import CS git vim-8.0.1763-22.el8_10

2026-03-12 05:46:10 -04:00 · 2026-03-12 05:46:10 -04:00 · 58d62a2b19
commit 58d62a2b19
parent a2b7606273
3 changed files with 80 additions and 5 deletions
--- a/SOURCES/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
+++ b/SOURCES/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
@ -0,0 +1,39 @@
+diff -up vim80/src/structs.h.tag-overflow vim80/src/structs.h
+--- vim80/src/structs.h.tag-overflow	2018-04-24 17:10:42.000000000 +0200
+++ vim80/src/structs.h	2026-02-25 15:20:08.027012072 +0100
+@@ -3423,3 +3423,7 @@ typedef struct {
+     int		save_opcount;
+     tasave_T	tabuf;
+ } save_state_T;
+
+// Return the length of a string literal
+#define STRLEN_LITERAL(s) (sizeof(s) - 1)
+
+diff -up vim80/src/tag.c.tag-overflow vim80/src/tag.c
+--- vim80/src/tag.c.tag-overflow	2018-03-05 15:55:42.000000000 +0100
+++ vim80/src/tag.c	2026-02-25 15:21:18.623604260 +0100
+@@ -2677,7 +2677,7 @@ get_tagfname(
+ 	    if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
+ 		return FAIL;
+ 	    ++tnp->tn_hf_idx;
+-	    STRCPY(buf, p_hf);
+	    vim_strncpy(buf, p_hf, MAXPATHL - 1);
+ 	    STRCPY(gettail(buf), "tags");
+ 	}
+ 	else
+diff -up vim80/src/testdir/test_help.vim.tag-overflow vim80/src/testdir/test_help.vim
+--- vim80/src/testdir/test_help.vim.tag-overflow	2017-12-11 10:20:46.000000000 +0100
+++ vim80/src/testdir/test_help.vim	2026-02-25 15:21:53.687898395 +0100
+@@ -49,3 +49,12 @@ func Test_help_local_additions()
+   call delete('Xruntime', 'rf')
+   let &rtp = rtp_save
+ endfunc
+
+" This caused a buffer overflow
+func Test_helpfile_overflow()
+  let _helpfile = &helpfile
+  let &helpfile = repeat('A', 5000)
+  help
+  helpclose
+  let &helpfile = _helpfile
+endfunc
--- a/SOURCES/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
+++ b/SOURCES/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
@ -0,0 +1,26 @@
+diff -up vim80/src/tag.c.tag-overflow2 vim80/src/tag.c
+--- vim80/src/tag.c.tag-overflow2	2026-02-25 15:22:41.624581958 +0100
+++ vim80/src/tag.c	2026-02-25 15:23:23.993655916 +0100
+@@ -2677,7 +2677,7 @@ get_tagfname(
+ 	    if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
+ 		return FAIL;
+ 	    ++tnp->tn_hf_idx;
+-	    vim_strncpy(buf, p_hf, MAXPATHL - 1);
+	    vim_strncpy(buf, p_hf, MAXPATHL - STRLEN_LITERAL("tags") - 1);
+ 	    STRCPY(gettail(buf), "tags");
+ 	}
+ 	else
+diff -up vim80/src/testdir/test_help.vim.tag-overflow2 vim80/src/testdir/test_help.vim
+--- vim80/src/testdir/test_help.vim.tag-overflow2	2026-02-25 15:22:41.624858588 +0100
+++ vim80/src/testdir/test_help.vim	2026-02-25 15:24:01.774829851 +0100
+@@ -56,5 +56,10 @@ func Test_helpfile_overflow()
+   let &helpfile = repeat('A', 5000)
+   help
+   helpclose
+  for i in range(4089, 4096)
+    let &helpfile = repeat('A', i) . '/A'
+    help
+    helpclose
+  endfor
+   let &helpfile = _helpfile
+ endfunc
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@ -113,6 +113,11 @@ Patch3040: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
 Patch3041: 0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch
 # RHEL-112007 CVE-2025-53906 vim: Vim path traversal
 Patch3042: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
+# RHEL-147935 CVE-2026-25749 vim: Heap Overflow in Vim
+# 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
+# 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
+Patch3043: 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
+Patch3044: 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch


 # gcc is no longer in buildroot by default
@ -337,6 +342,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3040 -p1 -b .cve1927
 %patch -P 3041 -p1 -b .CVE-2025-53905
 %patch -P 3042 -p1 -b .CVE-2025-53906
+%patch -P 3043 -p1 -b .tag-overflow
+%patch -P 3044 -p1 -b .tag-overflow2

 %build
 %if 0%{?rhel} > 7
@ -855,23 +862,26 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*

 %changelog
+* Fri Feb 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-22
+- RHEL-147935 CVE-2026-25749 vim: Heap Overflow in Vim
+
 * Wed Sep 17 2025 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-21
 - RHEL-112003 CVE-2025-53905 vim: Vim path traversial
 - RHEL-112007 CVE-2025-53906 vim: Vim path traversal

-* Tue Jun 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-20
+* Tue Jun 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.4
 - fix issue reported by covscan

-* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-20
+* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.3
 - CVE-2022-1785 vim: Out-of-bounds Write
 - CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
 - CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c

-* Sat May 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-20
+* Sat May 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.2
 - CVE-2022-1621 vim: heap buffer overflow
 - CVE-2022-1629 vim: buffer over-read

-* Sat Apr 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-20
+* Sat Apr 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.1
 - CVE-2022-1154 vim: use after free in utf_ptr2char

 * Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19