From b7a801e714e373ff5219ed552ee52495fefbd53e Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Thu, 13 Jan 2022 10:49:55 +0100 Subject: [PATCH] CVE-2021-4193 vim: vulnerable to Out-of-bounds Read Resolves: CVE-2021-4193 --- ...oing-beyond-the-end-of-the-line-with.patch | 39 +++++++++++++++++++ vim.spec | 8 +++- 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch diff --git a/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch b/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch new file mode 100644 index 00000000..885bc357 --- /dev/null +++ b/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch @@ -0,0 +1,39 @@ +diff -up vim82/src/charset.c.cve4193 vim82/src/charset.c +--- vim82/src/charset.c.cve4193 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/charset.c 2022-01-13 10:14:55.634913386 +0100 +@@ -1232,10 +1232,15 @@ getvcol( + posptr = NULL; // continue until the NUL + else + { +- // Special check for an empty line, which can happen on exit, when +- // ml_get_buf() always returns an empty string. +- if (*ptr == NUL) +- pos->col = 0; ++ colnr_T i; ++ ++ // In a few cases the position can be beyond the end of the line. ++ for (i = 0; i < pos->col; ++i) ++ if (ptr[i] == NUL) ++ { ++ pos->col = i; ++ break; ++ } + posptr = ptr + pos->col; + if (has_mbyte) + // always start on the first byte +diff -up vim82/src/testdir/test_regexp_latin.vim.cve4193 vim82/src/testdir/test_regexp_latin.vim +--- vim82/src/testdir/test_regexp_latin.vim.cve4193 2022-01-13 10:14:55.634913386 +0100 ++++ vim82/src/testdir/test_regexp_latin.vim 2022-01-13 10:17:01.905292715 +0100 +@@ -938,4 +938,12 @@ func Test_regexp_last_subst_string() + close! + endfunc + ++func Test_using_invalid_visual_position() ++ " this was going beyond the end of the line ++ new ++ exe "norm 0o000\0\$s0" ++ /\%V ++ bwipe! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab diff --git a/vim.spec b/vim.spec index 8add473c..b876f761 100644 --- a/vim.spec +++ b/vim.spec @@ -27,7 +27,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 9%{?dist} +Release: 10%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: virc @@ -84,6 +84,8 @@ Patch3025: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch Patch3026: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch # 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0] Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch +# CVE-2021-4193 vim: vulnerable to Out-of-bounds Read +Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -298,6 +300,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3025 -p1 -b .cve-win-redr %patch3026 -p1 -b .cve3984 %patch3027 -p1 -b .cve4019 +%patch3028 -p1 -b .cve4193 %build cd src @@ -855,6 +858,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %endif %changelog +* Thu Jan 13 2022 Zdenek Dohnal - 2:8.2.2637-10 +- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read + * Mon Dec 06 2021 Zdenek Dohnal - 2:8.2.2637-9 - 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0]