diff --git a/0001-patch-8.2.3428-using-freed-memory-when-replacing.patch b/0001-patch-8.2.3428-using-freed-memory-when-replacing.patch
new file mode 100644
index 0000000..f4860e8
--- /dev/null
+++ b/0001-patch-8.2.3428-using-freed-memory-when-replacing.patch
@@ -0,0 +1,50 @@
+diff -up vim82/src/normal.c.cve-3796 vim82/src/normal.c
+--- vim82/src/normal.c.cve-3796 2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/normal.c 2021-10-15 10:45:21.397258123 +0200
+@@ -5076,19 +5076,23 @@ nv_replace(cmdarg_T *cap)
+ {
+ /*
+ * Get ptr again, because u_save and/or showmatch() will have
+- * released the line. At the same time we let know that the
+- * line will be changed.
++ * released the line. This may also happen in ins_copychar().
++ * At the same time we let know that the line will be changed.
+ */
+- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+ {
+ int c = ins_copychar(curwin->w_cursor.lnum
+ + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (c != NUL)
+ ptr[curwin->w_cursor.col] = c;
+ }
+ else
++ {
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ ptr[curwin->w_cursor.col] = cap->nchar;
++ }
+ if (p_sm && msg_silent == 0)
+ showmatch(cap->nchar);
+ ++curwin->w_cursor.col;
+diff -up vim82/src/testdir/test_edit.vim.cve-3796 vim82/src/testdir/test_edit.vim
+--- vim82/src/testdir/test_edit.vim.cve-3796 2021-10-15 10:45:21.398258115 +0200
++++ vim82/src/testdir/test_edit.vim 2021-10-15 10:46:22.892764135 +0200
+@@ -1844,4 +1844,16 @@ func Test_read_invalid()
+ set encoding=utf-8
+ endfunc
+ 
++" Test for getting the character of the line below after "p"
++func Test_edit_put_CTRL_E()
++ set encoding=latin1
++ new
++ let @" = ''
++ sil! norm orggRx
++ sil! norm pr
++ call assert_equal(['r', 'r'], getline(1, 2))
++ bwipe!
++ set encoding=utf-8
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
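Review bot: The new patch file opens with a bare `diff -up vim82/src/normal.c.cve-3796 vim82/src/normal.c` header and carries no upstream commit metadata, even though its name follows the `0001-patch-8.2.NNNN-…` git-format-patch convention of the neighbouring `0001-patch-8.2.3409-…` file; keeping the upstream `Problem:` / `Solution:` header (or a one-line comment naming the upstream vim 8.2.3428 commit) would let the backport's provenance be audited without diffing against upstream by hand. The C change itself looks sound: `ml_get_buf()` is now fetched after `ins_copychar()` returns in the Ctrl_E/Ctrl_Y branch and separately in the `else` branch, so `ptr` can no longer refer to a line that `ins_copychar()` released before the write at `ptr[curwin->w_cursor.col]`. The enclosing `nv_replace()` starts and ends outside the hunk, so the earlier bounds checks on `w_cursor.col` that the write relies on are not visible here and are presumably unchanged.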
diff --git a/vim.spec b/vim.spec
index 8670203..8d0e09d 100644
--- a/vim.spec
+++ b/vim.spec
@@ -74,6 +74,8 @@ Patch3020: 0001-patch-8.2.3290-Vim9-compiling-dict-may-use-pointer-a.patch
 Patch3021: vim-cve-var-retab.patch
 # 2004893 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-9.0]
 Patch3022: 0001-patch-8.2.3409-reading-beyond-end-of-line-with-inval.patch
+# 2004976 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-9.0]
+Patch3023: 0001-patch-8.2.3428-using-freed-memory-when-replacing.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -283,6 +285,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3020 -p1 -b .covscan-key-freed
 %patch3021 -p1 -b .cve-var-retab
 %patch3022 -p1 -b .cve-utf-ptrchar
+%patch3023 -p1 -b .cve-nv-replace
 
 %build
 cd src
@@ -847,6 +850,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 - 2011749 - Update test suite to work without default mouse behavior
 - 2002320 - CVE-2021-3770 vim: using retab with large value may lead to heap buffer overflow [rhel-9.0]
 - 2004893 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-9.0]
+- 2004976 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-9.0]
 
 * Tue Aug 10 2021 Mohan Boddu - 2:8.2.2637-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags