diff --git a/backport-CVE-2022-0392.patch b/backport-CVE-2022-0392.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b4f2c3ba2467906ba1de67fdb2ebc61a873ea22f
--- /dev/null
+++ b/backport-CVE-2022-0392.patch
@@ -0,0 +1,50 @@
+From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 25 Jan 2022 20:45:16 +0000
+Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
+ Ex mode
+
+Problem: Illegal memory access with bracketed paste in Ex mode.
+Solution: Reserve space for the trailing NUL.
+
+---
+ src/edit.c | 3 ++-
+ src/testdir/test_paste.vim | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/edit.c b/src/edit.c
+index c67f67c..3767769 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -4984,7 +4984,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ break;
+
+ case PASTE_EX:
+- if (gap != NULL && ga_grow(gap, idx) == OK)
++ // add one for the NUL that is going to be appended
++ if (gap != NULL && ga_grow(gap, idx + 1) == OK)
+ {
+ mch_memmove((char *)gap->ga_data + gap->ga_len,
+ buf, (size_t)idx);
+diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
+index c30140f..263f084 100644
+--- a/src/testdir/test_paste.vim
++++ b/src/testdir/test_paste.vim
+@@ -134,3 +134,14 @@ func Test_xrestore()
+
+ bwipe!
+ endfunc
++
++" bracketed paste in Ex-mode
++func Test_paste_ex_mode()
++ unlet! foo
++ call feedkeys("Qlet foo=\"\[200~foo\bar\[201~\"\vi\", 'xt')
++ call assert_equal("foo\rbar", foo)
++
++
++ " pasting more than 40 bytes
++ exe "norm Q\0000000000000000000000000000000000000000000000000000000000000000000000\"
++endfunc
+--
+2.27.0
+
diff --git a/backport-CVE-2022-0417.patch b/backport-CVE-2022-0417.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a96345952d7c5ba2397810f7e7d330e8d2e2e1ab
--- /dev/null
+++ b/backport-CVE-2022-0417.patch
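Review bot: The second half of `Test_paste_ex_mode` (the "pasting more than 40 bytes" case) makes no assertion, so it only catches a regression of the `ga_grow(gap, idx + 1)` fix when the suite runs under a memory checker such as ASan or valgrind; a plain run passes with or without the fix. It would help to say so in the test, e.g. `" no assert: only fails under ASan/valgrind if the NUL lands past the growarray`. As rendered here the `feedkeys()` and `exe "norm Q..."` strings also appear to have lost their key-notation tokens (the quotes no longer balance), so the committed patch file should be compared byte-for-byte with upstream 806d0376 before the test is relied on. In `src/edit.c` the NUL append that the new comment refers to lies outside the hunk, so the claim that one spare byte is enough cannot be confirmed from these lines alone.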
@@ -0,0 +1,117 @@
+From 652dee448618589de5528a9e9a36995803f5557a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Fri, 28 Jan 2022 20:47:49 +0000
+Subject: [PATCH] patch 8.2.4245: ":retab 0" may cause illegal memory access
+
+Problem: ":retab 0" may cause illegal memory access.
+Solution: Limit the value of 'tabstop' to 10000.
+
+---
+ src/indent.c | 4 ++--
+ src/option.c | 16 +++++++++-------
+ src/testdir/test_options.vim | 2 ++
+ src/vim.h | 2 ++
+ 4 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/src/indent.c b/src/indent.c
+index 7d04373..e8e93b9 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -71,7 +71,7 @@ tabstop_set(char_u *var, int **array)
+ int n = atoi((char *)cp);
+
+ // Catch negative values, overflow and ridiculous big values.
+- if (n < 0 || n > 9999)
++ if (n < 0 || n > TABSTOP_MAX)
+ {
+ semsg(_(e_invarg2), cp);
+ vim_free(*array);
+@@ -1590,7 +1590,7 @@ ex_retab(exarg_T *eap)
+ emsg(_(e_positive));
+ return;
+ }
+- if (new_ts < 0 || new_ts > 9999)
++ if (new_ts < 0 || new_ts > TABSTOP_MAX)
+ {
+ semsg(_(e_invarg2), eap->arg);
+ return;
+diff --git a/src/option.c b/src/option.c
+index e9598d6..382b01b 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -3557,6 +3557,11 @@ set_num_option(
+ errmsg = e_positive;
+ curbuf->b_p_ts = 8;
+ }
++ else if (curbuf->b_p_ts > TABSTOP_MAX)
++ {
++ errmsg = e_invalid_argument;
++ curbuf->b_p_ts = 8;
++ }
+ if (p_tm < 0)
+ {
+ errmsg = e_positive;
+@@ -5758,7 +5763,7 @@ buf_copy_options(buf_T *buf, int flags)
+ if (p_vsts && p_vsts != empty_option)
+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ else
+- buf->b_p_vsts_array = 0;
++ buf->b_p_vsts_array = NULL;
+ buf->b_p_vsts_nopaste = p_vsts_nopaste
+ ? vim_strsave(p_vsts_nopaste) : NULL;
+ #endif
+@@ -6583,9 +6588,7 @@ paste_option_changed(void)
+ if (buf->b_p_vsts)
+ free_string_option(buf->b_p_vsts);
+ buf->b_p_vsts = empty_option;
+- if (buf->b_p_vsts_array)
+- vim_free(buf->b_p_vsts_array);
+- buf->b_p_vsts_array = 0;
++ VIM_CLEAR(buf->b_p_vsts_array);
+ #endif
+ }
+
+@@ -6631,12 +6634,11 @@ paste_option_changed(void)
+ free_string_option(buf->b_p_vsts);
+ buf->b_p_vsts = buf->b_p_vsts_nopaste
+ ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
+- if (buf->b_p_vsts_array)
+- vim_free(buf->b_p_vsts_array);
++ vim_free(buf->b_p_vsts_array);
+ if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ else
+- buf->b_p_vsts_array = 0;
++ buf->b_p_vsts_array = NULL;
+ #endif
+ }
+
+diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
+index 65600ee..d4213c1 100644
+--- a/src/testdir/test_options.vim
++++ b/src/testdir/test_options.vim
+@@ -263,6 +263,8 @@ func Test_set_errors()
+ call assert_fails('set shiftwidth=-1', 'E487:')
+ call assert_fails('set sidescroll=-1', 'E487:')
+ call assert_fails('set tabstop=-1', 'E487:')
++ call assert_fails('set tabstop=10000', 'E474:')
++ call assert_fails('set tabstop=5500000000', 'E474:')
+ call assert_fails('set textwidth=-1', 'E487:')
+ call assert_fails('set timeoutlen=-1', 'E487:')
+ call assert_fails('set updatecount=-1', 'E487:')
+diff --git a/src/vim.h b/src/vim.h
+index 68e2de1..cd917a3 100644
+--- a/src/vim.h
++++ b/src/vim.h
+@@ -2031,6 +2031,8 @@ typedef int sock_T;
+
+ #define DICT_MAXNEST 100 // maximum nesting of lists and dicts
+
++#define TABSTOP_MAX 9999
++
+ #ifdef FEAT_CLIPBOARD
+
+ // VIM_ATOM_NAME is the older Vim-specific selection type for X11. Still
+--
+2.27.0
+
diff --git a/backport-CVE-2022-0443.patch b/backport-CVE-2022-0443.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c2f351fa1b94d5d8d555aaa87d22ca1d63c28e48
--- /dev/null
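Review bot: In `tabstop_set()` the new `n > TABSTOP_MAX` bound is still applied to `int n = atoi((char *)cp);`, and `atoi` has undefined behaviour when the digits do not fit in an `int`, so the comment's promise to catch overflow depends on what the C library happens to return for an over-long digit string. Parsing with `long n = strtol((char *)cp, &end, 10);` (with `errno` cleared first) and doing the range test on the `long` before narrowing would make the limit hold for any input length. The commit text says the limit is 10000 while `TABSTOP_MAX` is 9999 and the new test rejects 10000, so the define in `src/vim.h` would benefit from a comment such as `// largest accepted value for 'tabstop' and 'vartabstop'`. `tabstop_set()` and `ex_retab()` both continue outside their hunks, so how `n` and `new_ts` are used after the check is not visible here.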
+++ b/backport-CVE-2022-0443.patch 
@@ -0,0 +1,91 @@
+From 9b4a80a66544f2782040b641498754bcb5b8d461 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 1 Feb 2022 13:54:17 +0000
+Subject: [PATCH] patch 8.2.4281: using freed memory with :lopen and :bwipe
+
+Problem: Using freed memory with :lopen and :bwipe.
+Solution: Do not use a wiped out buffer.
+---
+ src/buffer.c | 14 ++++++++++----
+ src/testdir/test_quickfix.vim | 16 ++++++++++++++++
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index b4992dd..0f4957d 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -1666,6 +1666,7 @@ set_curbuf(buf_T *buf, int action)
+ #endif
+ bufref_T newbufref;
+ bufref_T prevbufref;
++ int valid;
+
+ setpcmark();
+ if (!cmdmod.keepalt)
+@@ -1717,13 +1718,19 @@ set_curbuf(buf_T *buf, int action)
+ // An autocommand may have deleted "buf", already entered it (e.g., when
+ // it did ":bunload") or aborted the script processing.
+ // If curwin->w_buffer is null, enter_buffer() will make it valid again
+- if ((buf_valid(buf) && buf != curbuf
++ valid = buf_valid(buf);
++ if ((valid && buf != curbuf
+ #ifdef FEAT_EVAL
+ && !aborting()
+ #endif
+ ) || curwin->w_buffer == NULL)
+ {
+- enter_buffer(buf);
++ // If the buffer is not valid but curwin->w_buffer is NULL we must
++ // enter some buffer. Using the last one is hopefully OK.
++ if (!valid)
++ enter_buffer(lastbuf);
++ else
++ enter_buffer(buf);
+ #ifdef FEAT_SYN_HL
+ if (old_tw != curbuf->b_p_tw)
+ check_colorcolumn(curwin);
+@@ -2236,8 +2243,7 @@ free_buf_options(
+ clear_string_option(&buf->b_p_vsts);
+ vim_free(buf->b_p_vsts_nopaste);
+ buf->b_p_vsts_nopaste = NULL;
+- vim_free(buf->b_p_vsts_array);
+- buf->b_p_vsts_array = NULL;
++ VIM_CLEAR(buf->b_p_vsts_array);
+ clear_string_option(&buf->b_p_vts);
+ VIM_CLEAR(buf->b_p_vts_array);
+ #endif
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index f7c73f4..38a5236 100644
+--- a/src/testdir/test_quickfix.vim
++++ b/src/testdir/test_quickfix.vim
+@@ -876,6 +876,7 @@ func Test_locationlist_curwin_was_closed()
+ call assert_fails('lrewind', 'E924:')
+
+ augroup! testgroup
++ delfunc R
+ endfunc
+
+ func Test_locationlist_cross_tab_jump()
+@@ -4674,4 +4675,19 @@ func Test_search_in_dirstack()
+ call delete('Xtestdir', 'rf')
+ endfunc
+
++" Weird sequence of commands that caused entering a wiped-out buffer
++func Test_lopen_bwipe()
++ func R()
++ silent! tab lopen
++ e x
++ silent! lfile
++ endfunc
++
++ cal R()
++ cal R()
++ cal R()
++ bw!
++ delfunc R
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.27.0
+
diff --git a/backport-invalid-argument-errmsg.patch b/backport-invalid-argument-errmsg.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a3f1c977a573365d2cd21d6933f4f60f31918928
--- /dev/null
+++ b/backport-invalid-argument-errmsg.patch
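Review bot: The new fallback `enter_buffer(lastbuf);` in `set_curbuf()` runs exactly when `buf` has failed `buf_valid()` and `curwin->w_buffer` is NULL, yet `lastbuf` itself is passed on unchecked and the accompanying comment only says this is "hopefully OK". Nothing in the hunk shows that `lastbuf` is non-NULL and is not the buffer the autocommand has just wiped, so the invariant should be asserted or at least written down, for example `// lastbuf is expected to be non-NULL and valid here; confirm against the buffer-list handling` replaced by the actual guarantee once verified. `set_curbuf()` starts and ends outside the hunk, so this needs checking against the full body. `Test_lopen_bwipe` contains no assertions, so it demonstrates the use-after-free fix only when the suite is run under ASan or valgrind.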
@@ -0,0 +1,27 @@
+From 436b5adc9770a2568209dd5ab1f98bd1afc91898 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Fri, 31 Dec 2021 22:49:24 +0000
+Subject: [PATCH] patch 8.2.3961: error messages are spread out
+
+Problem: Error messages are spread out.
+Solution: Move more errors to errors.h.
+
+---
+ src/globals.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/globals.h b/src/globals.h
+index 75092b7..45d9111 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1453,6 +1453,7 @@ EXTERN char e_abort[] INIT(= N_("E470: Command aborted"));
+ EXTERN char e_argreq[] INIT(= N_("E471: Argument required"));
+ EXTERN char e_cannot_change_arglist_recursively[] INIT(= N_("E1156: Cannot change the argument list recursively"));
+ EXTERN char e_backslash[] INIT(= N_("E10: \\ should be followed by /, ? or &"));
++EXTERN char e_invalid_argument[] INIT(= N_("E474: Invalid argument"));
+ #ifdef FEAT_CMDWIN
+ EXTERN char e_cmdwin[] INIT(= N_("E11: Invalid in command-line window; executes, CTRL-C quits"));
+ #endif
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index b71798add71c27c645194a38c2d76d6d35f95a3b..3d49fdc6520a3e4ce7a9ef30b8b37bf3dff01590 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 21 +Release: 22 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org
@@ -68,6 +68,10 @@ Patch6030: backport-CVE-2022-0361.patch Patch6031: backport-CVE-2022-0359.patch Patch6032: backport-CVE-2022-0413.patch Patch6033: backport-CVE-2022-0368.patch +Patch6034: backport-CVE-2022-0443.patch +Patch6035: backport-CVE-2022-0392.patch +Patch6036: backport-invalid-argument-errmsg.patch +Patch6037: backport-CVE-2022-0417.patch Patch9000: bugfix-rm-modify-info-version.patch
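Review bot: The header of backport-invalid-argument-errmsg.patch keeps upstream's hash, subject and "Move more errors to errors.h" description, but the diff adds a single `e_invalid_argument` line to `src/globals.h` and touches no errors.h, so anyone auditing the package against upstream 436b5adc will find that the content does not match the stated commit. A line in the description such as `Backport note: only the e_invalid_argument definition is taken; required by backport-CVE-2022-0417.patch` would record both the trimming and the ordering dependency (Patch6036 has to stay ahead of Patch6037 in vim.spec). The tree evidently still uses the older message names (`e_invarg2` appears in the indent.c hunk of the 0417 backport), so it is worth checking whether an E474 string is already defined under another name before a second copy is added.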
@@ -456,6 +460,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Sun May 22 2022 extinctfire - 2:8.2-22 +- Type:CVE +- ID:CVE-2022-0443 CVE-2022-0392 CVE-2022-0417 +- SUG:NA +- DESC:fix CVE-2022-0443 CVE-2022-0392 CVE-2022-0417 + * Wed Apr 27 2022 extinctfire - 2:8.2-21 - Type:CVE - ID:CVE-2022-0351 CVE-2022-0361 CVE-2022-0408 CVE-2022-0359 CVE-2022-0368 CVE-2022-0413