From 58d62a2b1954ebbe5b5f4f05bcc54907ead1e8da Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Thu, 12 Mar 2026 05:46:10 -0400
Subject: [PATCH] import CS git vim-8.0.1763-22.el8_10
---
 ...ecurity-buffer-overflow-in-helpfile-.patch | 39 +++++++++++++++++++
 ...nother-case-of-buffer-overflow-with-.patch | 26 +++++++++++++
 SPECS/vim.spec | 20 +++++++---
 3 files changed, 80 insertions(+), 5 deletions(-)
 create mode 100644 SOURCES/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
 create mode 100644 SOURCES/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
diff --git a/SOURCES/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch b/SOURCES/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
new file mode 100644
index 00000000..58c4857c
--- /dev/null
+++ b/SOURCES/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
@@ -0,0 +1,39 @@
+diff -up vim80/src/structs.h.tag-overflow vim80/src/structs.h
+--- vim80/src/structs.h.tag-overflow 2018-04-24 17:10:42.000000000 +0200
++++ vim80/src/structs.h 2026-02-25 15:20:08.027012072 +0100
+@@ -3423,3 +3423,7 @@ typedef struct {
+ int save_opcount;
+ tasave_T tabuf;
+ } save_state_T;
++
++// Return the length of a string literal
++#define STRLEN_LITERAL(s) (sizeof(s) - 1)
++
+diff -up vim80/src/tag.c.tag-overflow vim80/src/tag.c
+--- vim80/src/tag.c.tag-overflow 2018-03-05 15:55:42.000000000 +0100
++++ vim80/src/tag.c 2026-02-25 15:21:18.623604260 +0100
+@@ -2677,7 +2677,7 @@ get_tagfname(
+ if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
+ return FAIL;
+ ++tnp->tn_hf_idx;
+- STRCPY(buf, p_hf);
++ vim_strncpy(buf, p_hf, MAXPATHL - 1);
+ STRCPY(gettail(buf), "tags");
+ }
+ else
+diff -up vim80/src/testdir/test_help.vim.tag-overflow vim80/src/testdir/test_help.vim
+--- vim80/src/testdir/test_help.vim.tag-overflow 2017-12-11 10:20:46.000000000 +0100
++++ vim80/src/testdir/test_help.vim 2026-02-25 15:21:53.687898395 +0100
+@@ -49,3 +49,12 @@ func Test_help_local_additions()
+ call delete('Xruntime', 'rf')
+ let &rtp = rtp_save
+ endfunc
++
++" This caused a buffer overflow
++func Test_helpfile_overflow()
++ let _helpfile = &helpfile
++ let &helpfile = repeat('A', 5000)
++ help
++ helpclose
++ let &helpfile = _helpfile
++endfunc
diff --git a/SOURCES/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch b/SOURCES/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
new file mode 100644
index 00000000..7098a7ac
--- /dev/null
+++ b/SOURCES/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
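Review bot: The comment on `STRLEN_LITERAL` in the structs.h section says only "Return the length of a string literal", but the macro compiles just as well with a `char_u *` argument, where `sizeof(s) - 1` quietly becomes the pointer size minus one. Because the follow-up 9.1.2133 patch uses it to size a copy in tag.c, I would tighten the comment to `// Length of a string literal; s must be a literal or array, never a pointer`. Note also that the `MAXPATHL - 1` bound in the tag.c section still lets the following `STRCPY(gettail(buf), "tags")` lengthen the string, so this patch file is only complete together with 9.1.2133 and the two should not be shipped separately. get_tagfname() starts and ends outside the inner hunk.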
@@ -0,0 +1,26 @@
+diff -up vim80/src/tag.c.tag-overflow2 vim80/src/tag.c
+--- vim80/src/tag.c.tag-overflow2 2026-02-25 15:22:41.624581958 +0100
++++ vim80/src/tag.c 2026-02-25 15:23:23.993655916 +0100
+@@ -2677,7 +2677,7 @@ get_tagfname(
+ if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
+ return FAIL;
+ ++tnp->tn_hf_idx;
+- vim_strncpy(buf, p_hf, MAXPATHL - 1);
++ vim_strncpy(buf, p_hf, MAXPATHL - STRLEN_LITERAL("tags") - 1);
+ STRCPY(gettail(buf), "tags");
+ }
+ else
+diff -up vim80/src/testdir/test_help.vim.tag-overflow2 vim80/src/testdir/test_help.vim
+--- vim80/src/testdir/test_help.vim.tag-overflow2 2026-02-25 15:22:41.624858588 +0100
++++ vim80/src/testdir/test_help.vim 2026-02-25 15:24:01.774829851 +0100
+@@ -56,5 +56,10 @@ func Test_helpfile_overflow()
+ let &helpfile = repeat('A', 5000)
+ help
+ helpclose
++ for i in range(4089, 4096)
++ let &helpfile = repeat('A', i) . '/A'
++ help
++ helpclose
++ endfor
+ let &helpfile = _helpfile
+ endfunc
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index 88e53331..17cb8c67 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
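Review bot: In the tag.c section of the 9.1.2133 patch file, an over-long 'helpfile' value is silently truncated to `MAXPATHL - STRLEN_LITERAL("tags") - 1` bytes and the lookup then continues with whatever path the cut produces, so the tags file that gets opened may sit in a directory the user never configured. Rejecting the value looks safer and matches the existing `return FAIL` for an empty option, e.g. `if (STRLEN(p_hf) > MAXPATHL - STRLEN_LITERAL("tags") - 1) return FAIL;` ahead of the copy. The bound also assumes the caller's `buf` holds at least MAXPATHL bytes, which cannot be confirmed here because get_tagfname() starts and ends outside the hunk; a one-line comment stating that contract would help. In the test_help.vim section, `range(4089, 4096)` only straddles the boundary if MAXPATHL is 4096, which is presumably the case on the target platform but deserves a comment next to the loop.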
@@ -113,6 +113,11 @@ Patch3040: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch Patch3041: 0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch # RHEL-112007 CVE-2025-53906 vim: Vim path traversal Patch3042: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch +# RHEL-147935 CVE-2026-25749 vim: Heap Overflow in Vim +# 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch +# 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch +Patch3043: 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch +Patch3044: 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch # gcc is no longer in buildroot by default @@ -337,6 +342,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3040 -p1 -b .cve1927 %patch -P 3041 -p1 -b .CVE-2025-53905 %patch -P 3042 -p1 -b .CVE-2025-53906 +%patch -P 3043 -p1 -b .tag-overflow +%patch -P 3044 -p1 -b .tag-overflow2 %build %if 0%{?rhel} > 7 
@@ -855,23 +862,26 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Fri Feb 27 2026 Zdenek Dohnal - 2:8.0.1763-22 +- RHEL-147935 CVE-2026-25749 vim: Heap Overflow in Vim + * Wed Sep 17 2025 Zdenek Dohnal - 2:8.0.1763-21 - RHEL-112003 CVE-2025-53905 vim: Vim path traversial - RHEL-112007 CVE-2025-53906 vim: Vim path traversal -* Tue Jun 14 2022 Zdenek Dohnal - 2:8.0.1763-20 +* Tue Jun 14 2022 Zdenek Dohnal - 2:8.0.1763-19.4 - fix issue reported by covscan -* Mon Jun 13 2022 Zdenek Dohnal - 2:8.0.1763-20 +* Mon Jun 13 2022 Zdenek Dohnal - 2:8.0.1763-19.3 - CVE-2022-1785 vim: Out-of-bounds Write - CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c - CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c -* Sat May 14 2022 Zdenek Dohnal - 2:8.0.1763-20 +* Sat May 14 2022 Zdenek Dohnal - 2:8.0.1763-19.2 - CVE-2022-1621 vim: heap buffer overflow - CVE-2022-1629 vim: buffer over-read -* Sat Apr 09 2022 Zdenek Dohnal - 2:8.0.1763-20 +* Sat Apr 09 2022 Zdenek Dohnal - 2:8.0.1763-19.1 - CVE-2022-1154 vim: use after free in utf_ptr2char * Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-19