778-fix.patch
+Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
+# 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
+Patch3025: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
+# 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
+Patch3026: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
+# CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
+Patch3027: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
+# CVE-2021-4192 vim: vulnerable to Use After Free
+Patch3028: 0001-patch-8.2.3949-using-freed-memory-with-V.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -279,6 +288,11 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3021 -p1 -b .rvim
 %patch3022 -p1 -b .cve3796
 %patch3023 -p1 -b .cve3778
+%patch3024 -p1 -b .cve3872
+%patch3025 -p1 -b .cve3984
+%patch3026 -p1 -b .cve4019
+%patch3027 -p1 -b .cve4193
+%patch3028 -p1 -b .cve4192

 %build
 %if 0%{?rhel} > 7
@ -797,6 +811,20 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*

 %changelog
+* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.4
+- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
+- CVE-2021-4192 vim: vulnerable to Use After Free
+
+* Fri Dec 03 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.3
+- 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
+- 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
+
+* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.2
+- remove the upstream test - uses a feature which is not presented in RHEL 8
+
+* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.1
+- CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0]
+
 * Mon Sep 20 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16
 - 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0]
 - 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]