From e1a6446135f41a2395499af592079cc656317531 Mon Sep 17 00:00:00 2001
From: weiwei_tiantian
Date: Wed, 15 Jun 2022 08:57:10 +0800
Subject: [PATCH 1/2] fix CVE-2022-1898
---
backport-CVE-2022-1898.patch | 54 ++++++++++++++++++++++++++++++++++++
vim.spec | 9 +++++-
2 files changed, 62 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2022-1898.patch
diff --git a/backport-CVE-2022-1898.patch b/backport-CVE-2022-1898.patch
new file mode 100644
index 0000000..217cd2d
--- /dev/null
+++ b/backport-CVE-2022-1898.patch
@@ -0,0 +1,54 @@
+From c3eed57a9c6c75b9c2b832450b68716f6355ca74 Mon Sep 17 00:00:00 2001
+From: root
+Date: Tue, 14 Jun 2022 17:18:25 +0800
+Subject: [PATCH] backport-CVE-2022-1898
+
+---
+ src/normal.c | 6 ++++++
+ src/testdir/test_tagjump.vim | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/normal.c b/src/normal.c
+index e9e587d..f122627 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -4425,6 +4425,11 @@ nv_brackets(cmdarg_T *cap)
+ clearop(cap->oap);
+ else
+ {
++ // Make a copy, if the line was changed it will be freed.
++ ptr = vim_strnsave(ptr, len);
++ if (ptr == NULL)
++ return;
++
+ find_pattern_in_path(ptr, 0, len, TRUE,
+ cap->count0 == 0 ? !isupper(cap->nchar) : FALSE,
+ ((cap->nchar & 0xf) == ('d' & 0xf)) ? FIND_DEFINE : FIND_ANY,
+@@ -4433,6 +4438,7 @@ nv_brackets(cmdarg_T *cap)
+ islower(cap->nchar) ? ACTION_SHOW : ACTION_GOTO,
+ cap->cmdchar == ']' ? curwin->w_cursor.lnum + 1 : (linenr_T)1,
+ (linenr_T)MAXLNUM);
++ vim_free(ptr);
+ curwin->w_set_curswant = TRUE;
+ }
+ }
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index 24df68f..c682682 100644
+--- a/src/testdir/test_tagjump.vim
++++ b/src/testdir/test_tagjump.vim
+@@ -563,6 +563,12 @@ func Test_define_search()
+ sil norm o0
+ sil! norm
+ bwipe!
++
++ new somefile
+++ call setline(1, ['first line', '', '#define something 0'])
+++ sil norm 0o0
+++ sil! norm ]d
+++ bwipe!
+ endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 6676310..418f8ec 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
Name: vim
Epoch: 2
Version: 8.2
-Release: 39
+Release: 40
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
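Review bot: In the nested test_tagjump.vim hunk the added test lines after `++ new somefile` carry three leading `+` signs (`+++ call setline(1, ...)`, `+++ sil norm 0o0`, `+++ sil! norm ]d`, `+++ bwipe!`) while `++ new somefile` carries two, so once the outer `+` is stripped the inner patch would insert those lines into the test file with a literal leading `+` — unless this is an artifact of how the page was rendered, which cannot be ruled out from here. Since that regression test is what demonstrates the freed-memory access is gone, the committed patch file should be compared against upstream patch 8.2.5024 (the commit PATCH 2/2 re-attributes it to) before it ships. The normal.c part looks right: `ptr` is copied with `vim_strnsave` before `find_pattern_in_path` can free the line and released with `vim_free` afterwards, and the `if (ptr == NULL) return;` path simply skips the search. nv_brackets begins and ends outside this hunk.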
@@ -113,6 +113,7 @@ Patch6076: backport-CVE-2022-1785.patch
Patch6077: backport-CVE-2022-1851.patch
Patch6078: backport-semicolon-search-dose-not-work-in-first-line.patch
Patch6079: backport-CVE-2022-1927.patch
+Patch6080: backport-CVE-2022-1898.patch
Patch9000: bugfix-rm-modify-info-version.patch
@@ -501,6 +502,12 @@ popd
%{_mandir}/man1/evim.*
%changelog
+* Wed Jun 15 2022 tianwei - 2:8.2-40
+- Type:CVE
+- ID:CVE-2022-1898
+- SUG:NA
+- DESC:fix CVE-2022-1898
+
* Tue Jun 14 2022 renhongxun - 2:8.2-39
- Type:CVE
- ID:CVE-2022-1927
--
Gitee
From 7897760d38110d046154d2afd045bc7a86993f08 Mon Sep 17 00:00:00 2001
From: tianwei
Date: Wed, 15 Jun 2022 09:04:15 +0000
Subject: [PATCH 2/2] update backport-CVE-2022-1898.patch.
---
backport-CVE-2022-1898.patch | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/backport-CVE-2022-1898.patch b/backport-CVE-2022-1898.patch
index 217cd2d..0390605 100644
--- a/backport-CVE-2022-1898.patch
+++ b/backport-CVE-2022-1898.patch
@@ -1,7 +1,10 @@
-From c3eed57a9c6c75b9c2b832450b68716f6355ca74 Mon Sep 17 00:00:00 2001
-From: root
-Date: Tue, 14 Jun 2022 17:18:25 +0800
-Subject: [PATCH] backport-CVE-2022-1898
+From e2fa213cf571041dbd04ab0329303ffdc980678a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 26 May 2022 16:32:44 +0100
+Subject: [PATCH] patch 8.2.5024: using freed memory with "]d"
+
+Problem: Using freed memory with "]d".
+Solution: Copy the pattern before searching.
---
src/normal.c | 6 ++++++
--
Gitee