From 6e4c716c53348caa7ba5b6c1dae28d39e543ecba Mon Sep 17 00:00:00 2001
From: shixuantong <1726671442@qq.com>
Date: Thu, 9 Jun 2022 10:14:15 +0800
Subject: [PATCH] fix CVE-2022-1796

---
 backport-CVE-2022-1796.patch | 54 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 +++++-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-1796.patch

diff --git a/backport-CVE-2022-1796.patch b/backport-CVE-2022-1796.patch
new file mode 100644
index 0000000..1118b30
--- /dev/null
+++ b/backport-CVE-2022-1796.patch
@@ -0,0 +1,54 @@
+From 28d032cc688ccfda18c5bbcab8b50aba6e18cde5 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 18 May 2022 16:29:08 +0100
+Subject: [PATCH] patch 8.2.4979: accessing freed memory when line is flushed
+
+Problem: Accessing freed memory when line is flushed.
+Solution: Make a copy of the pattern to search for.
+---
+ src/testdir/test_tagjump.vim | 9 +++++++++
+ src/window.c | 7 +++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index 14ba1f7..24df68f 100644
+--- a/src/testdir/test_tagjump.vim
++++ b/src/testdir/test_tagjump.vim
+@@ -556,4 +556,13 @@ func Test_tagline()
+ set tags&
+ endfunc
+ 
++func Test_define_search()
++ " this was accessing freed memory
++ new
++ call setline(1, ['first line', '', '#define something 0'])
++ sil norm o0
++ sil! norm 
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/window.c b/src/window.c
+index bb17167..ee2a374 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -554,9 +554,16 @@ wingotofile:
+ CHECK_CMDWIN;
+ if ((len = find_ident_under_cursor(&ptr, FIND_IDENT)) == 0)
+ break;
++
++ // Make a copy, if the line was changed it will be freed.
++ ptr = vim_strnsave(ptr, len);
++ if (ptr == NULL)
++ break;
++
+ find_pattern_in_path(ptr, 0, len, TRUE,
+ Prenum == 0 ? TRUE : FALSE, type,
+ Prenum1, ACTION_SPLIT, (linenr_T)1, (linenr_T)MAXLNUM);
++ vim_free(ptr);
+ curwin->w_set_curswant = TRUE;
+ break;
+ #endif
+-- 
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index 4bf233a..416add2 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 35
+Release: 36
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
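Review bot: The regression test line `++ sil! norm ` in Test_define_search appears to carry its window-command keystrokes as raw control characters that are not visible here; if those bytes were stripped when the upstream patch was copied into the package, the test still passes but no longer drives the find_pattern_in_path path that CVE-2022-1796 is about. Check the committed patch file with `cat -v` for the expected control sequence, or make the test transport-safe by spelling the keys out, e.g. `sil! exe "norm \<C-W>d"`, using the exact sequence from upstream 8.2.4979. On the C side the fix reuses `ptr` for the heap copy, so after `vim_free(ptr)` the variable holds a dangling pointer in the enclosing function (presumably do_window(), whose body starts and ends outside the hunk); a dedicated local such as `char_u *pat = vim_strnsave(ptr, len);` passed to find_pattern_in_path and released with `vim_free(pat);` would keep the borrowed line pointer and the owned copy distinct. The NULL return falls through to `break` without a message, which is fine only if vim_strnsave's allocator already reports out-of-memory at this patch level — worth a one-line comment saying so.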
@@ -106,6 +106,7 @@ Patch6069: backport-command-line-editing-not-sufficiently-tested.patch Patch6070: backport-CVE-2022-1619.patch Patch6071: backport-CVE-2022-1733.patch Patch6072: backport-CVE-2022-1735.patch +Patch6073: backport-CVE-2022-1796.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -494,6 +495,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Thu Jun 09 2022 shixuantong - 2:8.2-36 +- Type:CVE +- ID:CVE-2022-1796 +- SUG:NA +- DESC:fix CVE-2022-1796 + * Tue May 31 2022 shixuantong - 2:8.2-35 - Type:CVE - ID:CVE-2022-1733 CVE-2022-1735 -- Gitee