import vim-8.0.1763-19.el8_6.4
This commit is contained in:
		
							parent
							
								
									426fa15a29
								
							
						
					
					
						commit
						ed9e36b87e
					
				| @ -1,7 +1,8 @@ | ||||
| diff -up vim80/src/globals.h.cve1621 vim80/src/globals.h
 | ||||
| --- vim80/src/globals.h.cve1621	2022-05-24 12:46:44.883952323 +0200
 | ||||
| +++ vim80/src/globals.h	2022-05-24 12:47:30.534183523 +0200
 | ||||
| @@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL
 | ||||
| diff --git a/src/globals.h b/src/globals.h
 | ||||
| index d5320d7..968ba33 100644
 | ||||
| --- a/src/globals.h
 | ||||
| +++ b/src/globals.h
 | ||||
| @@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL);
 | ||||
|  EXTERN int ctrl_break_was_pressed INIT(= FALSE); | ||||
|  #endif | ||||
|   | ||||
| @ -13,9 +14,10 @@ diff -up vim80/src/globals.h.cve1621 vim80/src/globals.h | ||||
|  /* | ||||
|   * Optional Farsi support.  Include it here, so EXTERN and INIT are defined. | ||||
|   */ | ||||
| diff -up vim80/src/mbyte.c.cve1621 vim80/src/mbyte.c
 | ||||
| --- vim80/src/mbyte.c.cve1621	2018-04-09 14:55:56.000000000 +0200
 | ||||
| +++ vim80/src/mbyte.c	2022-05-24 12:22:13.166893098 +0200
 | ||||
| diff --git a/src/mbyte.c b/src/mbyte.c
 | ||||
| index 6d21f11..a7531f1 100644
 | ||||
| --- a/src/mbyte.c
 | ||||
| +++ b/src/mbyte.c
 | ||||
| @@ -4034,7 +4034,7 @@ theend:
 | ||||
|      convert_setup(&vimconv, NULL, NULL); | ||||
|  } | ||||
| @ -25,9 +27,10 @@ diff -up vim80/src/mbyte.c.cve1621 vim80/src/mbyte.c | ||||
|  /* | ||||
|   * Return TRUE if string "s" is a valid utf-8 string. | ||||
|   * When "end" is NULL stop at the first NUL. | ||||
| diff -up vim80/src/spellfile.c.cve1621 vim80/src/spellfile.c
 | ||||
| --- vim80/src/spellfile.c.cve1621	2022-05-24 12:22:13.167893104 +0200
 | ||||
| +++ vim80/src/spellfile.c	2022-05-24 12:49:55.816919350 +0200
 | ||||
| diff --git a/src/spellfile.c b/src/spellfile.c
 | ||||
| index 496e07f..92997ef 100644
 | ||||
| --- a/src/spellfile.c
 | ||||
| +++ b/src/spellfile.c
 | ||||
| @@ -4441,6 +4441,10 @@ store_word(
 | ||||
|      int		res = OK; | ||||
|      char_u	*p; | ||||
| @ -45,7 +48,7 @@ diff -up vim80/src/spellfile.c.cve1621 vim80/src/spellfile.c | ||||
|   | ||||
| +    if (enc_utf8 && !utf_valid_string(word, NULL))
 | ||||
| +    {
 | ||||
| +	emsg(_(e_illegal_character_in_word));
 | ||||
| +	EMSG(_(e_illegal_character_in_word));
 | ||||
| +	return;
 | ||||
| +    }
 | ||||
| +
 | ||||
|  | ||||
| @ -0,0 +1,57 @@ | ||||
| diff -up vim80/src/ex_cmds.c.cve1785 vim80/src/ex_cmds.c
 | ||||
| --- vim80/src/ex_cmds.c.cve1785	2022-06-10 10:46:33.818286626 +0200
 | ||||
| +++ vim80/src/ex_cmds.c	2022-06-10 10:58:04.009515524 +0200
 | ||||
| @@ -5486,12 +5486,17 @@ do_sub(exarg_T *eap)
 | ||||
|  		/* Save flags for recursion.  They can change for e.g. | ||||
|  		 * :s/^/\=execute("s#^##gn") */ | ||||
|  		subflags_save = subflags; | ||||
| +
 | ||||
| +		// Disallow changing text or switching window in an expression.
 | ||||
| +		++textlock;
 | ||||
|  #endif | ||||
|  		/* get length of substitution part */ | ||||
|  		sublen = vim_regsub_multi(®match, | ||||
|  				    sub_firstlnum - regmatch.startpos[0].lnum, | ||||
|  				    sub, sub_firstline, FALSE, p_magic, TRUE); | ||||
|  #ifdef FEAT_EVAL | ||||
| +		--textlock;
 | ||||
| +
 | ||||
|  		/* Don't keep flags set by a recursive call. */ | ||||
|  		subflags = subflags_save; | ||||
|  		if (subflags.do_count) | ||||
| @@ -5570,9 +5575,15 @@ do_sub(exarg_T *eap)
 | ||||
|  		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len); | ||||
|  		new_end += copy_len; | ||||
|   | ||||
| +#ifdef FEAT_EVAL
 | ||||
| +		++textlock;
 | ||||
| +#endif
 | ||||
|  		(void)vim_regsub_multi(®match, | ||||
|  				    sub_firstlnum - regmatch.startpos[0].lnum, | ||||
|  					   sub, new_end, TRUE, p_magic, TRUE); | ||||
| +#ifdef FEAT_EVAL
 | ||||
| +		--textlock;
 | ||||
| +#endif
 | ||||
|  		sub_nsubs++; | ||||
|  		did_sub = TRUE; | ||||
|   | ||||
| diff -up vim80/src/testdir/test_substitute.vim.cve1785 vim80/src/testdir/test_substitute.vim
 | ||||
| --- vim80/src/testdir/test_substitute.vim.cve1785	2022-06-10 10:46:33.818286626 +0200
 | ||||
| +++ vim80/src/testdir/test_substitute.vim	2022-06-10 10:59:17.168437630 +0200
 | ||||
| @@ -500,3 +500,16 @@ func Test_sub_cmd_8()
 | ||||
|    enew! | ||||
|    set titlestring& | ||||
|  endfunc | ||||
| +
 | ||||
| +" This was switching windows in between computing the length and using it.
 | ||||
| +func Test_sub_change_window()
 | ||||
| +  silent! lfile
 | ||||
| +  sil! norm o0000000000000000000000000000000000000000000000000000
 | ||||
| +  func Repl()
 | ||||
| +    lopen
 | ||||
| +  endfunc
 | ||||
| +  silent!  s/\%')/\=Repl()
 | ||||
| +  bwipe!
 | ||||
| +  bwipe!
 | ||||
| +  delfunc Repl
 | ||||
| +endfunc
 | ||||
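Review bot: The second `++textlock`/`--textlock` pair, around the copy call `(void)vim_regsub_multi(..., sub, new_end, TRUE, p_magic, TRUE)`, carries no comment, although this is the pass that writes into the buffer sized from the earlier `sublen` computation. I would add `// The length was computed by the first pass; keep text and window locked so the expression cannot change it before the copy.` above that increment. The lock only helps against commands that consult `text_locked()`, and the copy's return value is discarded, so nothing in these hunks bounds the write on its own. The added test suppresses every error with `silent!`, so it presumably only detects a crash rather than confirming that `Repl()` is refused. do_sub's body starts and ends outside the hunks.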
| @ -0,0 +1,120 @@ | ||||
| diff -up vim80/src/normal.c.cve1897 vim80/src/normal.c
 | ||||
| --- vim80/src/normal.c.cve1897	2022-06-13 14:50:22.800290132 +0200
 | ||||
| +++ vim80/src/normal.c	2022-06-13 14:55:06.082861349 +0200
 | ||||
| @@ -532,6 +532,22 @@ find_command(int cmdchar)
 | ||||
|  } | ||||
|   | ||||
|  /* | ||||
| + * If currently editing a cmdline or text is locked: beep and give an error
 | ||||
| + * message, return TRUE.
 | ||||
| + */
 | ||||
| +    static int
 | ||||
| +check_text_locked(oparg_T *oap)
 | ||||
| +{
 | ||||
| +    if (text_locked())
 | ||||
| +    {
 | ||||
| +	clearopbeep(oap);
 | ||||
| +	text_locked_msg();
 | ||||
| +	return TRUE;
 | ||||
| +    }
 | ||||
| +    return FALSE;
 | ||||
| +}
 | ||||
| +
 | ||||
| +/*
 | ||||
|   * Execute a command in Normal mode. | ||||
|   */ | ||||
|      void | ||||
| @@ -792,14 +808,9 @@ getcount:
 | ||||
|  	goto normal_end; | ||||
|      } | ||||
|   | ||||
| -    if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
 | ||||
| -    {
 | ||||
| -	/* This command is not allowed while editing a cmdline: beep. */
 | ||||
| -	clearopbeep(oap);
 | ||||
| -	text_locked_msg();
 | ||||
| -	goto normal_end;
 | ||||
| -    }
 | ||||
| -    if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
 | ||||
| +    if ((nv_cmds[idx].cmd_flags & NV_NCW)
 | ||||
| +				&& (check_text_locked(oap) || curbuf_locked()))
 | ||||
| +	// this command is not allowed now
 | ||||
|  	goto normal_end; | ||||
|   | ||||
|      /* | ||||
| @@ -6234,12 +6245,8 @@ nv_gotofile(cmdarg_T *cap)
 | ||||
|      char_u	*ptr; | ||||
|      linenr_T	lnum = -1; | ||||
|   | ||||
| -    if (text_locked())
 | ||||
| -    {
 | ||||
| -	clearopbeep(cap->oap);
 | ||||
| -	text_locked_msg();
 | ||||
| +    if (check_text_locked(cap->oap))
 | ||||
|  	return; | ||||
| -    }
 | ||||
|      if (curbuf_locked()) | ||||
|      { | ||||
|  	clearop(cap->oap); | ||||
| @@ -8420,14 +8427,7 @@ nv_g_cmd(cmdarg_T *cap)
 | ||||
|   | ||||
|      /* "gQ": improved Ex mode */ | ||||
|      case 'Q': | ||||
| -	if (text_locked())
 | ||||
| -	{
 | ||||
| -	    clearopbeep(cap->oap);
 | ||||
| -	    text_locked_msg();
 | ||||
| -	    break;
 | ||||
| -	}
 | ||||
| -
 | ||||
| -	if (!checkclearopq(oap))
 | ||||
| +	if (!check_text_locked(cap->oap) && !checkclearopq(oap))
 | ||||
|  	    do_exmode(TRUE); | ||||
|  	break; | ||||
|   | ||||
| diff -up vim80/src/testdir/test_substitute.vim.cve1897 vim80/src/testdir/test_substitute.vim
 | ||||
| --- vim80/src/testdir/test_substitute.vim.cve1897	2022-06-13 14:50:22.849290402 +0200
 | ||||
| +++ vim80/src/testdir/test_substitute.vim	2022-06-13 14:55:50.370111134 +0200
 | ||||
| @@ -513,3 +513,26 @@ func Test_sub_change_window()
 | ||||
|    bwipe! | ||||
|    delfunc Repl | ||||
|  endfunc | ||||
| +
 | ||||
| +" This was undoign a change in between computing the length and using it.
 | ||||
| +func Do_Test_sub_undo_change()
 | ||||
| +  new
 | ||||
| +  norm o0000000000000000000000000000000000000000000000000000
 | ||||
| +  silent! s/\%')/\=Repl()
 | ||||
| +  bwipe!
 | ||||
| +endfunc
 | ||||
| +
 | ||||
| +func Test_sub_undo_change()
 | ||||
| +  func Repl()
 | ||||
| +    silent! norm g-
 | ||||
| +  endfunc
 | ||||
| +  call Do_Test_sub_undo_change()
 | ||||
| +
 | ||||
| +  func! Repl()
 | ||||
| +    silent earlier
 | ||||
| +  endfunc
 | ||||
| +  call Do_Test_sub_undo_change()
 | ||||
| +
 | ||||
| +  delfunc Repl
 | ||||
| +endfunc
 | ||||
| +
 | ||||
| diff -up vim80/src/undo.c.cve1897 vim80/src/undo.c
 | ||||
| --- vim80/src/undo.c.cve1897	2022-06-13 14:50:22.849290402 +0200
 | ||||
| +++ vim80/src/undo.c	2022-06-13 14:56:57.916492090 +0200
 | ||||
| @@ -2283,6 +2283,12 @@ undo_time(
 | ||||
|      if (curbuf->b_u_synced == FALSE) | ||||
|  	u_sync(TRUE); | ||||
|   | ||||
| +    if (text_locked())
 | ||||
| +    {
 | ||||
| +	text_locked_msg();
 | ||||
| +	return;
 | ||||
| +    }
 | ||||
| +
 | ||||
|      u_newcount = 0; | ||||
|      u_oldcount = 0; | ||||
|      if (curbuf->b_ml.ml_flags & ML_EMPTY) | ||||
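Review bot: In the undo.c hunk the new `text_locked()` guard sits after `if (curbuf->b_u_synced == FALSE) u_sync(TRUE);`, so a call that is about to be refused has already synced the pending undo entry. Placing the guard before the sync would leave a refused call free of side effects: `if (text_locked()) { text_locked_msg(); return; }` ahead of the `b_u_synced` test. Whether that sync is harmful while a substitute expression is being evaluated cannot be told from these lines, so this is a precaution rather than a confirmed defect. The start of undo_time is outside the hunk.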
| @ -0,0 +1,85 @@ | ||||
| diff -up vim80/src/ex_docmd.c.cve1927 vim80/src/ex_docmd.c
 | ||||
| --- vim80/src/ex_docmd.c.cve1927	2022-06-13 16:31:41.841068554 +0200
 | ||||
| +++ vim80/src/ex_docmd.c	2022-06-13 16:37:02.789876973 +0200
 | ||||
| @@ -1720,6 +1720,8 @@ do_one_cmd(
 | ||||
|      int			ni;			/* set when Not Implemented */ | ||||
|      char_u		*cmd; | ||||
|      int			address_count = 1; | ||||
| +    int			need_check_cursor = FALSE;
 | ||||
| +    int			ret_addr = FAIL;
 | ||||
|   | ||||
|      vim_memset(&ea, 0, sizeof(ea)); | ||||
|      ea.line1 = 1; | ||||
| @@ -2084,7 +2086,7 @@ do_one_cmd(
 | ||||
|  	lnum = get_address(&ea, &ea.cmd, ea.addr_type, ea.skip, | ||||
|  					  ea.addr_count == 0, address_count++); | ||||
|  	if (ea.cmd == NULL)		    /* error detected */ | ||||
| -	    goto doend;
 | ||||
| +	    goto addr_end;
 | ||||
|  	if (lnum == MAXLNUM) | ||||
|  	{ | ||||
|  	    if (*ea.cmd == '%')		    /* '%' - all lines */ | ||||
| @@ -2128,12 +2130,12 @@ do_one_cmd(
 | ||||
|  			    /* there is no Vim command which uses '%' and | ||||
|  			     * ADDR_WINDOWS or ADDR_TABS */ | ||||
|  			    errormsg = (char_u *)_(e_invrange); | ||||
| -			    goto doend;
 | ||||
| +			    goto addr_end;
 | ||||
|  			} | ||||
|  			break; | ||||
|  		    case ADDR_TABS_RELATIVE: | ||||
|  			errormsg = (char_u *)_(e_invrange); | ||||
| -			goto doend;
 | ||||
| +			goto addr_end;
 | ||||
|  			break; | ||||
|  		    case ADDR_ARGUMENTS: | ||||
|  			if (ARGCOUNT == 0) | ||||
| @@ -2163,7 +2165,7 @@ do_one_cmd(
 | ||||
|  		if (ea.addr_type != ADDR_LINES) | ||||
|  		{ | ||||
|  		    errormsg = (char_u *)_(e_invrange); | ||||
| -		    goto doend;
 | ||||
| +		    goto addr_end;
 | ||||
|  		} | ||||
|   | ||||
|  		++ea.cmd; | ||||
| @@ -2171,11 +2173,11 @@ do_one_cmd(
 | ||||
|  		{ | ||||
|  		    fp = getmark('<', FALSE); | ||||
|  		    if (check_mark(fp) == FAIL) | ||||
| -			goto doend;
 | ||||
| +			goto addr_end;
 | ||||
|  		    ea.line1 = fp->lnum; | ||||
|  		    fp = getmark('>', FALSE); | ||||
|  		    if (check_mark(fp) == FAIL) | ||||
| -			goto doend;
 | ||||
| +			goto addr_end;
 | ||||
|  		    ea.line2 = fp->lnum; | ||||
|  		    ++ea.addr_count; | ||||
|  		} | ||||
| @@ -2190,8 +2192,11 @@ do_one_cmd(
 | ||||
|  	    if (!ea.skip) | ||||
|  	    { | ||||
|  		curwin->w_cursor.lnum = ea.line2; | ||||
| +
 | ||||
|  		/* don't leave the cursor on an illegal line or column */ | ||||
| +		// Check the cursor position before returning.
 | ||||
|  		check_cursor(); | ||||
| +		need_check_cursor = TRUE;
 | ||||
|  	    } | ||||
|  	} | ||||
|  	else if (*ea.cmd != ',') | ||||
| @@ -2208,6 +2213,13 @@ do_one_cmd(
 | ||||
|  	    ea.addr_count = 0; | ||||
|      } | ||||
|   | ||||
| +    ret_addr = OK;
 | ||||
| +
 | ||||
| +addr_end:
 | ||||
| +    if (need_check_cursor)
 | ||||
| +	check_cursor();
 | ||||
| +    if (ret_addr == FAIL)
 | ||||
| +	goto doend;
 | ||||
|  /* | ||||
|   * 5. Parse the command. | ||||
|   */ | ||||
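Review bot: The `addr_end:` label has no comment saying that every error exit from address parsing must pass through it, which is what makes the deferred `check_cursor()` effective; any `goto doend` still left in that loop (the hunks do not show all of it) would skip the re-validation. I would add `// All exits from address parsing land here so the cursor is validated before returning.` above the label. In the `-2190` hunk the added `// Check the cursor position before returning.` sits above the immediate `check_cursor()` call although it describes `need_check_cursor = TRUE;`, so moving it one line down would make both comments read correctly. do_one_cmd starts and ends outside the hunks.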
| @ -24,7 +24,7 @@ Summary: The VIM editor | ||||
| URL:     http://www.vim.org/ | ||||
| Name: vim | ||||
| Version: %{baseversion}.%{patchlevel} | ||||
| Release: 19%{?dist}.2 | ||||
| Release: 19%{?dist}.4 | ||||
| License: Vim and MIT | ||||
| Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 | ||||
| Source1: vim.sh | ||||
| @ -106,6 +106,12 @@ Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch | ||||
| Patch3036: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch | ||||
| # CVE-2022-1629 vim: buffer over-read | ||||
| Patch3037: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch | ||||
| # CVE-2022-1785 vim: Out-of-bounds Write | ||||
| Patch3038: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch | ||||
| # CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c | ||||
| Patch3039: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch | ||||
| # CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c | ||||
| Patch3040: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch | ||||
| 
 | ||||
| # gcc is no longer in buildroot by default | ||||
| BuildRequires: gcc | ||||
| @ -320,6 +326,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk | ||||
| %patch3035 -p1 -b .cve1154 | ||||
| %patch3036 -p1 -b .cve1621 | ||||
| %patch3037 -p1 -b .cve1629 | ||||
| %patch3038 -p1 -b .cve1785 | ||||
| %patch3039 -p1 -b .cve1897 | ||||
| %patch3040 -p1 -b .cve1927 | ||||
| 
 | ||||
| %build | ||||
| %if 0%{?rhel} > 7 | ||||
| @ -838,6 +847,14 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags | ||||
| %{_datadir}/icons/locolor/*/apps/* | ||||
| 
 | ||||
| %changelog | ||||
| * Tue Jun 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.4 | ||||
| - fix issue reported by covscan | ||||
| 
 | ||||
| * Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.3 | ||||
| - CVE-2022-1785 vim: Out-of-bounds Write | ||||
| - CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c | ||||
| - CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c | ||||
| 
 | ||||
| * Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.2 | ||||
| - CVE-2022-1621 vim: heap buffer overflow | ||||
| - CVE-2022-1629 vim: buffer over-read | ||||
|  | ||||