diff --git a/backport-CVE-2022-0319.patch b/backport-CVE-2022-0319.patch new file mode 100644 index 0000000000000000000000000000000000000000..8bb828f953b5c5b7a2aec5ccfe4018187f08042f --- /dev/null +++ b/backport-CVE-2022-0319.patch @@ -0,0 +1,65 @@ +From 05b27615481e72e3b338bb12990fb3e0c2ecc2a9 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 20 Jan 2022 13:32:50 +0000 +Subject: [PATCH] patch 8.2.4154: ml_get error when exchanging windows in + Visual mode + +Problem: ml_get error when exchanging windows in Visual mode. +Solution: Correct end of Visual area when entering another buffer + +Reference:https://github.com/vim/vim/commit/05b27615481e72e3b338bb12990fb3e0c2ecc2a9 +Conflict:NA +--- + src/testdir/test_visual.vim | 10 ++++++++++ + src/window.c | 7 ++++++- + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim +index fcf6473..4f8f056 100644 +--- a/src/testdir/test_visual.vim ++++ b/src/testdir/test_visual.vim +@@ -705,6 +705,16 @@ func Test_visual_undo_deletes_last_line() + bwipe! + endfunc + ++" this was causing an ml_get error ++func Test_visual_exchange_windows() ++ enew! ++ new ++ call setline(1, ['foo', 'bar']) ++ exe "normal G\gg\\OO\" ++ bwipe! ++ bwipe! ++endfunc ++ + func Test_visual_mode_put() + new + +diff --git a/src/window.c b/src/window.c +index 5b407d5..bb17167 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -1661,6 +1661,11 @@ win_exchange(long Prenum) + + (void)win_comp_pos(); // recompute window positions + ++ if (wp->w_buffer != curbuf) ++ reset_VIsual_and_resel(); ++ else if (VIsual_active) ++ wp->w_cursor = curwin->w_cursor; ++ + win_enter(wp, TRUE); + redraw_all_later(NOT_VALID); + } +@@ -5114,7 +5119,7 @@ frame_remove(frame_T *frp) + win_alloc_lines(win_T *wp) + { + wp->w_lines_valid = 0; +- wp->w_lines = ALLOC_CLEAR_MULT(wline_T, Rows ); ++ wp->w_lines = ALLOC_CLEAR_MULT(wline_T, Rows); + if (wp->w_lines == NULL) + return FAIL; + return OK; +-- +2.27.0 + diff --git a/backport-CVE-2022-0554.patch b/backport-CVE-2022-0554.patch new file mode 100644 index 0000000000000000000000000000000000000000..c1860e7c4c87bfa51ca6ab5780b60d8c84c4832f --- /dev/null +++ b/backport-CVE-2022-0554.patch @@ -0,0 +1,113 @@ +From e3537aec2f8d6470010547af28dcbd83d41461b8 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Tue, 8 Feb 2022 15:05:20 +0000 +Subject: [PATCH] patch 8.2.4327: may end up with no current buffer + +Problem: May end up with no current buffer. +Solution: When deleting the current buffer to not pick a quickfix buffer as + the new current buffer + +Reference:https://github.com/vim/vim/commit/e3537aec2f8d6470010547af28dcbd83d41461b8 +Conflict:NA +--- + src/buffer.c | 26 ++++++++++++++++++++++---- + src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++ + 2 files changed, 47 insertions(+), 4 deletions(-) + +diff --git a/src/buffer.c b/src/buffer.c +index e5f6a9b..3617c63 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -1520,8 +1520,14 @@ do_buffer( + buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum); + if (buf != NULL) + { +- if (buf == curbuf || !buf->b_p_bl) +- buf = NULL; // skip current and unlisted bufs ++ // Skip current and unlisted bufs. Also skip a quickfix ++ // buffer, it might be deleted soon. ++ if (buf == curbuf || !buf->b_p_bl ++#if defined(FEAT_QUICKFIX) ++ || bt_quickfix(buf) ++#endif ++ ) ++ buf = NULL; + else if (buf->b_ml.ml_mfp == NULL) + { + // skip unloaded buf, but may keep it for later +@@ -1558,7 +1564,11 @@ do_buffer( + continue; + } + // in non-help buffer, try to skip help buffers, and vv +- if (buf->b_help == curbuf->b_help && buf->b_p_bl) ++ if (buf->b_help == curbuf->b_help && buf->b_p_bl ++#if defined(FEAT_QUICKFIX) ++ && !bt_quickfix(buf) ++#endif ++ ) + { + if (buf->b_ml.ml_mfp != NULL) // found loaded buffer + break; +@@ -1576,7 +1586,11 @@ do_buffer( + if (buf == NULL) // No loaded buffer, find listed one + { + FOR_ALL_BUFFERS(buf) +- if (buf->b_p_bl && buf != curbuf) ++ if (buf->b_p_bl && buf != curbuf ++#if defined(FEAT_QUICKFIX) ++ && !bt_quickfix(buf) ++#endif ++ ) + break; + } + if (buf == NULL) // Still no buffer, just take one +@@ -1585,6 +1599,10 @@ do_buffer( + buf = curbuf->b_next; + else + buf = curbuf->b_prev; ++#if defined(FEAT_QUICKFIX) ++ if (bt_quickfix(buf)) ++ buf = NULL; ++#endif + } + } + +diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim +index 38a5236..72f3172 100644 +--- a/src/testdir/test_quickfix.vim ++++ b/src/testdir/test_quickfix.vim +@@ -325,6 +325,31 @@ func Test_copenHeight_tabline() + set tabline& showtabline& + endfunc + ++" Another sequence of commands that caused all buffers to be wiped out ++func Test_lopen_bwipe_all() ++ let lines =<< trim END ++ func R() ++ silent! tab lopen ++ e foo ++ silent! lfile ++ endfunc ++ cal R() ++ exe "norm \\0" ++ cal R() ++ bwipe ++ ++ call writefile(['done'], 'Xresult') ++ qall! ++ END ++ call writefile(lines, 'Xscript') ++ if RunVim([], [], '-u NONE -n -X -Z -e -m -s -S Xscript') ++ call assert_equal(['done'], readfile('Xresult')) ++ endif ++ ++ call delete('Xscript') ++ call delete('Xresult') ++endfunc ++ + + " Tests for the :cfile, :lfile, :caddfile, :laddfile, :cgetfile and :lgetfile + " commands. +-- +2.27.0 + diff --git a/vim.spec b/vim.spec index 10706772af0d66890ebf268650d823bbfd6d3cf9..eee7b7bfd374f755062593cf0af1a540c8e62b4d 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 26 +Release: 27 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -88,6 +88,8 @@ Patch6051: backport-CVE-2022-0572.patch Patch6052: backport-CVE-2022-0714.patch Patch6053: backport-CVE-2022-0729.patch Patch6054: backport-CVE-2022-0685.patch +Patch6055: backport-CVE-2022-0319.patch +Patch6056: backport-CVE-2022-0554.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -476,6 +478,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Mon Mar 21 2022 yuanxin - 2:8.2-27 +- Type:CVE +- ID:CVE-2022-0319 CVE-2022-0554 +- SUG:NA +- DESC:fix CVE-2022-0319 CVE-2022-0554 + * Wed Mar 09 2022 shixuantong - 2:8.2-26 - Type:CVE - ID:CVE-2022-0685 @@ -484,7 +492,7 @@ popd * Sat Mar 05 2022 yuanxin - 2:8.2-25 - Type:CVE -- ID:fix CVE-2022-0714 CVE-2022-0729 +- ID:CVE-2022-0714 CVE-2022-0729 - SUG:NA - DESC:fix CVE-2022-0714 CVE-2022-0729