From 828482a6cfc09ec36a3419399f9b6c13a021d715 Mon Sep 17 00:00:00 2001
From: shixuantong <1726671442@qq.com>
Date: Thu, 9 Jun 2022 10:09:32 +0800
Subject: [PATCH] fix CVE-2022-1796
---
 backport-CVE-2022-1796.patch | 54 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 +++++-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-1796.patch
diff --git a/backport-CVE-2022-1796.patch b/backport-CVE-2022-1796.patch
new file mode 100644
index 0000000..1118b30
--- /dev/null
+++ b/backport-CVE-2022-1796.patch
@@ -0,0 +1,54 @@
+From 28d032cc688ccfda18c5bbcab8b50aba6e18cde5 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 18 May 2022 16:29:08 +0100
+Subject: [PATCH] patch 8.2.4979: accessing freed memory when line is flushed
+
+Problem: Accessing freed memory when line is flushed.
+Solution: Make a copy of the pattern to search for.
+---
+ src/testdir/test_tagjump.vim | 9 +++++++++
+ src/window.c | 7 +++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index 14ba1f7..24df68f 100644
+--- a/src/testdir/test_tagjump.vim
++++ b/src/testdir/test_tagjump.vim
+@@ -556,4 +556,13 @@ func Test_tagline()
+ set tags&
+ endfunc
+ 
++func Test_define_search()
++ " this was accessing freed memory
++ new
++ call setline(1, ['first line', '', '#define something 0'])
++ sil norm o0
++ sil! norm 
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/window.c b/src/window.c
+index bb17167..ee2a374 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -554,9 +554,16 @@ wingotofile:
+ CHECK_CMDWIN;
+ if ((len = find_ident_under_cursor(&ptr, FIND_IDENT)) == 0)
+ break;
++
++ // Make a copy, if the line was changed it will be freed.
++ ptr = vim_strnsave(ptr, len);
++ if (ptr == NULL)
++ break;
++
+ find_pattern_in_path(ptr, 0, len, TRUE,
+ Prenum == 0 ? TRUE : FALSE, type,
+ Prenum1, ACTION_SPLIT, (linenr_T)1, (linenr_T)MAXLNUM);
++ vim_free(ptr);
+ curwin->w_set_curswant = TRUE;
+ break;
+ #endif
+--
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index 4fc8666..3cdc6df 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@ Name: vim
 Epoch: 2
 Version: 8.2
-Release: 28
+Release: 29
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
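Review bot: The added test line `++ sil! norm ` carries no visible key sequence after `norm`, yet it is the step that has to trigger the split-window identifier search implemented by the window.c part further down the hunk; presumably the original line holds a raw control character that this rendering dropped. Before merging, confirm the committed backport file is byte-identical to upstream 28d032cc688ccfda18c5bbcab8b50aba6e18cde5 at that line (for example `git apply --check` followed by running Test_define_search under the build's test target), because a test that lost its key bytes still passes while no longer exercising the freed-memory path. The window.c change itself is coherent: the copy made by `vim_strnsave` is released with `vim_free` after `find_pattern_in_path`, and the NULL branch breaks out before any use.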
@@ -94,6 +94,7 @@ Patch6060: backport-spell-test-fails-because-of-new-illegal-byte-check.patc
 Patch6061: backport-CVE-2022-1619.patch
 Patch6062: backport-CVE-2022-1733.patch
 Patch6063: backport-CVE-2022-1735.patch
+Patch6064: backport-CVE-2022-1796.patch
 Patch9000: bugfix-rm-modify-info-version.patch
 Patch9001: remove-failed-tests-due-to-patch.patch
@@ -496,6 +497,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Thu Jun 09 2022 shixuantong - 2:8.2-29
+- Type:CVE
+- ID:CVE-2022-1796
+- SUG:NA
+- DESC:fix CVE-2022-1796
+
 * Tue May 31 2022 shixuantong - 2:8.2-28
 - Type:CVE
 - ID:CVE-2022-1733 CVE-2022-1735
-- Gitee
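Review bot: `+Patch6064: backport-CVE-2022-1796.patch` only declares the patch; whether it is actually applied depends on the %prep section, which lies outside these hunks. If the spec applies patches with explicit `%patchNNNN -p1` lines rather than `%autosetup`, a matching `%patch6064 -p1` is also needed, otherwise the build silently ships without the fix while the changelog claims it. The changelog entry is consistent with the Release bump to 29 in the first vim.spec hunk.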