From 71d1d36ac86fad58f1264794faa3fccd3bee9eb1 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 9 Feb 2022 09:55:42 +0100
Subject: [PATCH] CVE-2022-0368 vim: Out-of-bounds Read in vim
Resolves: CVE-2022-0368
---
 ...llegal-memory-access-when-undo-makes.patch | 55 +++++++++++++++++++
 vim.spec | 6 ++
 2 files changed, 61 insertions(+)
 create mode 100644 0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch
diff --git a/0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch b/0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch
new file mode 100644
index 0000000..adf946c
--- /dev/null
+++ b/0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch
@@ -0,0 +1,55 @@
+From 8d02ce1ed75d008c34a5c9aaa51b67cbb9d33baa Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 25 Jan 2022 18:24:00 +0000
+Subject: [PATCH] patch 8.2.4217: illegal memory access when undo makes Visual
+ area invalid
+
+Problem: Illegal memory access when undo makes Visual area invalid.
+Solution: Correct the Visual area after undo.
+---
+ src/testdir/test_visual.vim | 15 +++++++++++++++
+ src/undo.c | 2 ++
+ src/version.c | 2 ++
+ 3 files changed, 19 insertions(+)
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 9b322fd21..b2beda08d 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -1339,5 +1339,20 @@ func Test_visual_ex_copy_line()
+ bwipe!
+ endfunc
+
++" This was leaving the end of the Visual area beyond the end of a line.
++" Set 'undolevels' to start a new undo block.
++func Test_visual_undo_deletes_last_line()
++ new
++ call setline(1, ["aaa", "ccc", "dyd"])
++ set undolevels=100
++ exe "normal obbbbbbbbbxbb\"
++ set undolevels=100
++ /y
++ exe "normal ggvjfxO"
++ undo
++ normal gNU
++ bwipe!
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/undo.c b/src/undo.c
+index 4d186d453..636144aef 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -3029,6 +3029,8 @@ u_undo_end(
+ }
+ }
+ #endif
++ if (VIsual_active)
++ check_pos(curbuf, &VIsual);
+
+ smsg_attr_keep(0, _("%ld %s; %s #%ld %s"),
+ u_oldcount < 0 ? -u_oldcount : u_oldcount,
+--
+2.34.1
+
diff --git a/vim.spec b/vim.spec
index ea417e5..3bac147 100644
--- a/vim.spec
+++ b/vim.spec
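Review bot: The regression test `Test_visual_undo_deletes_last_line` contains no assertion, so it only guards the fix if the package's test step runs it under a memory checker that reports the out-of-bounds read; without one it may pass with or without the `check_pos(curbuf, &VIsual);` call. The carried patch is also trimmed silently: its diffstat still lists `src/version.c` and "3 files changed, 19 insertions(+)", but only the `src/testdir/test_visual.vim` and `src/undo.c` diffs are present, so a description line such as `Backport note: src/version.c hunk dropped` would make comparison with upstream commit 8d02ce1ed75d straightforward. As shown on this page the line `exe "normal obbbbbbbbbxbb\"` ends in a bare backslash, probably because a key notation was lost in rendering; confirm the packaged file has it intact. The `@@ -3029,6 +3029,8 @@` offsets are upstream's and `u_undo_end` starts and ends outside the hunk, so the build log should be checked to confirm the hunk applied after the `#endif` without fuzz.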
@@ -98,6 +98,8 @@ Patch3032: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
 Patch3033: 0001-patch-8.2.4154-ml_get-error-when-exchanging-windows-.patch
 # CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
 Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
+# CVE-2022-0368 vim: Out-of-bounds Read in vim
+Patch3035: 0001-patch-8.2.4217-illegal-memory-access-when-undo-makes.patch
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -319,6 +321,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3032 -p1 -b .cve0359
 %patch3033 -p1 -b .cve0319
 %patch3034 -p1 -b .cve0361
+%patch3035 -p1 -b .cve0368
 %build
 cd src
@@ -876,6 +879,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 %changelog
+* Wed Feb 09 2022 Zdenek Dohnal - 2:8.2.2637-12
+- CVE-2022-0368 vim: Out-of-bounds Read in vim
+
 * Tue Feb 08 2022 Zdenek Dohnal - 2:8.2.2637-12
 - CVE-2022-0319 vim: heap-based out-of-bounds read
 - CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
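Review bot: The new `%changelog` entry reuses `2:8.2.2637-12`, the same version-release as the Feb 08 entry directly below it, and none of the three `vim.spec` hunks touches the `Release:` tag. If a -12 build has already been published, the build carrying the CVE-2022-0368 fix would be indistinguishable from it by NVR, and scanners or advisories keyed on the package version could not separate fixed from unfixed hosts; in that case bump the release and use the new value in the entry. If -12 has not been built yet, adding `- CVE-2022-0368 vim: Out-of-bounds Read in vim` to the existing -12 entry would avoid two entries with the same release.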