From c30f6cd9cccb131f84b2dfd455c0d58642e2d9e5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Wed, 13 Apr 2022 02:12:03 +0000
Subject: [PATCH] import vim-8.0.1763-16.el8_5.13
---
 ...sing-buffer-line-after-it-has-been-f.patch | 22 +++++++++++++++++++
 SPECS/vim.spec | 8 ++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
diff --git a/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
new file mode 100644
index 00000000..a2eb48be
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
@@ -0,0 +1,22 @@
+diff -up vim80/src/regexp.c.cve1154 vim80/src/regexp.c
+--- vim80/src/regexp.c.cve1154 2022-04-09 12:01:30.054452927 +0200
++++ vim80/src/regexp.c 2022-04-09 12:02:48.987999877 +0200
+@@ -4415,8 +4415,17 @@ regmatch(
+ int mark = OPERAND(scan)[0];
+ int cmp = OPERAND(scan)[1];
+ pos_T *pos;
++ size_t col = REG_MULTI ? reginput - regline : 0;
+
+ pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ regline = reg_getline(reglnum);
++ reginput = regline + col;
++ }
++
+ if (pos == NULL /* mark doesn't exist */
+ || pos->lnum <= 0 /* mark isn't set in reg_buf */
+ || (pos->lnum == reglnum + rex.reg_firstlnum
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve1154 vim80/src/testdir/test_regexp_latin.vim
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index 8bd7a1d0..46788e0a 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}.12
+Release: 16%{?dist}.13
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
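Review bot: The embedded regexp.c patch in the new SOURCES file ends on a bare `diff -up vim80/src/testdir/test_regexp_latin.vim.cve1154 ...` header with no hunk after it, so the CVE-2022-1154 fix is imported without any regression test for the mark-comparison code in `regmatch`; either carry a test hunk for that file or drop the dangling header. In the same hunk, `reginput = regline + col;` uses the re-fetched pointer without checking that `reg_getline(reglnum)` returned a non-NULL line at least `col` bytes long. That presumably holds because the same line was already being matched before `getmark_buf()` ran, but nothing in the hunk shows it, so I would state the invariant next to the assignment, e.g. `/* same line as before getmark_buf(); only the pointer may have moved, so col is still in range */`. The added comment also uses `//` where the surrounding context uses `/* */`. The body of `regmatch` starts and ends outside the hunk, so the callers' view of `regline`/`reginput` is not visible here.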
@@ -100,6 +100,8 @@ Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch # CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch +# CVE-2022-1154 vim: use after free in utf_ptr2char +Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -311,6 +313,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3032 -p1 -b .cve0392 %patch3033 -p1 -b .cve0413 %patch3034 -p1 -b .cve0361 +%patch3035 -p1 -b .cve1154 %build %if 0%{?rhel} > 7 @@ -829,6 +832,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Sat Apr 09 2022 Zdenek Dohnal - 2:8.0.1763-16.13 +- CVE-2022-1154 vim: use after free in utf_ptr2char + * Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-16.12 - CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository