RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s)

Resolves: RHEL-44652
Zdenek Dohnal 2024-12-05 17:29:15 +01:00
parent 91bb413f10
commit 2882c25ede
3 changed files with 122 additions and 1 deletions

@ -0,0 +1,61 @@
From 39a94d20487794aeb722c21e84f8816e217f0cfe Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Wed, 4 Dec 2024 20:16:17 +0100
Subject: [PATCH] patch 9.1.0903: potential overflow in spell_soundfold_wsal()
Problem: potential overflow in spell_soundfold_wsal()
Solution: Protect wres from buffer overflow, by checking the
length (Zdenek Dohnal)
Error: OVERRUN (CWE-119):
vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
"reslen" is 254 on the false branch.
vim91/src/spell.c:3833: incr: Incrementing "reslen". The value of "reslen"
is now 255.
vim91/src/spell.c:3792: overrun-local: Overrunning array "wres" of 254
4-byte elements at element index 254 (byte offset 1019) using index
"reslen - 1" (which evaluates to 254).
3789| {
3790| // rule with '<' is used
3791|-> if (reslen > 0 && ws != NULL && *ws != NUL
3792| && (wres[reslen - 1] == c
3793| || wres[reslen - 1] == *ws))
Error: OVERRUN (CWE-119):
vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
"reslen" is 254 on the false branch.
vim91/src/spell.c:3833: overrun-local: Overrunning array "wres" of 254
4-byte elements at element index 254 (byte offset 1019) using index
"reslen++" (which evaluates to 254).
3831| {
3832| if (c != NUL)
3833|-> wres[reslen++] = c;
3834| mch_memmove(word, word + i + 1,
3835| sizeof(int) * (wordlen -
(i + 1) + 1));
related: #16163
Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
src/spell.c | 2 +-
src/version.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/spell.c b/src/spell.c
index 5a7720f7f..2581a5ede 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -3829,7 +3829,7 @@ spell_soundfold_wsal(slang_T *slang, char_u *inword, char_u *res)
c = *ws;
if (strstr((char *)s, "^^") != NULL)
{
- if (c != NUL)
+ if (c != NUL && reslen < MAXWLEN)
wres[reslen++] = c;
mch_memmove(word, word + i + 1,
sizeof(int) * (wordlen - (i + 1) + 1));
--
2.47.1
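Review bot: The guard added at "if (c != NUL && reslen < MAXWLEN)" is only correct if MAXWLEN is the declared size of wres, which the quoted report gives just as the number 254; state that in the message or bound against the array itself so the check survives a change to the declaration. When the guard fails, c is dropped while the mch_memmove() below still shifts word, so the result is silently truncated; a one-line comment at that spot would make the intent clear. The report's first finding, the read of wres[reslen - 1] at line 3792, is not touched directly and is covered only because reslen can no longer pass the bound, which the message should say. The diffstat in this file also still lists src/version.c with 2 insertions although no version.c hunk is included; note in the spec that it was dropped on purpose.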

@ -0,0 +1,48 @@
From 215c82d061d750d8a26ef52f529a9e3ca4e0f82a Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Wed, 4 Dec 2024 20:19:40 +0100
Subject: [PATCH] patch 9.1.0904: Vim9: copy-paste error in
class_defining_member()
Problem: Vim9: copy-paste error in class_defining_member()
Solution: use variable type VAR_CLASS instead (Zdenek Dohnal)
Found issue by OpenScanHub:
Error: COPY_PASTE_ERROR (CWE-398):
vim91/src/vim9class.c:3308: original: "VAR_OBJECT" looks like the
original copy.
vim91/src/vim9class.c:3316: copy_paste_error: "VAR_OBJECT" looks like a
copy-paste error.
vim91/src/vim9class.c:3316: remediation: Should it say "VAR_CLASS"
instead?
3314| {
3315| cl_tmp = super;
3316|-> vartype = VAR_OBJECT;
3317| }
3318| }
closes: #16163
Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
src/version.c | 2 ++
src/vim9class.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/vim9class.c b/src/vim9class.c
index d0ddcb820..e85cf827f 100644
--- a/src/vim9class.c
+++ b/src/vim9class.c
@@ -3313,7 +3313,7 @@ class_defining_member(class_T *cl, char_u *name, size_t len, ocmember_T **p_m)
if (( m = class_member_lookup(super, name, len, NULL)) != NULL)
{
cl_tmp = super;
- vartype = VAR_OBJECT;
+ vartype = VAR_CLASS;
}
}
if (cl_tmp == NULL)
--
2.47.1
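Review bot: The change to "vartype = VAR_CLASS;" inside the class_member_lookup(super, ...) branch alters the value vartype carries out of that branch, yet the patch adds no test and the message justifies it only with the scanner's question "Should it say VAR_CLASS instead?". Please add a Vim9 test that reaches a member defined in a parent class through this path, or describe what the old VAR_OBJECT value caused, so the fix is backed by observed behaviour rather than by the pattern match alone.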

@ -51,7 +51,7 @@ Summary: The VIM editor
URL: http://www.vim.org/
Name: vim
Version: %{baseversion}.%{patchlevel}
Release: 3%{?dist}
Release: 4%{?dist}
Epoch: 2
# swift.vim contains Apache 2.0 with runtime library exception:
# which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
@ -99,6 +99,13 @@ Patch3003: vim-python3-tests.patch
Patch3004: vim-crypto-warning.patch
# don't ever set mouse (Fedora downstream patch)
Patch3005: vim-8.0-copy-paste.patch
# RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s)
# 2 patches: 0001-src-spell.c-Protect-wres-from-possible-buffer-overfl.patch
# 0003-src-vim9class.c-Fix-typo.patch
# upstreamed as: https://github.com/vim/vim/commit/215c82d06
# https://github.com/vim/vim/commit/39a94d204
Patch3006: 0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch
Patch3007: 0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch
# uses autoconf in spec file
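Review bot: The comment above Patch3006 names 0001-src-spell.c-Protect-wres-from-possible-buffer-overfl.patch and 0003-src-vim9class.c-Fix-typo.patch, but the files actually referenced are the ones on the Patch3006 and Patch3007 lines, so the comment points at names that are not in the package; use the real file names. The two upstream URLs are also listed in the opposite order to the patches (215c82d06 is the vim9class.c fix, 39a94d204 the spell.c one); put each URL next to its own Patch line. Since the ticket title speaks of 4 true positives and only 2 patches are added, say here how the remaining findings are covered.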
@ -422,6 +429,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch -P 3003 -p1 -b .python-tests
%patch -P 3004 -p1 -b .fips-warning
%patch -P 3005 -p1 -b .copypaste
%patch -P 3006 -p1 -b .buffer-overflow
%patch -P 3007 -p1 -b .typo
%build
cd src
@ -1057,6 +1066,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%changelog
* Thu Dec 05 2024 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-4
- RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2:9.1.083-3
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
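Review bot: The new %changelog entry for 2:9.1.083-4 repeats the ticket title and does not say what changed; name the two fixes (the bounds check in spell_soundfold_wsal() and the vartype correction in class_defining_member()) so the entry is useful without opening the ticket. The entry below it puts the ticket on a separate "Resolves:" line, and following that layout here would keep the changelog consistent.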