import vim-8.0.1763-16.el8_5.13

2022-04-13 02:12:03 +00:00 · 2022-04-13 02:12:03 +00:00 · c30f6cd9cc
commit c30f6cd9cc
parent f2d6eb89c1
2 changed files with 29 additions and 1 deletions
--- a/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
+++ b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
@ -0,0 +1,22 @@
+diff -up vim80/src/regexp.c.cve1154 vim80/src/regexp.c
+--- vim80/src/regexp.c.cve1154	2022-04-09 12:01:30.054452927 +0200
+++ vim80/src/regexp.c	2022-04-09 12:02:48.987999877 +0200
+@@ -4415,8 +4415,17 @@ regmatch(
+ 		int	mark = OPERAND(scan)[0];
+ 		int	cmp = OPERAND(scan)[1];
+ 		pos_T	*pos;
+		size_t	col = REG_MULTI ? reginput - regline : 0;
+ 
+ 		pos = getmark_buf(rex.reg_buf, mark, FALSE);
+
+		// Line may have been freed, get it again.
+		if (REG_MULTI)
+		{
+		    regline = reg_getline(reglnum);
+		    reginput = regline + col;
+		}
+
+ 		if (pos == NULL		     /* mark doesn't exist */
+ 			|| pos->lnum <= 0    /* mark isn't set in reg_buf */
+ 			|| (pos->lnum == reglnum + rex.reg_firstlnum
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve1154 vim80/src/testdir/test_regexp_latin.vim
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}.12
+Release: 16%{?dist}.13
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@ -100,6 +100,8 @@ Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
 Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
 # CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
 Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
+# CVE-2022-1154 vim: use after free in utf_ptr2char
+Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -311,6 +313,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3032 -p1 -b .cve0392
 %patch3033 -p1 -b .cve0413
 %patch3034 -p1 -b .cve0361
+%patch3035 -p1 -b .cve1154

 %build
 %if 0%{?rhel} > 7
@ -829,6 +832,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*

 %changelog
+* Sat Apr 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.13
+- CVE-2022-1154 vim: use after free in utf_ptr2char
+
 * Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.12
 - CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository