diff --git a/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch b/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
new file mode 100644
index 0000000..b5a9272
--- /dev/null
+++ b/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
@@ -0,0 +1,59 @@
+diff -up vim82/src/ex_cmds.c.cve1785 vim82/src/ex_cmds.c
+--- vim82/src/ex_cmds.c.cve1785 2022-06-10 10:26:16.883312704 +0200
++++ vim82/src/ex_cmds.c 2022-06-10 10:26:16.910312568 +0200
+@@ -4356,12 +4356,17 @@ ex_substitute(exarg_T *eap)
+ // Save flags for recursion. They can change for e.g.
+ // :s/^/\=execute("s#^##gn")
+ subflags_save = subflags;
++
++ // Disallow changing text or switching window in an expression.
++ ++textwinlock;
+ #endif
+ // get length of substitution part
+ sublen = vim_regsub_multi(®match,
+ sub_firstlnum - regmatch.startpos[0].lnum,
+ sub, sub_firstline, FALSE, magic_isset(), TRUE);
+ #ifdef FEAT_EVAL
++ --textwinlock;
++
+ // If getting the substitute string caused an error, don't do
+ // the replacement.
+ // Don't keep flags set by a recursive call.
+@@ -4462,9 +4467,15 @@ ex_substitute(exarg_T *eap)
+ mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ new_end += copy_len;
+
++#ifdef FEAT_EVAL
++ ++textwinlock;
++#endif
+ (void)vim_regsub_multi(®match,
+ sub_firstlnum - regmatch.startpos[0].lnum,
+ sub, new_end, TRUE, magic_isset(), TRUE);
++#ifdef FEAT_EVAL
++ --textwinlock;
++#endif
+ sub_nsubs++;
+ did_sub = TRUE;
+
+diff -up vim82/src/testdir/test_substitute.vim.cve1785 vim82/src/testdir/test_substitute.vim
+--- vim82/src/testdir/test_substitute.vim.cve1785 2022-06-10 10:26:16.910312568 +0200
++++ vim82/src/testdir/test_substitute.vim 2022-06-10 10:27:02.166084629 +0200
+@@ -942,5 +942,18 @@ func Test_using_old_sub()
+ set nocompatible
+ endfunc
+
++" This was switching windows in between computing the length and using it.
++func Test_sub_change_window()
++ silent! lfile
++ sil! norm o0000000000000000000000000000000000000000000000000000
++ func Repl()
++ lopen
++ endfunc
++ silent! s/\%')/\=Repl()
++ bwipe!
++ bwipe!
++ delfunc Repl
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index c6e40da..e1913f6 100644
--- a/vim.spec
+++ b/vim.spec
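Review bot: The new `Test_sub_change_window` covers only the window-switch half of what the added `++textwinlock` is meant to block; the comment added in the first C hunk reads `Disallow changing text or switching window in an expression`, but no test has `Repl()` alter the buffer (for example with `setline()` or `:norm`) between the `sublen` computation and the write into `new_end`, which is the other way the computed length can go stale. Because the substitution runs under `silent!`, the test also only proves the process survives, not that the lock rejects the expression; wrapping it as `call assert_fails('s/\%'')/\=Repl()', 'E565:')` (the textwinlock error in upstream, if I recall the number correctly) would catch a backport where the counter is incremented but never checked. The two `vim_regsub_multi(®match,` lines look mis-encoded in this rendering and are presumably `&regmatch` in the committed file; worth a quick check that `%patch3050` still applies cleanly, since the backport also assumes `textwinlock` already exists in the 8.2.2637 base. `ex_substitute` begins and ends outside this hunk.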
@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -128,6 +128,7 @@ Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
 Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
 # CVE-2022-1629 vim: buffer over-read
 Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
+Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -364,6 +365,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3047 -p1 -b .cve1420
 %patch3048 -p1 -b .cve1621
 %patch3049 -p1 -b .cve1629
+%patch3050 -p1 -b .cve1785
 %build
 cd src
@@ -921,6 +923,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 %changelog
+* Mon Jun 13 2022 Zdenek Dohnal - 2:8.2.2637-19
+- CVE-2022-1785 vim: Out-of-bounds Write
+
 * Tue May 24 2022 Zdenek Dohnal - 2:8.2.2637-18
 - CVE-2022-1621 vim: heap buffer overflow
 - CVE-2022-1629 vim: buffer over-read