import vim-8.0.1763-16.el8_5.12

CentOS Sources 2022-03-29 15:28:13 -04:00 committed by Stepan Oksanichenko
parent 35c3bdc44a
commit 972bc25d8f
14 changed files with 640 additions and 1 deletions


@ -0,0 +1,35 @@
diff -up vim80/src/screen.c.cve3872 vim80/src/screen.c
--- vim80/src/screen.c.cve3872 2021-10-21 13:20:27.694921335 +0200
+++ vim80/src/screen.c 2021-10-21 13:22:42.221732996 +0200
@@ -6911,13 +6911,13 @@ win_redr_status(win_T *wp)
*(p + len++) = ' ';
if (bt_help(wp->w_buffer))
{
- STRCPY(p + len, _("[Help]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
len += (int)STRLEN(p + len);
}
#ifdef FEAT_QUICKFIX
if (wp->w_p_pvw)
{
- STRCPY(p + len, _("[Preview]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
len += (int)STRLEN(p + len);
}
#endif
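Review bot: The bound `MAXPATHL - len` is only as good as `len`, and the context line `*(p + len++) = ' ';` at the top of this hunk advances `len` with no visible check. If `len` can already be `MAXPATHL - 1` there (it is computed outside the hunk, so this needs confirming), the space overwrites the terminator and the size passed to vim_snprintf() becomes 0. The following `STRLEN(p + len)` would then scan from a position with no guaranteed NUL. Guarding the write, e.g. `if (len < MAXPATHL - 1) *(p + len++) = ' ';`, would close that; the same size expression is used for `[+]` and `[RO]` in the next hunk. win_redr_status() starts and ends outside the hunk.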
@@ -6927,12 +6927,12 @@ win_redr_status(win_T *wp)
#endif
)
{
- STRCPY(p + len, "[+]");
- len += 3;
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
+ len += (int)STRLEN(p + len);
}
if (wp->w_buffer->b_p_ro)
{
- STRCPY(p + len, _("[RO]"));
+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
len += (int)STRLEN(p + len);
}


@ -0,0 +1,34 @@
diff --git a/src/misc1.c b/src/misc1.c
index de79c8e..1c5867d 100644
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -6792,7 +6792,7 @@ find_start_brace(void) /* XXX */
&& (pos = ind_find_start_CORS(NULL)) == NULL) /* XXX */
break;
if (pos != NULL)
- curwin->w_cursor.lnum = pos->lnum;
+ curwin->w_cursor = *pos;
}
curwin->w_cursor = cursor_save;
return trypos;
diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
index 7c2c5e3..f8c7e57 100644
--- a/src/testdir/test_cindent.vim
+++ b/src/testdir/test_cindent.vim
@@ -102,4 +102,16 @@ func Test_cindent_expr()
bw!
endfunc
+func Test_find_brace_backwards()
+ " this was looking beyond the end of the line
+ new
+ norm R/*
+ norm o0{
+ norm o//
+ norm V{=
+ call assert_equal(['/*', ' 0{', '//'], getline(1, 3))
+ bwipe!
+endfunc
+
+
" vim: shiftwidth=2 sts=2 expandtab


@ -0,0 +1,14 @@
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 1827fec..e69fbd3 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -6537,8 +6537,7 @@ find_help_tags(
|| (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
&& arg[2] != NUL)))
{
- STRCPY(d, "/\\\\");
- STRCPY(d + 3, arg + 1);
+ vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
/* Check for "/\\_$", should be "/\\_\$" */
if (d[3] == '_' && d[4] == '$')
STRCPY(d + 4, "\\$");
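Review bot: Truncation is silent here: the vim_snprintf() result is not checked, so an argument longer than the buffer is looked up as a cut-off pattern instead of being rejected. The size is the literal `IOSIZE`, which is correct only while `d` points at the start of a buffer of that size. Its declaration is outside the hunk, so a short comment next to the call, e.g. `/* d must point at a buffer of IOSIZE bytes */`, would make the bound checkable. The unchanged `STRCPY(d + 4, "\\$")` below stays unbounded and relies on at least seven bytes being available at `d`.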


@ -0,0 +1,45 @@
diff -up vim80/src/regexp.c.cve4192 vim80/src/regexp.c
--- vim80/src/regexp.c.cve4192 2022-01-12 15:21:44.792239040 +0100
+++ vim80/src/regexp.c 2022-01-12 15:34:35.190425880 +0100
@@ -4203,9 +4203,9 @@ reg_match_visual(void)
if (lnum < top.lnum || lnum > bot.lnum)
return FALSE;
+ col = (colnr_T)(reginput - regline);
if (mode == 'v')
{
- col = (colnr_T)(reginput - regline);
if ((lnum == top.lnum && col < top.col)
|| (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
return FALSE;
@@ -4220,7 +4220,12 @@ reg_match_visual(void)
end = end2;
if (top.col == MAXCOL || bot.col == MAXCOL)
end = MAXCOL;
- cols = win_linetabsize(wp, regline, (colnr_T)(reginput - regline));
+
+ // getvvcol() flushes rex.line, need to get it again
+ regline = reg_getline(reglnum);
+ reginput = regline + col;
+
+ cols = win_linetabsize(wp, regline, col);
if (cols < start || cols > end - (*p_sel == 'e'))
return FALSE;
}
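Review bot: The added comment names `rex.line`, but the code in this hunk re-reads `regline`, and no `rex` identifier appears in the visible lines. The wording looks carried over from a different version of the file. Something like `// getvvcol() flushes the line regline points to, get it again` would match the code. The result of `reg_getline(reglnum)` is then used as `regline + col` without a check; whether it can return NULL or a shorter line at this point is not visible here. reg_match_visual() continues outside the hunk.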
diff -up vim80/src/testdir/test_regexp_latin.vim.cve4192 vim80/src/testdir/test_regexp_latin.vim
--- vim80/src/testdir/test_regexp_latin.vim.cve4192 2022-01-12 15:21:44.792239040 +0100
+++ vim80/src/testdir/test_regexp_latin.vim 2022-01-12 15:36:12.499693099 +0100
@@ -80,3 +80,13 @@ func Test_using_invalid_visual_position(
/\%V
bwipe!
endfunc
+
+func Test_using_visual_position()
+ " this was using freed memory
+ new
+ exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
+ /\%V
+ bwipe!
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab


@ -0,0 +1,38 @@
diff -up vim80/src/charset.c.cve4193 vim80/src/charset.c
--- vim80/src/charset.c.cve4193 2022-01-12 14:49:08.710592947 +0100
+++ vim80/src/charset.c 2022-01-12 14:49:47.594705863 +0100
@@ -1291,10 +1291,15 @@ getvcol(
posptr = NULL; /* continue until the NUL */
else
{
- /* Special check for an empty line, which can happen on exit, when
- * ml_get_buf() always returns an empty string. */
- if (*ptr == NUL)
- pos->col = 0;
+ colnr_T i;
+
+ // In a few cases the position can be beyond the end of the line.
+ for (i = 0; i < pos->col; ++i)
+ if (ptr[i] == NUL)
+ {
+ pos->col = i;
+ break;
+ }
posptr = ptr + pos->col;
#ifdef FEAT_MBYTE
if (has_mbyte)
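Review bot: The new loop writes the clamped column back through `pos`, so the caller's position changes as a side effect of computing a virtual column, and the comment does not say so. The comment it replaces recorded one concrete case (an empty line on exit, when ml_get_buf() returns an empty string) that the loop still covers but no longer mentions. Suggest `// The position can be beyond the end of the line (e.g. the empty line ml_get_buf() returns on exit): clamp pos->col to the NUL.` and braces around the `for` body, which spans six lines. getvcol() starts and ends outside the hunk.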
diff -up vim80/src/testdir/test_regexp_latin.vim.cve4193 vim80/src/testdir/test_regexp_latin.vim
--- vim80/src/testdir/test_regexp_latin.vim.cve4193 2022-01-12 14:49:08.710592947 +0100
+++ vim80/src/testdir/test_regexp_latin.vim 2022-01-12 14:50:45.186873107 +0100
@@ -72,3 +72,11 @@ func Test_backref()
call assert_fails('call search("\\%#=2\\(e\\1\\)")', 'E65:')
bwipe!
endfunc
+
+func Test_using_invalid_visual_position()
+ " this was going beyond the end of the line
+ new
+ exe "norm 0o000\<Esc>0\<C-V>$s0"
+ /\%V
+ bwipe!
+endfunc


@ -0,0 +1,95 @@
diff -up vim80/src/ops.c.cve0261 vim80/src/ops.c
--- vim80/src/ops.c.cve0261 2022-01-26 14:30:27.475308323 +0100
+++ vim80/src/ops.c 2022-01-26 14:34:16.650933713 +0100
@@ -636,23 +636,30 @@ block_insert(
if (b_insert)
{
off = (*mb_head_off)(oldp, oldp + offset + spaces);
+ spaces -= off;
+ count -= off;
}
else
{
- off = (*mb_off_next)(oldp, oldp + offset);
- offset += off;
+ // spaces fill the gap, the character that's at the edge moves
+ // right
+ off = (*mb_head_off)(oldp, oldp + offset);
+ offset -= off;
}
spaces -= off;
count -= off;
}
#endif
- newp = alloc_check((unsigned)(STRLEN(oldp)) + s_len + count + 1);
+ // Make sure the allocated size matches what is actually copied below.
+ newp = alloc(STRLEN(oldp) + spaces + s_len
+ + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0)
+ + count + 1);
if (newp == NULL)
continue;
/* copy up to shifted part */
- mch_memmove(newp, oldp, (size_t)(offset));
+ mch_memmove(newp, oldp, (size_t)offset);
oldp += offset;
/* insert pre-padding */
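Review bot: In the `b_insert` branch `off` is now subtracted from `spaces` and `count` twice: once by the added `spaces -= off; count -= off;` inside the branch and again by the unchanged pair after the `else` block. That trailing pair also still runs for the `else` branch, which has already applied `off` to `offset`. If the in-branch lines are meant to replace the trailing ones, the trailing `spaces -= off;` and `count -= off;` should be deleted in this patch. A later src/ops.c patch in this commit removes the whole block, so the mismatch exists only when this patch is applied on its own. A `spaces` value that ends up too small or negative feeds directly into the new allocation size. block_insert() starts and ends outside the hunk.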
@@ -662,14 +669,21 @@ block_insert(
mch_memmove(newp + offset + spaces, s, (size_t)s_len);
offset += s_len;
- if (spaces && !bdp->is_short)
+ if (spaces > 0 && !bdp->is_short)
{
- /* insert post-padding */
- vim_memset(newp + offset + spaces, ' ', (size_t)(p_ts - spaces));
- /* We're splitting a TAB, don't copy it. */
- oldp++;
- /* We allowed for that TAB, remember this now */
- count++;
+ if (*oldp == TAB)
+ {
+ // insert post-padding
+ vim_memset(newp + offset + spaces, ' ',
+ (size_t)(p_ts - spaces));
+ // we're splitting a TAB, don't copy it
+ oldp++;
+ // We allowed for that TAB, remember this now
+ count++;
+ }
+ else
+ // Not a TAB, no extra spaces
+ count = spaces;
}
if (spaces > 0)
@@ -2738,9 +2752,9 @@ op_insert(oparg_T *oap, long count1)
oap->start_vcol = t;
}
else if (oap->op_type == OP_APPEND
- && oap->end.col
+ && oap->start.col
#ifdef FEAT_VIRTUALEDIT
- + oap->end.coladd
+ + oap->start.coladd
#endif
>= curbuf->b_op_start_orig.col
#ifdef FEAT_VIRTUALEDIT
diff -up vim80/src/testdir/test_visual.vim.cve0261 vim80/src/testdir/test_visual.vim
--- vim80/src/testdir/test_visual.vim.cve0261 2022-01-26 14:30:27.476308325 +0100
+++ vim80/src/testdir/test_visual.vim 2022-01-26 14:36:03.482225225 +0100
@@ -254,3 +254,12 @@ func Test_virtual_replace2()
%d_
set bs&vim
endfunc
+
+func Test_visual_block_append_invalid_char()
+ " this was going over the end of the line
+ new
+ call setline(1, [' let xxx', 'xxxxxˆ', 'xxxxxxxxxxx'])
+ exe "normal 0\<C-V>jjA-\<Esc>"
+ call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
+ bwipe!
+endfunc


@ -0,0 +1,46 @@
diff --git a/src/ops.c b/src/ops.c
index e9cfb1d..e35b033 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -629,26 +629,9 @@ block_insert(
#ifdef FEAT_MBYTE
if (has_mbyte && spaces > 0)
- {
- int off;
+ // avoid copying part of a multi-byte character
+ offset -= (*mb_head_off)(oldp, oldp + offset);
- /* Avoid starting halfway a multi-byte character. */
- if (b_insert)
- {
- off = (*mb_head_off)(oldp, oldp + offset + spaces);
- spaces -= off;
- count -= off;
- }
- else
- {
- // spaces fill the gap, the character that's at the edge moves
- // right
- off = (*mb_head_off)(oldp, oldp + offset);
- offset -= off;
- }
- spaces -= off;
- count -= off;
- }
#endif
// Make sure the allocated size matches what is actually copied below.
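Review bot: The `if (has_mbyte && spaces > 0)` now has a comment line between it and its single unbraced statement, inside an `#ifdef FEAT_MBYTE` region. Braces would make it obvious that only the `offset` adjustment is conditional: `{ offset -= (*mb_head_off)(oldp, oldp + offset); }`. The call is handed `oldp + offset` with no visible check that `offset` lies within the line; `offset` is computed earlier in block_insert(), outside the hunk, so that needs confirming there.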
diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim
index 24e3db8..1042720 100644
--- a/src/testdir/test_utf8.vim
+++ b/src/testdir/test_utf8.vim
@@ -9,7 +9,7 @@ func Test_visual_block_insert()
new
call setline(1, ["aaa", "あああ", "bbb"])
exe ":norm! gg0l\<C-V>jjIx\<Esc>"
- call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$'))
+ call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$'))
bwipeout!
endfunc


@ -0,0 +1,12 @@
diff -up vim80/src/ex_getln.c.cve0359 vim80/src/ex_getln.c
--- vim80/src/ex_getln.c.cve0359 2022-01-27 16:55:41.386213891 +0100
+++ vim80/src/ex_getln.c 2022-01-27 17:00:20.330960544 +0100
@@ -300,7 +300,7 @@ getcmdline(
ccline.cmdindent = (firstc > 0 ? indent : 0);
/* alloc initial ccline.cmdbuff */
- alloc_cmdbuff(exmode_active ? 250 : indent + 1);
+ alloc_cmdbuff(indent + 50);
if (ccline.cmdbuff == NULL)
return NULL; /* out of memory */
ccline.cmdlen = ccline.cmdpos = 0;
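Review bot: The `50` in `alloc_cmdbuff(indent + 50)` is an unexplained constant on the one line that fixes a buffer-size bug. A comment should state what the size must cover, e.g. `/* must hold at least the indent; 50 is initial room for typed text */`. The code that relies on the buffer holding `indent` bytes is outside the hunk, so the comment should be checked against it. `indent` is also added to the constant without a range check in the visible lines. getcmdline() starts and ends outside the hunk.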


@ -0,0 +1,33 @@
diff -up vim80/src/ex_cmds.c.cve0361 vim80/src/ex_cmds.c
--- vim80/src/ex_cmds.c.cve0361 2022-02-08 12:20:51.277666290 +0100
+++ vim80/src/ex_cmds.c 2022-02-08 12:20:51.280666209 +0100
@@ -983,6 +983,8 @@ ex_copy(linenr_T line1, linenr_T line2,
}
appended_lines_mark(n, count);
+ if (VIsual_active)
+ check_pos(curbuf, &VIsual);
msgmore((long)count);
}
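Review bot: The added `check_pos(curbuf, &VIsual)` has no comment saying why copying lines must re-validate the Visual position. The only explanation is in the test file, which says the end of the Visual area was left beyond the end of a line. A one-line comment above the `if`, e.g. `/* the copy can leave VIsual beyond the end of its line */`, would stop the call from looking redundant to a later reader. ex_copy() starts outside the hunk.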
diff -up vim80/src/testdir/test_visual.vim.cve0361 vim80/src/testdir/test_visual.vim
--- vim80/src/testdir/test_visual.vim.cve0361 2022-02-08 12:20:51.280666209 +0100
+++ vim80/src/testdir/test_visual.vim 2022-02-08 12:21:44.530356814 +0100
@@ -263,3 +263,17 @@ func Test_visual_block_append_invalid_ch
call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
bwipe!
endfunc
+
+" this was leaving the end of the Visual area beyond the end of a line
+func Test_visual_ex_copy_line()
+ new
+ call setline(1, ["aaa", "bbbbbbbbbxbb"])
+ /x
+ exe "normal ggvjfxO"
+ t0
+ normal gNU
+ bwipe!
+endfunc
+
+
+" vim: shiftwidth=2 sts=2 expandtab


@ -0,0 +1,85 @@
commit ec45bc7682fd698d8d39f43732129c4d092355f3
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Wed Feb 2 16:30:11 2022 +0100
Fix illegal memory access with bracketed paste in Ex mode
diff --git a/src/edit.c b/src/edit.c
index f29fbc7..57b8dce 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -9519,27 +9519,33 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
int ret_char = -1;
int save_allow_keys = allow_keys;
int save_paste = p_paste;
- int save_ai = curbuf->b_p_ai;
- /* If the end code is too long we can't detect it, read everything. */
- if (STRLEN(end) >= NUMBUFLEN)
+ // If the end code is too long we can't detect it, read everything.
+ if (end != NULL && STRLEN(end) >= NUMBUFLEN)
end = NULL;
++no_mapping;
allow_keys = 0;
- p_paste = TRUE;
- curbuf->b_p_ai = FALSE;
+ if (!p_paste)
+ // Also have the side effects of setting 'paste' to make it work much
+ // faster.
+ set_option_value((char_u *)"paste", TRUE, NULL, 0);
for (;;)
{
/* When the end is not defined read everything. */
if (end == NULL && vpeekc() == NUL)
break;
- c = plain_vgetc();
-#ifdef FEAT_MBYTE
+ do
+ c = vgetc();
+ while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR);
+ if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C))
+ // When CTRL-C was encountered the typeahead will be flushed and we
+ // won't get the end sequence. Except when using ":normal".
+ break;
+
if (has_mbyte)
idx += (*mb_char2bytes)(c, buf + idx);
else
-#endif
buf[idx++] = c;
buf[idx] = NUL;
if (end != NULL && STRNCMP(buf, end, idx) == 0)
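Review bot: The `#ifdef FEAT_MBYTE` / `#endif` pair around `if (has_mbyte)` is removed here, and again around `ret_char = (*mb_ptr2char)(buf)` in the PASTE_ONE_CHAR hunk. Other patches in this same commit still show `FEAT_MBYTE` guards in this source tree. If the tree can be configured without that feature, `mb_char2bytes` and `mb_ptr2char` may not be declared and the file would stop compiling. Keeping the guards (`#ifdef FEAT_MBYTE` before `if (has_mbyte)`, `#endif` after the `else`) leaves the fix intact. Separately, `buf[idx++] = c; buf[idx] = NUL;` depends on `buf` being large enough for `idx`, and its declaration is outside the hunk; bracketed_paste() also continues beyond it.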
@@ -9557,7 +9563,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
break;
case PASTE_EX:
- if (gap != NULL && ga_grow(gap, idx) == OK)
+ // add one for the NUL that is going to be appended
+ if (gap != NULL && ga_grow(gap, idx + 1) == OK)
{
mch_memmove((char *)gap->ga_data + gap->ga_len,
buf, (size_t)idx);
@@ -9582,11 +9589,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
case PASTE_ONE_CHAR:
if (ret_char == -1)
{
-#ifdef FEAT_MBYTE
if (has_mbyte)
ret_char = (*mb_ptr2char)(buf);
else
-#endif
ret_char = buf[0];
}
break;
@@ -9597,8 +9602,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
--no_mapping;
allow_keys = save_allow_keys;
- p_paste = save_paste;
- curbuf->b_p_ai = save_ai;
+ if (!save_paste)
+ set_option_value((char_u *)"paste", FALSE, NULL, 0);
return ret_char;
}


@ -0,0 +1,51 @@
commit c604f3ad4782fde770617ff688e1ceac0dc1bd7c
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Thu Feb 3 10:14:42 2022 +0100
Fix using freed memory when substitute with function call
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index e69fbd3..0788573 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4767,6 +4767,7 @@ do_sub(exarg_T *eap)
int save_do_all; /* remember user specified 'g' flag */
int save_do_ask; /* remember user specified 'c' flag */
char_u *pat = NULL, *sub = NULL; /* init for GCC */
+ char_u *sub_copy = NULL;
int delimiter;
int sublen;
int got_quit = FALSE;
@@ -5062,11 +5063,20 @@ do_sub(exarg_T *eap)
sub_firstline = NULL;
/*
- * ~ in the substitute pattern is replaced with the old pattern.
- * We do it here once to avoid it to be replaced over and over again.
- * But don't do it when it starts with "\=", then it's an expression.
+ * If the substitute pattern starts with "\=" then it's an expression.
+ * Make a copy, a recursive function may free it.
+ * Otherwise, '~' in the substitute pattern is replaced with the old
+ * pattern. We do it here once to avoid it to be replaced over and over
+ * again.
*/
- if (!(sub[0] == '\\' && sub[1] == '='))
+ if (sub[0] == '\\' && sub[1] == '=')
+ {
+ sub = vim_strsave(sub);
+ if (sub == NULL)
+ return;
+ sub_copy = sub;
+ }
+ else
sub = regtilde(sub, p_magic);
/*
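Review bot: The bare `return` when `vim_strsave(sub)` fails skips the cleanup on the function's exit path, which the last hunk shows to include `vim_regfree(regmatch.regprog)` and the restore of `subflags`. If the pattern has already been compiled at this point (not visible in the hunk), that program leaks on the out-of-memory path. `if (sub == NULL) { vim_regfree(regmatch.regprog); return; }` would release it, assuming `regmatch` is initialised by then. Jumping to `outofmem:` is probably not a drop-in alternative, because the code between here and that label is not shown. do_sub() starts and ends outside the hunk.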
@@ -5825,6 +5835,7 @@ outofmem:
#endif
vim_regfree(regmatch.regprog);
+ vim_free(sub_copy);
/* Restore the flag values, they can be used for ":&&". */
subflags.do_all = save_do_all;


@ -0,0 +1,13 @@
diff -up vim80/src/regexp_nfa.c.cve3796-fix vim80/src/regexp_nfa.c
--- vim80/src/regexp_nfa.c.cve3796-fix 2021-09-20 08:27:13.752604505 +0200
+++ vim80/src/regexp_nfa.c 2021-09-20 08:29:10.206546910 +0200
@@ -5493,7 +5493,8 @@ find_match_text(colnr_T startcol, int re
match = FALSE;
break;
}
- len2 += MB_CHAR2LEN(c2);
+ len2 += enc_utf8 ? utf_ptr2len(regline + col + len2)
+ : MB_CHAR2LEN(c2);
}
if (match
#ifdef FEAT_MBYTE
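Review bot: The conditional added to `len2 +=` has no comment explaining why the UTF-8 case measures the text instead of the decoded character `c2`. Presumably the two lengths can differ when the bytes at `regline + col + len2` are not a valid encoding of `c2`, which would let `len2` step past the text. A comment such as `// use the byte length found in the text; MB_CHAR2LEN(c2) can differ from it` would record that, once confirmed against the CVE description. find_match_text() starts and ends outside the hunk.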

51
SOURCES/vim-cve3796.patch Normal file

@ -0,0 +1,51 @@
diff --git a/src/normal.c b/src/normal.c
index be0e75e..7d62e20 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -7147,19 +7147,23 @@ nv_replace(cmdarg_T *cap)
{
/*
* Get ptr again, because u_save and/or showmatch() will have
- * released the line. At the same time we let know that the
- * line will be changed.
+ * released the line. This may also happen in ins_copychar().
+ * At the same time we let know that the line will be changed.
*/
- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
{
int c = ins_copychar(curwin->w_cursor.lnum
+ (cap->nchar == Ctrl_Y ? -1 : 1));
+
+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
if (c != NUL)
ptr[curwin->w_cursor.col] = c;
}
else
+ {
+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
ptr[curwin->w_cursor.col] = cap->nchar;
+ }
if (p_sm && msg_silent == 0)
showmatch(cap->nchar);
++curwin->w_cursor.col;
diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
index 7278bcd..8818805 100644
--- a/src/testdir/test_edit.vim
+++ b/src/testdir/test_edit.vim
@@ -1387,3 +1387,15 @@ func Test_edit_quit()
only
endfunc
+" Test for getting the character of the line below after "p"
+func Test_edit_put_CTRL_E()
+ set encoding=latin1
+ new
+ let @" = ''
+ sil! norm orggRx
+ sil! norm pr
+ call assert_equal(['r', 'r'], getline(1, 2))
+ bwipe!
+ set encoding=utf-8
+endfunc
+


@ -24,7 +24,7 @@ Summary: The VIM editor
URL: http://www.vim.org/
Name: vim
Version: %{baseversion}.%{patchlevel}
Release: 15%{?dist}
Release: 16%{?dist}.12
License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: vim.sh
@ -75,6 +75,31 @@ Patch3019: 0001-patch-8.1.1365-source-command-doesn-t-check-for-the-.patch
Patch3020: vim-crypto-warning.patch
# 1842755 - CVE-2019-20807
Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch
# 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0]
Patch3022: vim-cve3796.patch
# 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
Patch3023: vim-cve3778-fix.patch
Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
# 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
Patch3025: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
# 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
Patch3026: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
# CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
Patch3027: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
# CVE-2021-4192 vim: vulnerable to Use After Free
Patch3028: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
# CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
Patch3029: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
Patch3030: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
# CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
Patch3031: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
# CVE-2022-0413 vim: use after free in src/ex_cmds.c
Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
# CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
# gcc is no longer in buildroot by default
BuildRequires: gcc
@ -273,6 +298,19 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3019 -p1 -b .cve
%patch3020 -p1 -b .crypto-warning
%patch3021 -p1 -b .rvim
%patch3022 -p1 -b .cve3796
%patch3023 -p1 -b .cve3778
%patch3024 -p1 -b .cve3872
%patch3025 -p1 -b .cve3984
%patch3026 -p1 -b .cve4019
%patch3027 -p1 -b .cve4193
%patch3028 -p1 -b .cve4192
%patch3029 -p1 -b .cve0261
%patch3030 -p1 -b .cve0318
%patch3031 -p1 -b .cve0359
%patch3032 -p1 -b .cve0392
%patch3033 -p1 -b .cve0413
%patch3034 -p1 -b .cve0361
%build
%if 0%{?rhel} > 7
@ -791,6 +829,55 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%{_datadir}/icons/locolor/*/apps/*
%changelog
* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.12
- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
* Fri Feb 04 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.11
- CVE-2022-0413 vim: use after free in src/ex_cmds.c
- Fix specfile problems
- Resolves: rhbz#2048525
* Thu Feb 03 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.10
- CVE-2022-0413 vim: use after free in src/ex_cmds.c
- Resolves: rhbz#2048525
* Wed Feb 02 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.9
- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
- Improve fix
- Resolves: rhbz#2049403
* Wed Feb 02 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.8
- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
- Resolves: rhbz#2049403
* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.7
- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.6
- fix test suite after fix for CVE-2022-0318
* Wed Jan 26 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.5
- CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
- CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.4
- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
- CVE-2021-4192 vim: vulnerable to Use After Free
* Fri Dec 03 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.3
- 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
- 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.2
- remove the upstream test - uses a feature which is not presented in RHEL 8
* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.1
- CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0]
* Mon Sep 20 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16
- 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0]
- 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
* Tue Jun 02 2020 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-15
- 1842755 - CVE-2019-20807