From df6b8d35963df8f471dbf2ae18b6e4d415422511 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 11 Jan 2022 13:44:50 -0500
Subject: [PATCH] import vim-8.2.2637-9.el9
---
...llegal-memory-access-when-C-indentin.patch | 34 +++++++++++++++++++
...uffer-overflow-with-long-help-argume.patch | 32 +++++++++++++++++
SPECS/vim.spec | 14 +++++++-
3 files changed, 79 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
create mode 100644 SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
diff --git a/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch b/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
new file mode 100644
index 00000000..b308783d
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
@@ -0,0 +1,34 @@
+diff --git a/src/cindent.c b/src/cindent.c
+index b2fac1a..ce513e3 100644
+--- a/src/cindent.c
++++ b/src/cindent.c
+@@ -1654,7 +1654,7 @@ find_start_brace(void) // XXX
+ && (pos = ind_find_start_CORS(NULL)) == NULL) // XXX
+ break;
+ if (pos != NULL)
+- curwin->w_cursor.lnum = pos->lnum;
++ curwin->w_cursor = *pos;
+ }
+ curwin->w_cursor = cursor_save;
+ return trypos;
+diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
+index 5926408..f668faa 100644
+--- a/src/testdir/test_cindent.vim
++++ b/src/testdir/test_cindent.vim
+@@ -5307,4 +5307,16 @@ func Test_cindent_pragma()
+ enew! | close
+ endfunc
+
++func Test_find_brace_backwards()
++ " this was looking beyond the end of the line
++ new
++ norm R/*
++ norm o0{
++ norm o//
++ norm V{=
++ call assert_equal(['/*', ' 0{', '//'], getline(1, 3))
++ bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch b/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
new file mode 100644
index 00000000..8f8c0754
--- /dev/null
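Review bot: The regression test `Test_find_brace_backwards` in the embedded test_cindent.vim hunk asserts only the resulting buffer text, so it can pass on an unfixed build; the out-of-bounds read it targets (its own comment says "looking beyond the end of the line") would presumably only be reported when the suite runs under a memory checker such as ASan or valgrind. For this backport it is worth confirming that the package's test run is instrumented that way, since a green run alone does not show the fix is effective. In the cindent.c hunk, `curwin->w_cursor = *pos;` now copies the whole position instead of only `lnum`, and a short comment such as `// copy col too: a stale col can lie past the end of the new line` would keep the reason visible to the next maintainer. find_start_brace() starts and ends outside the hunk, so other places that assign only `w_cursor.lnum` cannot be ruled out from here.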
+++ b/SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
@@ -0,0 +1,32 @@
+diff --git a/src/help.c b/src/help.c
+index ee6ff18..67e4fb2 100644
+--- a/src/help.c
++++ b/src/help.c
+@@ -422,8 +422,7 @@ find_help_tags(
+ || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
+ && arg[2] != NUL)))
+ {
+- STRCPY(d, "/\\\\");
+- STRCPY(d + 3, arg + 1);
++ vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
+ // Check for "/\\_$", should be "/\\_\$"
+ if (d[3] == '_' && d[4] == '$')
+ STRCPY(d + 4, "\\$");
+diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
+index ff2bc41..c8ff5b8 100644
+--- a/src/testdir/test_help.vim
++++ b/src/testdir/test_help.vim
+@@ -123,5 +123,13 @@ func Test_helptag_cmd_readonly()
+ call delete('Xdir', 'rf')
+ endfunc
+
++func Test_help_long_argument()
++ try
++ exe 'help \%' .. repeat('0', 1021)
++ catch
++ call assert_match("E149:", v:exception)
++ endtry
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index 522a8657..bcbf058b 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
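Review bot: The size passed in `vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);` in the embedded help.c hunk is only a valid bound if `d` still points at the start of an IOSIZE-byte buffer when this branch runs. The assignment of `d` is outside the hunk (find_help_tags() starts and ends outside it), so that should be confirmed against the full function in this package's base version. The call also truncates silently, and the `STRCPY(d + 4, "\\$");` that follows stays unbounded; it writes only a few bytes near the start of the buffer, so it looks safe under the same assumption, but a comment such as `// d is IObuff here; the copy is truncated to IOSIZE` would record that dependency. In the test_help.vim hunk, `Test_help_long_argument` asserts only inside `catch`, so a run in which `:help` raises nothing checks nothing, and the test is a meaningful guard mainly when the suite runs under a memory checker.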
@@ -80,6 +80,10 @@ Patch3023: 0001-patch-8.2.3428-using-freed-memory-when-replacing.patch Patch3024: 0001-patch-8.2.3406-on-some-systems-tests-fail-without-_R.patch # 2016202 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-9.0] Patch3025: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch +# 2028342 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-9.0] +Patch3026: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch +# 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0] +Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -292,6 +296,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3023 -p1 -b .cve-nv-replace %patch3024 -p1 -b .reentrant %patch3025 -p1 -b .cve-win-redr +%patch3026 -p1 -b .cve3984 +%patch3027 -p1 -b .cve4019 %build cd src @@ -849,6 +855,12 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %endif %changelog +* Mon Dec 02 2021 Zdenek Dohnal - 2:8.2.2637-9 +- 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0] + +* Thu Dec 02 2021 Zdenek Dohnal - 2:8.2.2637-9 +- 2028342 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-9.0] + * Tue Oct 26 2021 Zdenek Dohnal - 2:8.2.2637-8 - 2016202 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-9.0]