rpms/vim
5
0
Fork 0
Code Issues Pull Requests Releases Activity

CVE-2022-1154 vim: use after free in utf_ptr2char

Browse Source 
Resolves: CVE-2022-1154
This commit is contained in:
Zdenek Dohnal 2022-04-25 15:55:02 +02:00
parent 13ff67f4d3
commit 70b0772976
2 changed files with 51 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch Normal file
View File

@ -0,0 +1,44 @@
diff -up vim82/src/regexp_bt.c.cve1154 vim82/src/regexp_bt.c
--- vim82/src/regexp_bt.c.cve1154 2022-04-25 15:22:28.367621755 +0200
+++ vim82/src/regexp_bt.c 2022-04-25 15:25:13.726340728 +0200
@@ -3188,8 +3188,17 @@ regmatch(
int mark = OPERAND(scan)[0];
int cmp = OPERAND(scan)[1];
pos_T *pos;
+ size_t col = REG_MULTI ? rex.input - rex.line : 0;
pos = getmark_buf(rex.reg_buf, mark, FALSE);
+
+ // Line may have been freed, get it again.
+ if (REG_MULTI)
+ {
+ rex.line = reg_getline(rex.lnum);
+ rex.input = rex.line + col;
+ }
+
if (pos == NULL // mark doesn't exist
|| pos->lnum <= 0 // mark isn't set in reg_buf
|| (pos->lnum == rex.lnum + rex.reg_firstlnum
diff -up vim82/src/testdir/test_regexp_latin.vim.cve1154 vim82/src/testdir/test_regexp_latin.vim
--- vim82/src/testdir/test_regexp_latin.vim.cve1154 2022-04-25 15:22:28.368621752 +0200
+++ vim82/src/testdir/test_regexp_latin.vim 2022-04-25 15:26:57.515227712 +0200
@@ -954,4 +954,19 @@ func Test_using_visual_position()
bwipe!
endfunc
+func Test_using_mark_position()
+ " this was using freed memory
+ " new engine
+ new
+ norm O0
+ call assert_fails("s/\\%')", 'E486:')
+ bwipe!
+
+ " old engine
+ new
+ norm O0
+ call assert_fails("s/\\%#=1\\%')", 'E486:')
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab

8
vim.spec
View File

@ -27,7 +27,7 @@ Summary: The VIM editor
URL: http://www.vim.org/ URL: http://www.vim.org/
Name: vim Name: vim
Version: %{baseversion}.%{patchlevel} Version: %{baseversion}.%{patchlevel}
Release: 16%{?dist} Release: 17%{?dist}
License: Vim and MIT License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: virc Source1: virc
@ -120,6 +120,8 @@ Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
# CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim # CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
# CVE-2022-1154 vim: use after free in utf_ptr2char
Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
# gcc is no longer in buildroot by default # gcc is no longer in buildroot by default
BuildRequires: gcc BuildRequires: gcc
@ -352,6 +354,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3043 -p1 -b .cve0714 %patch3043 -p1 -b .cve0714
%patch3044 -p1 -b .cve0554 %patch3044 -p1 -b .cve0554
%patch3045 -p1 -b .cve0943 %patch3045 -p1 -b .cve0943
%patch3046 -p1 -b .cve1154
%build %build
cd src cd src
@ -909,6 +912,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%endif %endif
%changelog %changelog
* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-17
- CVE-2022-1154 vim: use after free in utf_ptr2char
* Mon Mar 28 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16 * Mon Mar 28 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16
- CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior - CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
- CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim - CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim