diff --git a/backport-CVE-2022-0351.patch b/backport-CVE-2022-0351.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a9096830b8ed7a9fed026e25661da94c3dc972d9
--- /dev/null
+++ b/backport-CVE-2022-0351.patch
@@ -0,0 +1,78 @@
+From: Bram Moolenaar
+Date: Mon, 24 Jan 2022 18:16:12 +0000
+Subject: [PATCH] patch 8.2.4206: condition with many "(" causes a crash
+
+Problem: Condition with many "(" causes a crash.
+Solution: Limit recursion to 1000.
+---
+ src/eval.c | 12 ++++++++++++
+ src/globals.h | 2 ++
+ src/testdir/test_eval_stuff.vim | 5 +++++
+ 3 files changed, 19 insertions(+)
+
+diff --git a/src/eval.c b/src/eval.c
+index 3b563f7..95dda90 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -2495,6 +2495,7 @@ eval7(
+ char_u *start_leader, *end_leader;
+ int ret = OK;
+ char_u *alias;
++ static int recurse = 0;
+
+ /*
+ * Initialise variable so that clear_tv() can't mistake this for a
+@@ -2521,6 +2522,15 @@ eval7(
+ return FAIL;
+ }
+
++ // Limit recursion to 1000 levels. At least at 10000 we run out of stack
++ // and crash.
++ if (recurse == 1000)
++ {
++ semsg(_(e_expression_too_recursive_str), *arg);
++ return FAIL;
++ }
++ ++recurse;
++
+ switch (**arg)
+ {
+ /*
+@@ -2761,6 +2771,8 @@ eval7(
+ */
+ if (ret == OK && evaluate && end_leader > start_leader)
+ ret = eval7_leader(rettv, start_leader, &end_leader);
++
++ --recurse;
+ return ret;
+ }
+
+diff --git a/src/globals.h b/src/globals.h
+index 75092b7..659bad6 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1464,6 +1464,8 @@ EXTERN char e_endwhile[] INIT(= N_("E170: Missing :endwhile"));
+ EXTERN char e_endfor[] INIT(= N_("E170: Missing :endfor"));
+ EXTERN char e_while[] INIT(= N_("E588: :endwhile without :while"));
+ EXTERN char e_for[] INIT(= N_("E588: :endfor without :for"));
++EXTERN char e_expression_too_recursive_str[]
++ INIT(= N_("E1169: Expression too recursive: %s"));
+ #endif
+ EXTERN char e_exists[] INIT(= N_("E13: File exists (add ! 
to override)"));
+ EXTERN char e_failed[] INIT(= N_("E472: Command failed"));
+diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
+index ec566da..32a5411 100644
+--- a/src/testdir/test_eval_stuff.vim
++++ b/src/testdir/test_eval_stuff.vim
+@@ -216,3 +216,8 @@ func Test_scriptversion_fail()
+ call assert_fails('source Xversionscript', 'E999:')
+ call delete('Xversionscript')
+ endfunc
++
++func Test_deep_recursion()
++ " this was running out of stack
++ call assert_fails("exe 'if ' .. repeat('(', 1002)", 'E1169: Expression too recursive: ((')+endfunc
++endfunc
+--
+1.8.3.1
+
diff --git a/backport-CVE-2022-0359.patch b/backport-CVE-2022-0359.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cd2f04b8a39e5acfe362e586cc3cafa034faa790
--- /dev/null
+++ b/backport-CVE-2022-0359.patch
@@ -0,0 +1,28 @@
+From 85b6747abc15a7a81086db31289cf1b8b17e6cb1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 25 Jan 2022 11:55:02 +0000
+Subject: [PATCH] patch 8.2.4214: illegal memory access with large 'tabstop' in
+ Ex mode
+
+Problem: Illegal memory access with large 'tabstop' in Ex mode.
+Solution: Allocate enough memory.
+---
+ src/ex_getln.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 769dcb8..68b4757 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -856,7 +856,7 @@ getcmdline_int(
+ ccline.cmdindent = (firstc > 0 ? indent : 0);
+
+ // alloc initial ccline.cmdbuff
+- alloc_cmdbuff(exmode_active ? 250 : indent + 1);
++ alloc_cmdbuff(indent + 50);
+ if (ccline.cmdbuff == NULL)
+ goto theend; // out of memory
+ ccline.cmdlen = ccline.cmdpos = 0;
+--
+1.8.3.1
+
diff --git a/backport-CVE-2022-0361.patch b/backport-CVE-2022-0361.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f0ad2e0b4c918bf3f9f5111ff9b75d12b45f89cd
--- /dev/null
+++ b/backport-CVE-2022-0361.patch
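Review bot: The `static int recurse` counter is raised at `++recurse;` and lowered only on the single line before the final `return ret;`, so any path inside the `switch` that leaves eval7() without reaching `--recurse;` — the hunks do not show whether such a path exists — would leave the counter permanently raised, lowering the effective limit for the rest of the session until every expression is refused; decrementing on every exit (or jumping to the decrement) is the safer shape, and a comment above `++recurse;` such as `// every return after this point must go through --recurse` would make the invariant explicit for the next backporter. Separately, the added test line in test_eval_stuff.vim reads `... too recursive: ((')+endfunc` and is followed by a second `++endfunc`; if that `+endfunc` is literally in the patch file rather than a rendering artifact, the `:call` line is not valid Vim script and the new test cannot pass, so the file should be checked before it is applied. eval7() begins and ends outside the hunks.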
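Review bot: `alloc_cmdbuff(indent + 50)` replaces the explicit Ex-mode size with an unexplained constant, and nothing in the hunk records why 50 bytes beyond the indent is enough; presumably the buffer is grown on demand when more text is typed, but that growth path is not visible here. A comment such as `// indent plus some initial room for typed text; grown later as needed` (confirm against the resize code in ex_getln.c) would stop a reader from taking 50 as a hard bound. getcmdline_int() starts and ends outside the hunk.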
@@ -0,0 +1,51 @@
+From dc5490e2cbc8c16022a23b449b48c1bd0083f366 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 25 Jan 2022 13:52:53 +0000
+Subject: [PATCH] patch 8.2.4215: illegal memory access when copying lines in
+ Visual mode
+
+Problem: Illegal memory access when copying lines in Visual mode.
+Solution: Adjust the Visual position after copying lines.
+---
+ src/ex_cmds.c | 2 ++
+ src/testdir/test_visual.vim | 11 +++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 8f6444f..cccdf47 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -864,6 +864,8 @@ ex_copy(linenr_T line1, linenr_T line2, linenr_T n)
+ }
+
+ appended_lines_mark(n, count);
++ if (VIsual_active)
++ check_pos(curbuf, &VIsual);
+
+ msgmore((long)count);
+ }
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 3ed927a..dbc28eb 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -659,6 +659,17 @@ func Test_linewise_select_mode()
+ exe "normal GkkgH\"
+ call assert_equal(['', 'b', 'c'], getline(1, '$'))
+
++" this was leaving the end of the Visual area beyond the end of a line
++func Test_visual_ex_copy_line()
++ new
++ call setline(1, ["aaa", "bbbbbbbbbxbb"])
++ /x
++ exe "normal ggvjfxO"
++ t0
++ normal gNU
++ bwipe!
++endfunc
++
+
+ " linewise select mode: delete middle two lines
+ call deletebufline('', 1, '$')
+--
+1.8.3.1
+
diff --git a/backport-CVE-2022-0368.patch b/backport-CVE-2022-0368.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8f34f2264f5d5a02cc1cbaa2321a08231d03bba2
--- /dev/null
+++ b/backport-CVE-2022-0368.patch
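Review bot: The new test is inserted in the middle of `Test_linewise_select_mode()`: the hunk header names that function and the context after the insert (`" linewise select mode: delete middle two lines` / `call deletebufline('', 1, '$')`) is still its body, so `Test_visual_ex_copy_line` becomes a nested `:func` that only gets defined when the enclosing test executes. If the runner enumerates `Test_` functions after sourcing the file, the nested one is not defined yet and may never run, or may run only after the enclosing test has mutated the buffer; moving the whole `func ... endfunc` block after the enclosing `endfunc` removes the dependency. The test_visual.vim hunk in backport-CVE-2022-0368.patch adds `Test_visual_undo_deletes_last_line` at the same spot, inside the same enclosing function, and has the same problem.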
@@ -0,0 +1,55 @@
+From 8d02ce1ed75d008c34a5c9aaa51b67cbb9d33baa Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 25 Jan 2022 18:24:00 +0000
+Subject: [PATCH] patch 8.2.4217: illegal memory access when undo makes Visual
+ area invalid
+
+Problem: Illegal memory access when undo makes Visual area invalid.
+Solution: Correct the Visual area after undo.
+---
+ src/testdir/test_visual.vim | 15 +++++++++++++++
+ src/undo.c | 2 ++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index dbc28eb..cf7e351 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -670,6 +670,21 @@ func Test_visual_ex_copy_line()
+ bwipe!
+ endfunc
+
++" This was leaving the end of the Visual area beyond the end of a line.
++" Set 'undolevels' to start a new undo block.
++func Test_visual_undo_deletes_last_line()
++ new
++ call setline(1, ["aaa", "ccc", "dyd"])
++ set undolevels=100
++ exe "normal obbbbbbbbbxbb\"
++ set undolevels=100
++ /y
++ exe "normal ggvjfxO"
++ undo
++ normal gNU
++ bwipe!
++endfunc
++
+
+ " linewise select mode: delete middle two lines
+ call deletebufline('', 1, '$')
+diff --git a/src/undo.c b/src/undo.c
+index 54a6e1c..706dee9 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -2985,6 +2985,8 @@ u_undo_end(
+ }
+ }
+ #endif
++ if (VIsual_active)
++ check_pos(curbuf, &VIsual);
+
+ smsg_attr_keep(0, _("%ld %s; %s #%ld %s"),
+ u_oldcount < 0 ? -u_oldcount : u_oldcount,
+--
+1.8.3.1
+
diff --git a/backport-CVE-2022-0408.patch b/backport-CVE-2022-0408.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7267533c7ad98b8a02d576e754714f27abb7f1b4
--- /dev/null
+++ b/backport-CVE-2022-0408.patch
@@ -0,0 +1,92 @@
+From 06f15416bb8d5636200a10776f1752c4d6e49f31 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sat, 29 Jan 2022 10:51:59 +0000
+Subject: [PATCH] patch 8.2.4247: stack corruption when looking for spell
+ suggestions
+
+Problem: Stack corruption when looking for spell suggestions.
+Solution: Prevent the depth increased too much. Add a five second time
+limit to finding suggestions.
+---
+ src/spellsuggest.c | 17 +++++++++++++++--
+ src/testdir/test_spell.vim | 8 ++++++++
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/spellsuggest.c b/src/spellsuggest.c
+index 8615d52..a73e695 100644
+--- a/src/spellsuggest.c
++++ b/src/spellsuggest.c
+@@ -1187,7 +1187,7 @@ suggest_try_change(suginfo_T *su)
+
+ // Check the maximum score, if we go over it we won't try this change.
+ #define TRY_DEEPER(su, stack, depth, add) \
+- (stack[depth].ts_score + (add) < su->su_maxscore)
++ (depth < MAXWLEN && stack[depth].ts_score + (add) < su->su_maxscore)
+
+ /*
+ * Try finding suggestions by adding/removing/swapping letters.
+@@ -1259,6 +1259,9 @@ suggest_trie_walk(
+ char_u changename[MAXWLEN][80];
+ #endif
+ int breakcheckcount = 1000;
++#ifdef FEAT_RELTIME
++ proftime_T time_limit;
++#endif
+ int compound_ok;
+
+ // Go through the whole case-fold tree, try changes at each node.
+@@ -1303,6 +1306,11 @@ suggest_trie_walk(
+ sp->ts_state = STATE_START;
+ }
+ }
++#ifdef FEAT_RELTIME
++ // The loop may take an indefinite amount of time. Break out after five
++ // sectonds. TODO: add an option for the time limit.
++ profile_setlimit(5000, &time_limit);
++#endif
+
+ // Loop to find all suggestions. At each round we either:
+ // - For the current state try one operation, advance "ts_curi",
+@@ -1337,7 +1345,8 @@ suggest_trie_walk(
+
+ // At end of a prefix or at start of prefixtree: check for
+ // following word.
+- if (byts[arridx] == 0 || n == (int)STATE_NOPREFIX)
++ if (depth < MAXWLEN
++ && (byts[arridx] == 0 || n == (int)STATE_NOPREFIX))
+ {
+ // Set su->su_badflags to the caps type at this position.
+ // Use the caps type until here for the prefix itself.
+@@ -2630,6 +2639,10 @@ suggest_trie_walk(
+ {
+ ui_breakcheck();
+ breakcheckcount = 1000;
++#ifdef FEAT_RELTIME
++ if (profile_passed_limit(&time_limit))
++ got_int = TRUE;
++#endif
+ }
+ }
+ }
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index e435e91..271d034 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -427,6 +427,14 @@ func Test_spell_long_word()
+ set nospell
+ endfunc
+
++func Test_spellsuggest_too_deep()
++ " This was incrementing "depth" over MAXWLEN.
++ new
++ norm s000G00ý000000000000
++ sil norm ..vzG................vvzG0 v z=
++ bwipe!
++endfunc
++
+ func LoadAffAndDic(aff_contents, dic_contents)
+ set enc=latin1
+ set spellfile=
+--
+1.8.3.1
+
diff --git a/backport-CVE-2022-0413.patch b/backport-CVE-2022-0413.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dfc5fd41610f50f4c80b59cbaa939d99f85a1e21
--- /dev/null
+++ b/backport-CVE-2022-0413.patch
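Review bot: The new bound in `TRY_DEEPER` uses the macro argument bare, `depth < MAXWLEN`, while the neighbouring `(add)` is parenthesized; `(depth) < MAXWLEN` keeps the macro safe for an expression argument (the visible hunks only show `depth` passed as a plain identifier, so this is a robustness and style point rather than a live bug). The comment above `profile_setlimit(5000, &time_limit)` misspells `sectonds`, and signalling the timeout through `got_int = TRUE` makes a five-second limit indistinguishable from a user interrupt for whatever runs after suggest_trie_walk() returns — confirm the caller resets the flag, or extend the comment to say the reuse is intentional. suggest_trie_walk() begins and ends outside the hunks.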
@@ -0,0 +1,85 @@
+From 37f47958b8a2a44abc60614271d9537e7f14e51a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sat, 29 Jan 2022 14:21:51 +0000
+Subject: [PATCH] patch 8.2.4253: using freed memory when substitute with
+ function call
+
+Problem: Using freed memory when substitute uses a recursive function call.
+Solution: Make a copy of the substitute text.
+---
+ src/ex_cmds.c | 19 +++++++++++++++----
+ src/testdir/test_substitute.vim | 16 ++++++++++++++++
+ 2 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index cccdf47..aa97b40 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -3577,6 +3577,7 @@ do_sub(exarg_T *eap)
+ int save_do_all; // remember user specified 'g' flag
+ int save_do_ask; // remember user specified 'c' flag
+ char_u *pat = NULL, *sub = NULL; // init for GCC
++ char_u *sub_copy = NULL;
+ int delimiter;
+ int sublen;
+ int got_quit = FALSE;
+@@ -3866,11 +3867,20 @@ do_sub(exarg_T *eap)
+ sub_firstline = NULL;
+
+ /*
+- * ~ in the substitute pattern is replaced with the old pattern.
+- * We do it here once to avoid it to be replaced over and over again.
+- * But don't do it when it starts with "\=", then it's an expression.
++ * If the substitute pattern starts with "\=" then it's an expression.
++ * Make a copy, a recursive function may free it.
++ * Otherwise, '~' in the substitute pattern is replaced with the old
++ * pattern. We do it here once to avoid it to be replaced over and over
++ * again.
+ */
+- if (!(sub[0] == '\\' && sub[1] == '='))
++ if (sub[0] == '\\' && sub[1] == '=')
++ {
++ sub = vim_strsave(sub);
++ if (sub == NULL)
++ return;
++ sub_copy = sub;
++ }
++ else
+ sub = regtilde(sub, p_magic);
+
+ /*
+@@ -4670,6 +4680,7 @@ outofmem:
+ #endif
+
+ vim_regfree(regmatch.regprog);
++ vim_free(sub_copy);
+
+ // Restore the flag values, they can be used for ":&&". 
+ subflags.do_all = save_do_all;
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index c7532fb..3e6bc5c 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -745,3 +745,19 @@ func Test_sub_beyond_end()
+ call assert_equal('#', getline(1))
+ bwipe!
+ endfunc
++
++" This was using "old_sub" after it was freed.
++func Test_using_old_sub()
++ set compatible maxfuncdepth=10
++ new
++ call setline(1, 'some text.')
++ func Repl()
++ ~
++ s/
++ endfunc
++ silent! s/\%')/\=Repl()
++
++ delfunc Repl
++ bwipe!
++ set nocompatible
++endfunc
+--
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index b28d50e4db7380f4f86825c73a02cce0a0168cf9..6615a3c5af98313531d3269fe2b2d28940e4b979 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 14 +Release: 15 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org
@@ -58,6 +58,12 @@ Patch6024: backport-CVE-2022-0213.patch Patch6025: backport-CVE-2022-0261.patch Patch6026: backport-CVE-2022-0318.patch Patch6027: backport-vim-fix-garbled-characters-display-when-file-name-ma.patch +Patch6028: backport-CVE-2022-0351.patch +Patch6029: backport-CVE-2022-0408.patch +Patch6030: backport-CVE-2022-0361.patch +Patch6031: backport-CVE-2022-0359.patch +Patch6032: backport-CVE-2022-0413.patch +Patch6033: backport-CVE-2022-0368.patch Patch9000: bugfix-rm-modify-info-version.patch
@@ -446,6 +452,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Mon Feb 07 2022 shixuantong - 2:8.2-15 +- Type:CVE +- ID:CVE-2022-0351 CVE-2022-0361 CVE-2022-0408 CVE-2022-0359 CVE-2022-0368 CVE-2022-0413 +- SUG:NA +- DESC:fix CVE-2022-0351 CVE-2022-0361 CVE-2022-0408 CVE-2022-0359 CVE-2022-0368 CVE-2022-0413 + * Sun Jan 30 2022 yuanxin - 2:8.2-14 - Type:bugfix - ID:NA
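Review bot: The new `if (sub == NULL) return;` leaves do_sub() through a bare return instead of the `outofmem:` cleanup shown in the later hunk, which frees `regmatch.regprog`; if the pattern has already been compiled into `regmatch.regprog` by this point (the hunk does not show whether it has), an allocation failure here leaks it. Routing the failure through the existing cleanup (`goto outofmem;` if that label is reachable from here, otherwise freeing locally before the return) keeps the out-of-memory path consistent with the rest of the function; the `vim_free(sub_copy)` added at the end is correct since `sub_copy` stays NULL on the non-expression branch. do_sub() starts and ends outside the hunks.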
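Review bot: The six new Patch entries are not order-independent: backport-CVE-2022-0368.patch starts from test_visual.vim blob `dbc28eb` and backport-CVE-2022-0413.patch from ex_cmds.c blob `cccdf47`, and both blobs are produced by backport-CVE-2022-0361.patch (`3ed927a..dbc28eb`, `8f6444f..cccdf47`). The numbering Patch6030 < Patch6032 < Patch6033 satisfies that today, but nothing records it; a comment above the block such as `# CVE-2022-0361 must apply before CVE-2022-0413 and CVE-2022-0368 (they touch the same ex_cmds.c / test_visual.vim hunks)` would keep a later renumbering from turning into a reject at build time.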