diff --git a/0001-patch-8.2.3949-using-freed-memory-with-V.patch b/0001-patch-8.2.3949-using-freed-memory-with-V.patch new file mode 100644 index 0000000..6a6ae25 --- /dev/null +++ b/0001-patch-8.2.3949-using-freed-memory-with-V.patch @@ -0,0 +1,44 @@ +diff -up vim82/src/regexp.c.cve4192 vim82/src/regexp.c +--- vim82/src/regexp.c.cve4192 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/regexp.c 2022-01-13 10:54:17.629176807 +0100 +@@ -1316,9 +1316,9 @@ reg_match_visual(void) + if (lnum < top.lnum || lnum > bot.lnum) + return FALSE; + ++ col = (colnr_T)(rex.input - rex.line); + if (mode == 'v') + { +- col = (colnr_T)(rex.input - rex.line); + if ((lnum == top.lnum && col < top.col) + || (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e'))) + return FALSE; +@@ -1333,7 +1333,12 @@ reg_match_visual(void) + end = end2; + if (top.col == MAXCOL || bot.col == MAXCOL) + end = MAXCOL; +- cols = win_linetabsize(wp, rex.line, (colnr_T)(rex.input - rex.line)); ++ ++ // getvvcol() flushes rex.line, need to get it again ++ rex.line = reg_getline(rex.lnum); ++ rex.input = rex.line + col; ++ ++ cols = win_linetabsize(wp, rex.line, col); + if (cols < start || cols > end - (*p_sel == 'e')) + return FALSE; + } +diff -up vim82/src/testdir/test_regexp_latin.vim.cve4192 vim82/src/testdir/test_regexp_latin.vim +--- vim82/src/testdir/test_regexp_latin.vim.cve4192 2022-01-13 10:52:05.508789448 +0100 ++++ vim82/src/testdir/test_regexp_latin.vim 2022-01-13 10:52:05.510789454 +0100 +@@ -946,4 +946,12 @@ func Test_using_invalid_visual_position( + bwipe! + endfunc + ++func Test_using_visual_position() ++ " this was using freed memory ++ new ++ exe "norm 0o\\k\o0" ++ /\%V ++ bwipe! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab diff --git a/vim.spec b/vim.spec index b876f76..234c6df 100644 --- a/vim.spec +++ b/vim.spec @@ -86,6 +86,8 @@ Patch3026: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch # CVE-2021-4193 vim: vulnerable to Out-of-bounds Read Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch +# CVE-2021-4192 vim: vulnerable to Use After Free +Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -301,6 +303,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3026 -p1 -b .cve3984 %patch3027 -p1 -b .cve4019 %patch3028 -p1 -b .cve4193 +%patch3029 -p1 -b .cve4192 %build cd src @@ -860,6 +863,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %changelog * Thu Jan 13 2022 Zdenek Dohnal - 2:8.2.2637-10 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read +- CVE-2021-4192 vim: vulnerable to Use After Free * Mon Dec 06 2021 Zdenek Dohnal - 2:8.2.2637-9 - 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0]