From 7b787a70b71a3560f4eb9b9c2431a767e1ae8f76 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Tue, 8 Feb 2022 14:32:49 +0100
Subject: [PATCH] CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository

Resolves: CVE-2022-0361
---
 ...llegal-memory-access-when-copying-li.patch | 51 +++++++++++++++++++
 vim.spec | 4 ++
 2 files changed, 55 insertions(+)
 create mode 100644 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch

diff --git a/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch b/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
new file mode 100644
index 0000000..27d8404
--- /dev/null
+++ b/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
@@ -0,0 +1,51 @@
+From dc5490e2cbc8c16022a23b449b48c1bd0083f366 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 25 Jan 2022 13:52:53 +0000
+Subject: [PATCH] patch 8.2.4215: illegal memory access when copying lines in
+ Visual mode
+
+Problem: Illegal memory access when copying lines in Visual mode.
+Solution: Adjust the Visual position after copying lines.
+---
+ src/ex_cmds.c | 2 ++
+ src/testdir/test_visual.vim | 11 +++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 95209985e..f5d93e664 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -866,6 +866,8 @@ ex_copy(linenr_T line1, linenr_T line2, linenr_T n)
+ }
+
+ appended_lines_mark(n, count);
++ if (VIsual_active)
++ check_pos(curbuf, &VIsual);
+
+ msgmore((long)count);
+ }
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 72f5388b9..9b322fd21 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -1328,5 +1328,16 @@ func Test_visual_exchange_windows()
+ bwipe!
+ endfunc
+
++" this was leaving the end of the Visual area beyond the end of a line
++func Test_visual_ex_copy_line()
++ new
++ call setline(1, ["aaa", "bbbbbbbbbxbb"])
++ /x
++ exe "normal ggvjfxO"
++ t0
++ normal gNU
++ bwipe!
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.34.1
+
diff --git a/vim.spec b/vim.spec
index 8e826ba..ea417e5 100644
--- a/vim.spec
+++ b/vim.spec
@@ -96,6 +96,8 @@ Patch3031: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
 Patch3032: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
 # CVE-2022-0319 vim: heap-based out-of-bounds read
 Patch3033: 0001-patch-8.2.4154-ml_get-error-when-exchanging-windows-.patch
+# CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
+Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
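Review bot: `Test_visual_ex_copy_line` in the src/testdir/test_visual.vim section of the embedded patch calls no `assert_*` function, so it can only fail if Vim crashes or the suite runs under a memory checker; an out-of-bounds heap access may go unnoticed in a plain build. I would add a comment above the function such as `" No assert: only meaningful under valgrind or ASan, which report the access past the end of the line`, and confirm that the package's test run (not visible on this page) uses one if the test is meant to guard the backport. Separately, the embedded patch header still lists `src/version.c` and `3 files changed, 15 insertions(+)`, but only the ex_cmds.c and test_visual.vim sections follow. Presumably the version.c hunk was dropped for the 8.2.2637 base named in the changelog; a one-line remark in the patch header saying so would keep the file self-explanatory.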
@@ -316,6 +318,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3031 -p1 -b .cve0318
 %patch3032 -p1 -b .cve0359
 %patch3033 -p1 -b .cve0319
+%patch3034 -p1 -b .cve0361
 %build
 cd src
@@ -875,6 +878,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Tue Feb 08 2022 Zdenek Dohnal - 2:8.2.2637-12
 - CVE-2022-0319 vim: heap-based out-of-bounds read
+- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
 * Thu Jan 27 2022 Zdenek Dohnal - 2:8.2.2637-11
 - CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c