2016202 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-9.0]

Resolves: CVE-2021-3872

0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch

@@ -0,0 +1,72 @@
+From 826bfe4bbd7594188e3d74d2539d9707b1c6a14b Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 8 Oct 2021 18:39:28 +0100
+Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
+ long
+
+Problem:    Illegal memory access if buffer name is very long.
+Solution:   Make sure not to go over the end of the buffer.
+---
+ src/drawscreen.c                | 10 +++++-----
+ src/testdir/test_statusline.vim | 10 ++++++++++
+ src/version.c                   |  2 ++
+ 3 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/drawscreen.c b/src/drawscreen.c
+index 82e53753b..e38ca9586 100644
+--- a/src/drawscreen.c
++++ b/src/drawscreen.c
+@@ -464,13 +464,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+ 	    *(p + len++) = ' ';
+ 	if (bt_help(wp->w_buffer))
+ 	{
+-	    STRCPY(p + len, _("[Help]"));
++	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ #ifdef FEAT_QUICKFIX
+ 	if (wp->w_p_pvw)
+ 	{
+-	    STRCPY(p + len, _("[Preview]"));
++	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ #endif
+@@ -480,12 +480,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+ #endif
+ 		)
+ 	{
+-	    STRCPY(p + len, "[+]");
+-	    len += 3;
++	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
++	    len += (int)STRLEN(p + len);
+ 	}
+ 	if (wp->w_buffer->b_p_ro)
+ 	{
+-	    STRCPY(p + len, _("[RO]"));
++	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ 
+diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
+index f3eea2e71..a952de69b 100644
+--- a/src/testdir/test_statusline.vim
++++ b/src/testdir/test_statusline.vim
+@@ -522,4 +522,14 @@ func Test_statusline_mbyte_fillchar()
+   %bw!
+ endfunc
+ 
++" Used to write beyond allocated memory.  This assumes MAXPATHL is 4096 bytes.
++func Test_statusline_verylong_filename()
++  let fname = repeat('x', 4090)
++  exe "new " .. fname
++  set buftype=help
++  set previewwindow
++  redraw
++  bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.31.1
+

vim.spec

@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -78,6 +78,8 @@ Patch3022: 0001-patch-8.2.3409-reading-beyond-end-of-line-with-inval.patch
 Patch3023: 0001-patch-8.2.3428-using-freed-memory-when-replacing.patch
 # 2015517 - [s390x] Vim needs to be compiled with -D_REENTRANT
 Patch3024: 0001-patch-8.2.3406-on-some-systems-tests-fail-without-_R.patch
+# 2016202 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-9.0]
+Patch3025: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -289,6 +291,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3022 -p1 -b .cve-utf-ptrchar
 %patch3023 -p1 -b .cve-nv-replace
 %patch3024 -p1 -b .reentrant
+%patch3025 -p1 -b .cve-win-redr
 
 %build
 cd src
@@ -846,6 +849,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-8
+- 2016202 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-9.0]
+
 * Tue Oct 19 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-7
 - 2015517 - [s390x] Vim needs to be compiled with -D_REENTRANT