diff --git a/SOURCES/0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch b/SOURCES/0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch new file mode 100644 index 00000000..76018f9e --- /dev/null +++ b/SOURCES/0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch @@ -0,0 +1,35 @@ +diff -up vim80/src/screen.c.cve3872 vim80/src/screen.c +--- vim80/src/screen.c.cve3872 2021-10-21 13:20:27.694921335 +0200 ++++ vim80/src/screen.c 2021-10-21 13:22:42.221732996 +0200 +@@ -6911,13 +6911,13 @@ win_redr_status(win_T *wp) + *(p + len++) = ' '; + if (bt_help(wp->w_buffer)) + { +- STRCPY(p + len, _("[Help]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]")); + len += (int)STRLEN(p + len); + } + #ifdef FEAT_QUICKFIX + if (wp->w_p_pvw) + { +- STRCPY(p + len, _("[Preview]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]")); + len += (int)STRLEN(p + len); + } + #endif +@@ -6927,12 +6927,12 @@ win_redr_status(win_T *wp) + #endif + ) + { +- STRCPY(p + len, "[+]"); +- len += 3; ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]"); ++ len += (int)STRLEN(p + len); + } + if (wp->w_buffer->b_p_ro) + { +- STRCPY(p + len, _("[RO]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]")); + len += (int)STRLEN(p + len); + } + diff --git a/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch b/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch new file mode 100644 index 00000000..668ffe54 --- /dev/null +++ b/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch @@ -0,0 +1,34 @@ +diff --git a/src/misc1.c b/src/misc1.c +index de79c8e..1c5867d 100644 +--- a/src/misc1.c ++++ b/src/misc1.c +@@ -6792,7 +6792,7 @@ find_start_brace(void) /* XXX */ + && (pos = ind_find_start_CORS(NULL)) == NULL) /* XXX */ + break; + if (pos != NULL) +- curwin->w_cursor.lnum = pos->lnum; ++ curwin->w_cursor = *pos; + } + curwin->w_cursor = cursor_save; + return trypos; +diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim +index 7c2c5e3..f8c7e57 100644 +--- a/src/testdir/test_cindent.vim ++++ b/src/testdir/test_cindent.vim +@@ -102,4 +102,16 @@ func Test_cindent_expr() + bw! + endfunc + ++func Test_find_brace_backwards() ++ " this was looking beyond the end of the line ++ new ++ norm R/* ++ norm o0{ ++ norm o// ++ norm V{= ++ call assert_equal(['/*', ' 0{', '//'], getline(1, 3)) ++ bwipe! ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab diff --git a/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch b/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch new file mode 100644 index 00000000..0cfaec6a --- /dev/null +++ b/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch @@ -0,0 +1,14 @@ +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index 1827fec..e69fbd3 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -6537,8 +6537,7 @@ find_help_tags( + || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL + && arg[2] != NUL))) + { +- STRCPY(d, "/\\\\"); +- STRCPY(d + 3, arg + 1); ++ vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1); + /* Check for "/\\_$", should be "/\\_\$" */ + if (d[3] == '_' && d[4] == '$') + STRCPY(d + 4, "\\$"); diff --git a/SOURCES/0001-patch-8.2.3949-using-freed-memory-with-V.patch b/SOURCES/0001-patch-8.2.3949-using-freed-memory-with-V.patch new file mode 100644 index 00000000..c3f7bb15 --- /dev/null +++ b/SOURCES/0001-patch-8.2.3949-using-freed-memory-with-V.patch @@ -0,0 +1,45 @@ +diff -up vim80/src/regexp.c.cve4192 vim80/src/regexp.c +--- vim80/src/regexp.c.cve4192 2022-01-12 15:21:44.792239040 +0100 ++++ vim80/src/regexp.c 2022-01-12 15:34:35.190425880 +0100 +@@ -4203,9 +4203,9 @@ reg_match_visual(void) + if (lnum < top.lnum || lnum > bot.lnum) + return FALSE; + ++ col = (colnr_T)(reginput - regline); + if (mode == 'v') + { +- col = (colnr_T)(reginput - regline); + if ((lnum == top.lnum && col < top.col) + || (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e'))) + return FALSE; +@@ -4220,7 +4220,12 @@ reg_match_visual(void) + end = end2; + if (top.col == MAXCOL || bot.col == MAXCOL) + end = MAXCOL; +- cols = win_linetabsize(wp, regline, (colnr_T)(reginput - regline)); ++ ++ // getvvcol() flushes rex.line, need to get it again ++ regline = reg_getline(reglnum); ++ reginput = regline + col; ++ ++ cols = win_linetabsize(wp, regline, col); + if (cols < start || cols > end - (*p_sel == 'e')) + return FALSE; + } +diff -up vim80/src/testdir/test_regexp_latin.vim.cve4192 vim80/src/testdir/test_regexp_latin.vim +--- vim80/src/testdir/test_regexp_latin.vim.cve4192 2022-01-12 15:21:44.792239040 +0100 ++++ vim80/src/testdir/test_regexp_latin.vim 2022-01-12 15:36:12.499693099 +0100 +@@ -80,3 +80,13 @@ func Test_using_invalid_visual_position( + /\%V + bwipe! + endfunc ++ ++func Test_using_visual_position() ++ " this was using freed memory ++ new ++ exe "norm 0o\\k\o0" ++ /\%V ++ bwipe! ++endfunc ++ ++" vim: shiftwidth=2 sts=2 expandtab diff --git a/SOURCES/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch b/SOURCES/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch new file mode 100644 index 00000000..485f00d5 --- /dev/null +++ b/SOURCES/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch @@ -0,0 +1,38 @@ +diff -up vim80/src/charset.c.cve4193 vim80/src/charset.c +--- vim80/src/charset.c.cve4193 2022-01-12 14:49:08.710592947 +0100 ++++ vim80/src/charset.c 2022-01-12 14:49:47.594705863 +0100 +@@ -1291,10 +1291,15 @@ getvcol( + posptr = NULL; /* continue until the NUL */ + else + { +- /* Special check for an empty line, which can happen on exit, when +- * ml_get_buf() always returns an empty string. */ +- if (*ptr == NUL) +- pos->col = 0; ++ colnr_T i; ++ ++ // In a few cases the position can be beyond the end of the line. ++ for (i = 0; i < pos->col; ++i) ++ if (ptr[i] == NUL) ++ { ++ pos->col = i; ++ break; ++ } + posptr = ptr + pos->col; + #ifdef FEAT_MBYTE + if (has_mbyte) +diff -up vim80/src/testdir/test_regexp_latin.vim.cve4193 vim80/src/testdir/test_regexp_latin.vim +--- vim80/src/testdir/test_regexp_latin.vim.cve4193 2022-01-12 14:49:08.710592947 +0100 ++++ vim80/src/testdir/test_regexp_latin.vim 2022-01-12 14:50:45.186873107 +0100 +@@ -72,3 +72,11 @@ func Test_backref() + call assert_fails('call search("\\%#=2\\(e\\1\\)")', 'E65:') + bwipe! + endfunc ++ ++func Test_using_invalid_visual_position() ++ " this was going beyond the end of the line ++ new ++ exe "norm 0o000\0\$s0" ++ /\%V ++ bwipe! ++endfunc diff --git a/SPECS/vim.spec b/SPECS/vim.spec index 159811df..0c0402a3 100644 --- a/SPECS/vim.spec +++ b/SPECS/vim.spec @@ -24,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 16%{?dist} +Release: 16%{?dist}.4 License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -79,6 +79,15 @@ Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch Patch3022: vim-cve3796.patch # 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0] Patch3023: vim-cve3778-fix.patch +Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch +# 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0] +Patch3025: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch +# 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0] +Patch3026: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch +# CVE-2021-4193 vim: vulnerable to Out-of-bounds Read +Patch3027: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch +# CVE-2021-4192 vim: vulnerable to Use After Free +Patch3028: 0001-patch-8.2.3949-using-freed-memory-with-V.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -279,6 +288,11 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3021 -p1 -b .rvim %patch3022 -p1 -b .cve3796 %patch3023 -p1 -b .cve3778 +%patch3024 -p1 -b .cve3872 +%patch3025 -p1 -b .cve3984 +%patch3026 -p1 -b .cve4019 +%patch3027 -p1 -b .cve4193 +%patch3028 -p1 -b .cve4192 %build %if 0%{?rhel} > 7 @@ -797,6 +811,20 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Wed Jan 12 2022 Zdenek Dohnal - 2:8.0.1763-16.4 +- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read +- CVE-2021-4192 vim: vulnerable to Use After Free + +* Fri Dec 03 2021 Zdenek Dohnal - 2:8.0.1763-16.3 +- 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0] +- 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0] + +* Tue Oct 26 2021 Zdenek Dohnal - 2:8.0.1763-16.2 +- remove the upstream test - uses a feature which is not presented in RHEL 8 + +* Tue Oct 26 2021 Zdenek Dohnal - 2:8.0.1763-16.1 +- CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0] + * Mon Sep 20 2021 Zdenek Dohnal - 2:8.0.1763-16 - 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0] - 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]