import vim-8.0.1763-19.el8_6.4

2022-06-23 16:36:12 +00:00 · 2022-06-23 16:36:12 +00:00 · ed9e36b87e
commit ed9e36b87e
parent 426fa15a29
5 changed files with 294 additions and 12 deletions
--- a/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
+++ b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
@ -1,7 +1,8 @@
-diff -up vim80/src/globals.h.cve1621 vim80/src/globals.h
+diff --git a/src/globals.h b/src/globals.h
--- vim80/src/globals.h.cve1621	2022-05-24 12:46:44.883952323 +0200
+index d5320d7..968ba33 100644
-+++ vim80/src/globals.h	2022-05-24 12:47:30.534183523 +0200
+--- a/src/globals.h
-@@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL
+++ b/src/globals.h
@@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL);
 EXTERN int ctrl_break_was_pressed INIT(= FALSE);
 #endif
@ -13,9 +14,10 @@ diff -up vim80/src/globals.h.cve1621 vim80/src/globals.h
 /*
  * Optional Farsi support.  Include it here, so EXTERN and INIT are defined.
  */
-diff -up vim80/src/mbyte.c.cve1621 vim80/src/mbyte.c
+diff --git a/src/mbyte.c b/src/mbyte.c
--- vim80/src/mbyte.c.cve1621	2018-04-09 14:55:56.000000000 +0200
+index 6d21f11..a7531f1 100644
-+++ vim80/src/mbyte.c	2022-05-24 12:22:13.166893098 +0200
+--- a/src/mbyte.c
 +++ b/src/mbyte.c
@@ -4034,7 +4034,7 @@ theend:
     convert_setup(&vimconv, NULL, NULL);
 }
@ -25,9 +27,10 @@ diff -up vim80/src/mbyte.c.cve1621 vim80/src/mbyte.c
 /*
  * Return TRUE if string "s" is a valid utf-8 string.
  * When "end" is NULL stop at the first NUL.
-diff -up vim80/src/spellfile.c.cve1621 vim80/src/spellfile.c
+diff --git a/src/spellfile.c b/src/spellfile.c
--- vim80/src/spellfile.c.cve1621	2022-05-24 12:22:13.167893104 +0200
+index 496e07f..92997ef 100644
-+++ vim80/src/spellfile.c	2022-05-24 12:49:55.816919350 +0200
+--- a/src/spellfile.c
 +++ b/src/spellfile.c
@@ -4441,6 +4441,10 @@ store_word(
     int		res = OK;
     char_u	*p;
@ -45,7 +48,7 @@ diff -up vim80/src/spellfile.c.cve1621 vim80/src/spellfile.c
 +    if (enc_utf8 && !utf_valid_string(word, NULL))
 +    {
-+	emsg(_(e_illegal_character_in_word));
+	EMSG(_(e_illegal_character_in_word));
 +	return;
 +    }
 +
--- a/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
+++ b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
@ -0,0 +1,57 @@
 diff -up vim80/src/ex_cmds.c.cve1785 vim80/src/ex_cmds.c
 --- vim80/src/ex_cmds.c.cve1785	2022-06-10 10:46:33.818286626 +0200
 +++ vim80/src/ex_cmds.c	2022-06-10 10:58:04.009515524 +0200
@@ -5486,12 +5486,17 @@ do_sub(exarg_T *eap)
 		/* Save flags for recursion.  They can change for e.g.
 		 * :s/^/\=execute("s#^##gn") */
 		subflags_save = subflags;
 +
 +		// Disallow changing text or switching window in an expression.
 +		++textlock;
 #endif
 		/* get length of substitution part */
 		sublen = vim_regsub_multi(&regmatch,
 				    sub_firstlnum - regmatch.startpos[0].lnum,
 				    sub, sub_firstline, FALSE, p_magic, TRUE);
 #ifdef FEAT_EVAL
 +		--textlock;
 +
 		/* Don't keep flags set by a recursive call. */
 		subflags = subflags_save;
 		if (subflags.do_count)
@@ -5570,9 +5575,15 @@ do_sub(exarg_T *eap)
 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
 		new_end += copy_len;
 +#ifdef FEAT_EVAL
 +		++textlock;
 +#endif
 		(void)vim_regsub_multi(&regmatch,
 				    sub_firstlnum - regmatch.startpos[0].lnum,
 					   sub, new_end, TRUE, p_magic, TRUE);
 +#ifdef FEAT_EVAL
 +		--textlock;
 +#endif
 		sub_nsubs++;
 		did_sub = TRUE;
 diff -up vim80/src/testdir/test_substitute.vim.cve1785 vim80/src/testdir/test_substitute.vim
 --- vim80/src/testdir/test_substitute.vim.cve1785	2022-06-10 10:46:33.818286626 +0200
 +++ vim80/src/testdir/test_substitute.vim	2022-06-10 10:59:17.168437630 +0200
@@ -500,3 +500,16 @@ func Test_sub_cmd_8()
   enew!
   set titlestring&
 endfunc
 +
 +" This was switching windows in between computing the length and using it.
 +func Test_sub_change_window()
 +  silent! lfile
 +  sil! norm o0000000000000000000000000000000000000000000000000000
 +  func Repl()
 +    lopen
 +  endfunc
 +  silent!  s/\%')/\=Repl()
 +  bwipe!
 +  bwipe!
 +  delfunc Repl
 +endfunc
--- a/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
+++ b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
@ -0,0 +1,120 @@
 diff -up vim80/src/normal.c.cve1897 vim80/src/normal.c
 --- vim80/src/normal.c.cve1897	2022-06-13 14:50:22.800290132 +0200
 +++ vim80/src/normal.c	2022-06-13 14:55:06.082861349 +0200
@@ -532,6 +532,22 @@ find_command(int cmdchar)
 }
 /*
 + * If currently editing a cmdline or text is locked: beep and give an error
 + * message, return TRUE.
 + */
 +    static int
 +check_text_locked(oparg_T *oap)
 +{
 +    if (text_locked())
 +    {
 +	clearopbeep(oap);
 +	text_locked_msg();
 +	return TRUE;
 +    }
 +    return FALSE;
 +}
 +
 +/*
  * Execute a command in Normal mode.
  */
     void
@@ -792,14 +808,9 @@ getcount:
 	goto normal_end;
     }
 -    if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
 -    {
 -	/* This command is not allowed while editing a cmdline: beep. */
 -	clearopbeep(oap);
 -	text_locked_msg();
 -	goto normal_end;
 -    }
 -    if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
 +    if ((nv_cmds[idx].cmd_flags & NV_NCW)
 +				&& (check_text_locked(oap) || curbuf_locked()))
 +	// this command is not allowed now
 	goto normal_end;
     /*
@@ -6234,12 +6245,8 @@ nv_gotofile(cmdarg_T *cap)
     char_u	*ptr;
     linenr_T	lnum = -1;
 -    if (text_locked())
 -    {
 -	clearopbeep(cap->oap);
 -	text_locked_msg();
 +    if (check_text_locked(cap->oap))
 	return;
 -    }
     if (curbuf_locked())
     {
 	clearop(cap->oap);
@@ -8420,14 +8427,7 @@ nv_g_cmd(cmdarg_T *cap)
     /* "gQ": improved Ex mode */
     case 'Q':
 -	if (text_locked())
 -	{
 -	    clearopbeep(cap->oap);
 -	    text_locked_msg();
 -	    break;
 -	}
 -
 -	if (!checkclearopq(oap))
 +	if (!check_text_locked(cap->oap) && !checkclearopq(oap))
 	    do_exmode(TRUE);
 	break;
 diff -up vim80/src/testdir/test_substitute.vim.cve1897 vim80/src/testdir/test_substitute.vim
 --- vim80/src/testdir/test_substitute.vim.cve1897	2022-06-13 14:50:22.849290402 +0200
 +++ vim80/src/testdir/test_substitute.vim	2022-06-13 14:55:50.370111134 +0200
@@ -513,3 +513,26 @@ func Test_sub_change_window()
   bwipe!
   delfunc Repl
 endfunc
 +
 +" This was undoign a change in between computing the length and using it.
 +func Do_Test_sub_undo_change()
 +  new
 +  norm o0000000000000000000000000000000000000000000000000000
 +  silent! s/\%')/\=Repl()
 +  bwipe!
 +endfunc
 +
 +func Test_sub_undo_change()
 +  func Repl()
 +    silent! norm g-
 +  endfunc
 +  call Do_Test_sub_undo_change()
 +
 +  func! Repl()
 +    silent earlier
 +  endfunc
 +  call Do_Test_sub_undo_change()
 +
 +  delfunc Repl
 +endfunc
 +
 diff -up vim80/src/undo.c.cve1897 vim80/src/undo.c
 --- vim80/src/undo.c.cve1897	2022-06-13 14:50:22.849290402 +0200
 +++ vim80/src/undo.c	2022-06-13 14:56:57.916492090 +0200
@@ -2283,6 +2283,12 @@ undo_time(
     if (curbuf->b_u_synced == FALSE)
 	u_sync(TRUE);
 +    if (text_locked())
 +    {
 +	text_locked_msg();
 +	return;
 +    }
 +
     u_newcount = 0;
     u_oldcount = 0;
     if (curbuf->b_ml.ml_flags & ML_EMPTY)
--- a/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
+++ b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
@ -0,0 +1,85 @@
 diff -up vim80/src/ex_docmd.c.cve1927 vim80/src/ex_docmd.c
 --- vim80/src/ex_docmd.c.cve1927	2022-06-13 16:31:41.841068554 +0200
 +++ vim80/src/ex_docmd.c	2022-06-13 16:37:02.789876973 +0200
@@ -1720,6 +1720,8 @@ do_one_cmd(
     int			ni;			/* set when Not Implemented */
     char_u		*cmd;
     int			address_count = 1;
 +    int			need_check_cursor = FALSE;
 +    int			ret_addr = FAIL;
     vim_memset(&ea, 0, sizeof(ea));
     ea.line1 = 1;
@@ -2084,7 +2086,7 @@ do_one_cmd(
 	lnum = get_address(&ea, &ea.cmd, ea.addr_type, ea.skip,
 					  ea.addr_count == 0, address_count++);
 	if (ea.cmd == NULL)		    /* error detected */
 -	    goto doend;
 +	    goto addr_end;
 	if (lnum == MAXLNUM)
 	{
 	    if (*ea.cmd == '%')		    /* '%' - all lines */
@@ -2128,12 +2130,12 @@ do_one_cmd(
 			    /* there is no Vim command which uses '%' and
 			     * ADDR_WINDOWS or ADDR_TABS */
 			    errormsg = (char_u *)_(e_invrange);
 -			    goto doend;
 +			    goto addr_end;
 			}
 			break;
 		    case ADDR_TABS_RELATIVE:
 			errormsg = (char_u *)_(e_invrange);
 -			goto doend;
 +			goto addr_end;
 			break;
 		    case ADDR_ARGUMENTS:
 			if (ARGCOUNT == 0)
@@ -2163,7 +2165,7 @@ do_one_cmd(
 		if (ea.addr_type != ADDR_LINES)
 		{
 		    errormsg = (char_u *)_(e_invrange);
 -		    goto doend;
 +		    goto addr_end;
 		}
 		++ea.cmd;
@@ -2171,11 +2173,11 @@ do_one_cmd(
 		{
 		    fp = getmark('<', FALSE);
 		    if (check_mark(fp) == FAIL)
 -			goto doend;
 +			goto addr_end;
 		    ea.line1 = fp->lnum;
 		    fp = getmark('>', FALSE);
 		    if (check_mark(fp) == FAIL)
 -			goto doend;
 +			goto addr_end;
 		    ea.line2 = fp->lnum;
 		    ++ea.addr_count;
 		}
@@ -2190,8 +2192,11 @@ do_one_cmd(
 	    if (!ea.skip)
 	    {
 		curwin->w_cursor.lnum = ea.line2;
 +
 		/* don't leave the cursor on an illegal line or column */
 +		// Check the cursor position before returning.
 		check_cursor();
 +		need_check_cursor = TRUE;
 	    }
 	}
 	else if (*ea.cmd != ',')
@@ -2208,6 +2213,13 @@ do_one_cmd(
 	    ea.addr_count = 0;
     }
 +    ret_addr = OK;
 +
 +addr_end:
 +    if (need_check_cursor)
 +	check_cursor();
 +    if (ret_addr == FAIL)
 +	goto doend;
 /*
  * 5. Parse the command.
  */
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 19%{?dist}.2
+Release: 19%{?dist}.4
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@ -106,6 +106,12 @@ Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
 Patch3036: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
 # CVE-2022-1629 vim: buffer over-read
 Patch3037: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
 # CVE-2022-1785 vim: Out-of-bounds Write
 Patch3038: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
 # CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
 Patch3039: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
 # CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
 Patch3040: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -320,6 +326,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3035 -p1 -b .cve1154
 %patch3036 -p1 -b .cve1621
 %patch3037 -p1 -b .cve1629
 %patch3038 -p1 -b .cve1785
 %patch3039 -p1 -b .cve1897
 %patch3040 -p1 -b .cve1927
 %build
 %if 0%{?rhel} > 7
@ -838,6 +847,14 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 %changelog
 * Tue Jun 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.4
 - fix issue reported by covscan
 * Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.3
 - CVE-2022-1785 vim: Out-of-bounds Write
 - CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
 - CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
 * Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.2
 - CVE-2022-1621 vim: heap buffer overflow
 - CVE-2022-1629 vim: buffer over-read