rpms/vim
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import vim-8.0.1763-16.el8_5.4

Browse Source
This commit is contained in:
CentOS Sources 2022-01-19 21:26:22 +00:00 committed by Stepan Oksanichenko
parent fdc86bdaef
commit 6c2fa8c102
3 changed files with 94 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
SOURCES/0001-patch-8.2.3949-using-freed-memory-with-V.patch Normal file
View File

@ -0,0 +1,45 @@
diff -up vim80/src/regexp.c.cve4192 vim80/src/regexp.c
--- vim80/src/regexp.c.cve4192 2022-01-12 15:21:44.792239040 +0100
+++ vim80/src/regexp.c 2022-01-12 15:34:35.190425880 +0100
@@ -4203,9 +4203,9 @@ reg_match_visual(void)
if (lnum < top.lnum || lnum > bot.lnum)
return FALSE;
+ col = (colnr_T)(reginput - regline);
if (mode == 'v')
{
- col = (colnr_T)(reginput - regline);
if ((lnum == top.lnum && col < top.col)
|| (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
return FALSE;
@@ -4220,7 +4220,12 @@ reg_match_visual(void)
end = end2;
if (top.col == MAXCOL || bot.col == MAXCOL)
end = MAXCOL;
- cols = win_linetabsize(wp, regline, (colnr_T)(reginput - regline));
+
+ // getvvcol() flushes rex.line, need to get it again
+ regline = reg_getline(reglnum);
+ reginput = regline + col;
+
+ cols = win_linetabsize(wp, regline, col);
if (cols < start || cols > end - (*p_sel == 'e'))
return FALSE;
}
diff -up vim80/src/testdir/test_regexp_latin.vim.cve4192 vim80/src/testdir/test_regexp_latin.vim
--- vim80/src/testdir/test_regexp_latin.vim.cve4192 2022-01-12 15:21:44.792239040 +0100
+++ vim80/src/testdir/test_regexp_latin.vim 2022-01-12 15:36:12.499693099 +0100
@@ -80,3 +80,13 @@ func Test_using_invalid_visual_position(
/\%V
bwipe!
endfunc
+
+func Test_using_visual_position()
+ " this was using freed memory
+ new
+ exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
+ /\%V
+ bwipe!
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab

38
SOURCES/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch Normal file
View File

@ -0,0 +1,38 @@
diff -up vim80/src/charset.c.cve4193 vim80/src/charset.c
--- vim80/src/charset.c.cve4193 2022-01-12 14:49:08.710592947 +0100
+++ vim80/src/charset.c 2022-01-12 14:49:47.594705863 +0100
@@ -1291,10 +1291,15 @@ getvcol(
posptr = NULL; /* continue until the NUL */
else
{
- /* Special check for an empty line, which can happen on exit, when
- * ml_get_buf() always returns an empty string. */
- if (*ptr == NUL)
- pos->col = 0;
+ colnr_T i;
+
+ // In a few cases the position can be beyond the end of the line.
+ for (i = 0; i < pos->col; ++i)
+ if (ptr[i] == NUL)
+ {
+ pos->col = i;
+ break;
+ }
posptr = ptr + pos->col;
#ifdef FEAT_MBYTE
if (has_mbyte)
diff -up vim80/src/testdir/test_regexp_latin.vim.cve4193 vim80/src/testdir/test_regexp_latin.vim
--- vim80/src/testdir/test_regexp_latin.vim.cve4193 2022-01-12 14:49:08.710592947 +0100
+++ vim80/src/testdir/test_regexp_latin.vim 2022-01-12 14:50:45.186873107 +0100
@@ -72,3 +72,11 @@ func Test_backref()
call assert_fails('call search("\\%#=2\\(e\\1\\)")', 'E65:')
bwipe!
endfunc
+
+func Test_using_invalid_visual_position()
+ " this was going beyond the end of the line
+ new
+ exe "norm 0o000\<Esc>0\<C-V>$s0"
+ /\%V
+ bwipe!
+endfunc

12
SPECS/vim.spec
View File

@ -24,7 +24,7 @@ Summary: The VIM editor
URL: http://www.vim.org/ URL: http://www.vim.org/
Name: vim Name: vim
Version: %{baseversion}.%{patchlevel} Version: %{baseversion}.%{patchlevel}
Release: 16%{?dist}.3 Release: 16%{?dist}.4
License: Vim and MIT License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: vim.sh Source1: vim.sh
@ -84,6 +84,10 @@ Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
Patch3025: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch Patch3025: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
# 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0] # 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
Patch3026: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch Patch3026: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
# CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
Patch3027: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
# CVE-2021-4192 vim: vulnerable to Use After Free
Patch3028: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
# gcc is no longer in buildroot by default # gcc is no longer in buildroot by default
BuildRequires: gcc BuildRequires: gcc
@ -287,6 +291,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3024 -p1 -b .cve3872 %patch3024 -p1 -b .cve3872
%patch3025 -p1 -b .cve3984 %patch3025 -p1 -b .cve3984
%patch3026 -p1 -b .cve4019 %patch3026 -p1 -b .cve4019
%patch3027 -p1 -b .cve4193
%patch3028 -p1 -b .cve4192
%build %build
%if 0%{?rhel} > 7 %if 0%{?rhel} > 7
@ -805,6 +811,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%{_datadir}/icons/locolor/*/apps/* %{_datadir}/icons/locolor/*/apps/*
%changelog %changelog
* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.4
- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
- CVE-2021-4192 vim: vulnerable to Use After Free
* Fri Dec 03 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.3 * Fri Dec 03 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.3
- 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0] - 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
- 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0] - 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]