diff --git a/0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch b/0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch
new file mode 100644
index 00000000..0882089f
--- /dev/null
+++ b/0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch
@@ -0,0 +1,61 @@
+From 39a94d20487794aeb722c21e84f8816e217f0cfe Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Wed, 4 Dec 2024 20:16:17 +0100
+Subject: [PATCH] patch 9.1.0903: potential overflow in spell_soundfold_wsal()
+
+Problem: potential overflow in spell_soundfold_wsal()
+Solution: Protect wres from buffer overflow, by checking the
+ length (Zdenek Dohnal)
+
+Error: OVERRUN (CWE-119):
+vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
+"reslen" is 254 on the false branch.
+vim91/src/spell.c:3833: incr: Incrementing "reslen". The value of "reslen"
+is now 255.
+vim91/src/spell.c:3792: overrun-local: Overrunning array "wres" of 254
+4-byte elements at element index 254 (byte offset 1019) using index
+"reslen - 1" (which evaluates to 254).
+ 3789| {
+ 3790| // rule with '<' is used
+ 3791|-> if (reslen > 0 && ws != NULL && *ws != NUL
+ 3792| && (wres[reslen - 1] == c
+ 3793| || wres[reslen - 1] == *ws))
+
+Error: OVERRUN (CWE-119):
+vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
+"reslen" is 254 on the false branch.
+vim91/src/spell.c:3833: overrun-local: Overrunning array "wres" of 254
+4-byte elements at element index 254 (byte offset 1019) using index
+"reslen++" (which evaluates to 254).
+ 3831| {
+ 3832| if (c != NUL)
+ 3833|-> wres[reslen++] = c;
+ 3834| mch_memmove(word, word + i + 1,
+ 3835| sizeof(int) * (wordlen -
+(i + 1) + 1));
+
+related: #16163
+
+Signed-off-by: Zdenek Dohnal
+Signed-off-by: Christian Brabandt
+---
+ src/spell.c | 2 +-
+ src/version.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/spell.c b/src/spell.c
+index 5a7720f7f..2581a5ede 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -3829,7 +3829,7 @@ spell_soundfold_wsal(slang_T *slang, char_u *inword, char_u *res)
+ c = *ws;
+ if (strstr((char *)s, "^^") != NULL)
+ {
+- if (c != NUL)
++ if (c != NUL && reslen < MAXWLEN)
+ wres[reslen++] = c;
+ mch_memmove(word, word + i + 1,
+ sizeof(int) * (wordlen - (i + 1) + 1));
+--
+2.47.1
+
diff --git a/0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch b/0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch
new file mode 100644
index 00000000..19a2be8a
--- /dev/null
+++ b/0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch
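Review bot: The added `reslen < MAXWLEN` guard fixes the write at spell.c:3833 but the patch header says nothing about the second Coverity finding, the `wres[reslen - 1]` read at 3792, which this change only covers indirectly: assuming the two sites in the trace are the only places reslen grows, reslen can no longer reach 255, so `reslen - 1` stays inside the 254-element array; that reasoning belongs in the header, e.g. `Bounding reslen here also keeps the wres[reslen - 1] read at 3792 in range.` Note that the guard drops the character silently when wres is full, the same truncation the existing `reslen < 254` check at 3819 already performs, so over-long words now soundfold consistently but truncated rather than failing. The diffstat still lists `src/version.c | 2 ++` although the version.c hunk was stripped from this backport; the second patch file below has the same leftover. spell_soundfold_wsal() starts and ends outside the hunk.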
@@ -0,0 +1,48 @@
+From 215c82d061d750d8a26ef52f529a9e3ca4e0f82a Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Wed, 4 Dec 2024 20:19:40 +0100
+Subject: [PATCH] patch 9.1.0904: Vim9: copy-paste error in
+ class_defining_member()
+
+Problem: Vim9: copy-paste error in class_defining_member()
+Solution: use variable type VAR_CLASS instead (Zdenek Dohnal)
+
+Found issue by OpenScanHub:
+Error: COPY_PASTE_ERROR (CWE-398):
+vim91/src/vim9class.c:3308: original: "VAR_OBJECT" looks like the
+original copy.
+vim91/src/vim9class.c:3316: copy_paste_error: "VAR_OBJECT" looks like a
+copy-paste error.
+vim91/src/vim9class.c:3316: remediation: Should it say "VAR_CLASS"
+instead?
+3314| {
+3315| cl_tmp = super;
+3316|-> vartype = VAR_OBJECT;
+3317| }
+3318| }
+
+closes: #16163
+
+Signed-off-by: Zdenek Dohnal
+Signed-off-by: Christian Brabandt
+---
+ src/version.c | 2 ++
+ src/vim9class.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/vim9class.c b/src/vim9class.c
+index d0ddcb820..e85cf827f 100644
+--- a/src/vim9class.c
++++ b/src/vim9class.c
+@@ -3313,7 +3313,7 @@ class_defining_member(class_T *cl, char_u *name, size_t len, ocmember_T **p_m)
+ if (( m = class_member_lookup(super, name, len, NULL)) != NULL)
+ {
+ cl_tmp = super;
+- vartype = VAR_OBJECT;
++ vartype = VAR_CLASS;
+ }
+ }
+ if (cl_tmp == NULL)
+--
+2.47.1
+
diff --git a/vim.spec b/vim.spec
index 12c6c819..f39b63e5 100644
--- a/vim.spec
+++ b/vim.spec
@@ -51,7 +51,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 # swift.vim contains Apache 2.0 with runtime library exception:
 # which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
@@ -99,6 +99,13 @@ Patch3003: vim-python3-tests.patch Patch3004: vim-crypto-warning.patch # don't ever set mouse (Fedora downstream patch) Patch3005: vim-8.0-copy-paste.patch +# RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s) +# 2 patches: 0001-src-spell.c-Protect-wres-from-possible-buffer-overfl.patch +# 0003-src-vim9class.c-Fix-typo.patch +# upstreamed as: https://github.com/vim/vim/commit/215c82d06 +# https://github.com/vim/vim/commit/39a94d204 +Patch3006: 0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch +Patch3007: 0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch # uses autoconf in spec file @@ -422,6 +429,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3003 -p1 -b .python-tests %patch -P 3004 -p1 -b .fips-warning %patch -P 3005 -p1 -b .copypaste +%patch -P 3006 -p1 -b .buffer-overflow +%patch -P 3007 -p1 -b .typo %build cd src @@ -1057,6 +1066,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %changelog +* Thu Dec 05 2024 Zdenek Dohnal - 2:9.1.083-4 +- RHEL-44652 vim-9.1.083-1.el10: RHEL SAST Automation: address 4 High impact true positive(s) + * Tue Oct 29 2024 Troy Dawson - 2:9.1.083-3 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018
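Review bot: The comment block added above `Patch3006` in the `@@ -99` hunk names the two patches as `0001-src-spell.c-Protect-wres-from-possible-buffer-overfl.patch` and `0003-src-vim9class.c-Fix-typo.patch`, while the files this commit actually adds and the `Patch3006:`/`Patch3007:` lines reference are `0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch` and `0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch`. A reader tracing the fix will not find the listed names anywhere in the package, so the comment should carry the real file names, e.g. `# 2 patches: 0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch` and `#            0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch`. The two upstream commit links are also listed in the reverse order of the patches (215c82d06 is the vim9class fix applied as Patch3007, 39a94d204 the spell.c fix applied as Patch3006); pairing each link with its patch line avoids that lookup.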