diff --git a/backport-CVE-2022-1898.patch b/backport-CVE-2022-1898.patch new file mode 100644 index 0000000000000000000000000000000000000000..0390605e26177c5194a9050039b2bbf56b3e5449 --- /dev/null +++ b/backport-CVE-2022-1898.patch @@ -0,0 +1,57 @@ +From e2fa213cf571041dbd04ab0329303ffdc980678a Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 26 May 2022 16:32:44 +0100 +Subject: [PATCH] patch 8.2.5024: using freed memory with "]d" + +Problem: Using freed memory with "]d". +Solution: Copy the pattern before searching. + +--- + src/normal.c | 6 ++++++ + src/testdir/test_tagjump.vim | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/src/normal.c b/src/normal.c +index e9e587d..f122627 100644 +--- a/src/normal.c ++++ b/src/normal.c +@@ -4425,6 +4425,11 @@ nv_brackets(cmdarg_T *cap) + clearop(cap->oap); + else + { ++ // Make a copy, if the line was changed it will be freed. ++ ptr = vim_strnsave(ptr, len); ++ if (ptr == NULL) ++ return; ++ + find_pattern_in_path(ptr, 0, len, TRUE, + cap->count0 == 0 ? !isupper(cap->nchar) : FALSE, + ((cap->nchar & 0xf) == ('d' & 0xf)) ? FIND_DEFINE : FIND_ANY, +@@ -4433,6 +4438,7 @@ nv_brackets(cmdarg_T *cap) + islower(cap->nchar) ? ACTION_SHOW : ACTION_GOTO, + cap->cmdchar == ']' ? curwin->w_cursor.lnum + 1 : (linenr_T)1, + (linenr_T)MAXLNUM); ++ vim_free(ptr); + curwin->w_set_curswant = TRUE; + } + } +diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim +index 24df68f..c682682 100644 +--- a/src/testdir/test_tagjump.vim ++++ b/src/testdir/test_tagjump.vim +@@ -563,6 +563,12 @@ func Test_define_search() + sil norm o0 + sil! norm  + bwipe! ++ ++ new somefile +++ call setline(1, ['first line', '', '#define something 0']) +++ sil norm 0o0 +++ sil! norm ]d +++ bwipe! + endfunc + + " vim: shiftwidth=2 sts=2 expandtab +-- +2.27.0 + diff --git a/vim.spec b/vim.spec index 66763107f5da9625d540e6c71b9d9b6feecd5ba0..418f8ec418a0a8702106f1a986eea76cf038bcfc 100644 --- a/vim.spec +++ b/vim.spec 
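Review bot: In the src/testdir/test_tagjump.vim part of this backported patch, the four added lines after `new somefile` (`call setline(...)`, `sil norm 0o0`, `sil! norm ]d`, `bwipe!`) are shown with one more `+` than the two added lines before them. If the stored file really looks like that, they would land in the test beginning with a literal `+`, and the regression case for the use-after-free may not execute as intended. Each should carry a single inner marker like the `new somefile` line, e.g. `+  call setline(1, ['first line', '', '#define something 0'])` inside the patch. Whitespace on this page is collapsed, so confirm against the stored file before merging. In the normal.c part, the copy made by `vim_strnsave(ptr, len)` is released by `vim_free(ptr)` right after `find_pattern_in_path()`, but the rest of nv_brackets lies outside the two hunks.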
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 39
+Release: 40
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -113,6 +113,7 @@ Patch6076: backport-CVE-2022-1785.patch
 Patch6077: backport-CVE-2022-1851.patch
 Patch6078: backport-semicolon-search-dose-not-work-in-first-line.patch
 Patch6079: backport-CVE-2022-1927.patch
+Patch6080: backport-CVE-2022-1898.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -501,6 +502,12 @@ popd
 %{_mandir}/man1/evim.*
 %changelog
+* Wed Jun 15 2022 tianwei - 2:8.2-40
+- Type:CVE
+- ID:CVE-2022-1898
+- SUG:NA
+- DESC:fix CVE-2022-1898
+
 * Tue Jun 14 2022 renhongxun - 2:8.2-39
 - Type:CVE
 - ID:CVE-2022-1927