From e2ec7ae719d9dea83caf5997011dbac186b7b73c Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Wed, 23 Feb 2022 15:30:22 +0100 Subject: [PATCH] CVE-2022-0629 vim: Stack-based Buffer Overflow in vim prior to 8.2 Resolves: CVE-2022-0629 --- ...rash-when-using-many-composing-chara.patch | 49 +++++++++++++++++++ vim.spec | 8 ++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch diff --git a/0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch b/0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch new file mode 100644 index 00000000..e190f2c8 --- /dev/null +++ b/0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch @@ -0,0 +1,49 @@ +From 34f8117dec685ace52cd9e578e2729db278163fc Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Wed, 16 Feb 2022 12:16:19 +0000 +Subject: [PATCH] patch 8.2.4397: crash when using many composing characters in + error message + +Problem: Crash when using many composing characters in error message. +Solution: Use mb_cptr2char_adv() instead of mb_ptr2char_adv(). +--- + src/testdir/test_assert.vim | 8 ++++++++ + src/testing.c | 2 +- + src/version.c | 2 ++ + 3 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim +index 8987f3f8d..27b2d73fb 100644 +--- a/src/testdir/test_assert.vim ++++ b/src/testdir/test_assert.vim +@@ -53,6 +53,14 @@ func Test_assert_equal() + call assert_equal("\b\e\f\n\t\r\\\x01\x7f", 'x') + call assert_match('Expected ''\\b\\e\\f\\n\\t\\r\\\\\\x01\\x7f'' but got ''x''', v:errors[0]) + call remove(v:errors, 0) ++ ++ " many composing characters are handled properly ++ call setline(1, ' ') ++ norm 100grƯ€ ++ call assert_equal(1, getline(1)) ++ call assert_match("Expected 1 but got '.* occurs 100 times]'", v:errors[0]) ++ call remove(v:errors, 0) ++ bwipe! + endfunc + + func Test_assert_equal_dict() +diff --git a/src/testing.c b/src/testing.c +index 448c01c1e..48ba14d2c 100644 +--- a/src/testing.c ++++ b/src/testing.c +@@ -101,7 +101,7 @@ ga_concat_shorten_esc(garray_T *gap, char_u *str) + { + same_len = 1; + s = p; +- c = mb_ptr2char_adv(&s); ++ c = mb_cptr2char_adv(&s); + clen = s - p; + while (*s != NUL && c == mb_ptr2char(s)) + { +-- +2.35.1 + diff --git a/vim.spec b/vim.spec index aa493052..f8b9c063 100644 --- a/vim.spec +++ b/vim.spec @@ -27,7 +27,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 13%{?dist} +Release: 14%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: virc @@ -112,6 +112,8 @@ Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch Patch3040: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch # CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch +# CVE-2022-0629 vim: Stack-based Buffer Overflow in vim prior to 8.2 +Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -340,6 +342,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3039 -p1 -b .cve0443 %patch3040 -p1 -b .cve0392 %patch3041 -p1 -b .cve0572 +%patch3042 -p1 -b .cve0629 %build cd src @@ -897,6 +900,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %endif %changelog +* Wed Feb 23 2022 Zdenek Dohnal - 2:8.2.2637-14 +- CVE-2022-0629 vim: Stack-based Buffer Overflow in vim prior to 8.2 + * Wed Feb 16 2022 Zdenek Dohnal - 2:8.2.2637-13 - CVE-2022-0572 vim: heap overflow in ex_retab() may lead to crash