rpms
/
vim
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import vim-8.0.1763-16.el8_5.12

This commit is contained in:
CentOS Sources 2022-02-11 05:33:40 +00:00 committed by Stepan Oksanichenko
parent d3233f0430
commit f2d6eb89c1
4 changed files with 200 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
SOURCES/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch Normal file
View File

@ -0,0 +1,33 @@
diff -up vim80/src/ex_cmds.c.cve0361 vim80/src/ex_cmds.c
--- vim80/src/ex_cmds.c.cve0361 2022-02-08 12:20:51.277666290 +0100
+++ vim80/src/ex_cmds.c 2022-02-08 12:20:51.280666209 +0100
@@ -983,6 +983,8 @@ ex_copy(linenr_T line1, linenr_T line2,
}
appended_lines_mark(n, count);
+ if (VIsual_active)
+ check_pos(curbuf, &VIsual);
msgmore((long)count);
}
diff -up vim80/src/testdir/test_visual.vim.cve0361 vim80/src/testdir/test_visual.vim
--- vim80/src/testdir/test_visual.vim.cve0361 2022-02-08 12:20:51.280666209 +0100
+++ vim80/src/testdir/test_visual.vim 2022-02-08 12:21:44.530356814 +0100
@@ -263,3 +263,17 @@ func Test_visual_block_append_invalid_ch
call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
bwipe!
endfunc
+
+" this was leaving the end of the Visual area beyond the end of a line
+func Test_visual_ex_copy_line()
+ new
+ call setline(1, ["aaa", "bbbbbbbbbxbb"])
+ /x
+ exe "normal ggvjfxO"
+ t0
+ normal gNU
+ bwipe!
+endfunc
+
+
+" vim: shiftwidth=2 sts=2 expandtab

85
SOURCES/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch Normal file
View File

@ -0,0 +1,85 @@
commit ec45bc7682fd698d8d39f43732129c4d092355f3
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Wed Feb 2 16:30:11 2022 +0100
Fix illegal memory access with bracketed paste in Ex mode
diff --git a/src/edit.c b/src/edit.c
index f29fbc7..57b8dce 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -9519,27 +9519,33 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
int ret_char = -1;
int save_allow_keys = allow_keys;
int save_paste = p_paste;
- int save_ai = curbuf->b_p_ai;
- /* If the end code is too long we can't detect it, read everything. */
- if (STRLEN(end) >= NUMBUFLEN)
+ // If the end code is too long we can't detect it, read everything.
+ if (end != NULL && STRLEN(end) >= NUMBUFLEN)
end = NULL;
++no_mapping;
allow_keys = 0;
- p_paste = TRUE;
- curbuf->b_p_ai = FALSE;
+ if (!p_paste)
+ // Also have the side effects of setting 'paste' to make it work much
+ // faster.
+ set_option_value((char_u *)"paste", TRUE, NULL, 0);
for (;;)
{
/* When the end is not defined read everything. */
if (end == NULL && vpeekc() == NUL)
break;
- c = plain_vgetc();
-#ifdef FEAT_MBYTE
+ do
+ c = vgetc();
+ while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR);
+ if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C))
+ // When CTRL-C was encountered the typeahead will be flushed and we
+ // won't get the end sequence. Except when using ":normal".
+ break;
+
if (has_mbyte)
idx += (*mb_char2bytes)(c, buf + idx);
else
-#endif
buf[idx++] = c;
buf[idx] = NUL;
if (end != NULL && STRNCMP(buf, end, idx) == 0)
@@ -9557,7 +9563,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
break;
case PASTE_EX:
- if (gap != NULL && ga_grow(gap, idx) == OK)
+ // add one for the NUL that is going to be appended
+ if (gap != NULL && ga_grow(gap, idx + 1) == OK)
{
mch_memmove((char *)gap->ga_data + gap->ga_len,
buf, (size_t)idx);
@@ -9582,11 +9589,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
case PASTE_ONE_CHAR:
if (ret_char == -1)
{
-#ifdef FEAT_MBYTE
if (has_mbyte)
ret_char = (*mb_ptr2char)(buf);
else
-#endif
ret_char = buf[0];
}
break;
@@ -9597,8 +9602,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
--no_mapping;
allow_keys = save_allow_keys;
- p_paste = save_paste;
- curbuf->b_p_ai = save_ai;
+ if (!save_paste)
+ set_option_value((char_u *)"paste", FALSE, NULL, 0);
return ret_char;
}

51
SOURCES/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch Normal file
View File

@ -0,0 +1,51 @@
commit c604f3ad4782fde770617ff688e1ceac0dc1bd7c
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Thu Feb 3 10:14:42 2022 +0100
Fix using freed memory when substitute with function call
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index e69fbd3..0788573 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4767,6 +4767,7 @@ do_sub(exarg_T *eap)
int save_do_all; /* remember user specified 'g' flag */
int save_do_ask; /* remember user specified 'c' flag */
char_u *pat = NULL, *sub = NULL; /* init for GCC */
+ char_u *sub_copy = NULL;
int delimiter;
int sublen;
int got_quit = FALSE;
@@ -5062,11 +5063,20 @@ do_sub(exarg_T *eap)
sub_firstline = NULL;
/*
- * ~ in the substitute pattern is replaced with the old pattern.
- * We do it here once to avoid it to be replaced over and over again.
- * But don't do it when it starts with "\=", then it's an expression.
+ * If the substitute pattern starts with "\=" then it's an expression.
+ * Make a copy, a recursive function may free it.
+ * Otherwise, '~' in the substitute pattern is replaced with the old
+ * pattern. We do it here once to avoid it to be replaced over and over
+ * again.
*/
- if (!(sub[0] == '\\' && sub[1] == '='))
+ if (sub[0] == '\\' && sub[1] == '=')
+ {
+ sub = vim_strsave(sub);
+ if (sub == NULL)
+ return;
+ sub_copy = sub;
+ }
+ else
sub = regtilde(sub, p_magic);
/*
@@ -5825,6 +5835,7 @@ outofmem:
#endif
vim_regfree(regmatch.regprog);
+ vim_free(sub_copy);
/* Restore the flag values, they can be used for ":&&". */
subflags.do_all = save_do_all;

32
SPECS/vim.spec
View File

@ -24,7 +24,7 @@ Summary: The VIM editor
URL: http://www.vim.org/
Name: vim
Version: %{baseversion}.%{patchlevel}
Release: 16%{?dist}.7
Release: 16%{?dist}.12
License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: vim.sh
@ -94,6 +94,12 @@ Patch3029: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
Patch3030: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
# CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
Patch3031: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
# CVE-2022-0413 vim: use after free in src/ex_cmds.c
Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
# CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
# gcc is no longer in buildroot by default
BuildRequires: gcc
@ -302,6 +308,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch3029 -p1 -b .cve0261
%patch3030 -p1 -b .cve0318
%patch3031 -p1 -b .cve0359
%patch3032 -p1 -b .cve0392
%patch3033 -p1 -b .cve0413
%patch3034 -p1 -b .cve0361
%build
%if 0%{?rhel} > 7
@ -820,6 +829,27 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%{_datadir}/icons/locolor/*/apps/*
%changelog
* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.12
- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
* Fri Feb 04 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.11
- CVE-2022-0413 vim: use after free in src/ex_cmds.c
- Fix specfile problems
- Resolves: rhbz#2048525
* Thu Feb 03 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.10
- CVE-2022-0413 vim: use after free in src/ex_cmds.c
- Resolves: rhbz#2048525
* Wed Feb 02 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.9
- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
- Improve fix
- Resolves: rhbz#2049403
* Wed Feb 02 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.8
- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
- Resolves: rhbz#2049403
* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.7
- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c