diff --git a/backport-CVE-2022-1897.patch b/backport-CVE-2022-1897.patch
new file mode 100644
index 0000000000000000000000000000000000000000..77a67cc42044faa50c47835ace3a41728abcbb64
--- /dev/null
+++ b/backport-CVE-2022-1897.patch
@@ -0,0 +1,139 @@
+From 338f1fc0ee3ca929387448fe464579d6113fa76a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 26 May 2022 15:56:23 +0100
+Subject: [PATCH] patch 8.2.5023: substitute overwrites allocated buffer
+
+Problem: Substitute overwrites allocated buffer.
+Solution: Disallow undo when in a substitute command.
+---
+ src/normal.c | 42 ++++++++++++++++++++---------------------
+ src/testdir/test_substitute.vim | 23 ++++++++++++++++++++++
+ src/undo.c | 6 ++++++
+ 3 files changed, 50 insertions(+), 21 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index 71c05bb..e294706 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -161,6 +161,22 @@ typedef void (*nv_func_T)(cmdarg_T *cap);
+ */
+ 
+ /*
++ * If currently editing a cmdline or text is locked: beep and give an error
++ * message, return TRUE.
++ */
++ static int
++check_text_locked(oparg_T *oap)
++{
++ if (text_locked())
++ {
++ clearopbeep(oap);
++ text_locked_msg();
++ return TRUE;
++ }
++ return FALSE;
++}
++
++/*
+ * This table contains one entry for every Normal or Visual mode command.
+ * The order doesn't matter, init_normal_cmds() will create a sorted index.
+ * It is faster when all keys from zero to '~' are present.
+@@ -738,14 +754,9 @@ getcount:
+ goto normal_end;
+ }
+ 
+- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+- {
+- // This command is not allowed while editing a cmdline: beep.
+- clearopbeep(oap);
+- text_locked_msg();
+- goto normal_end;
+- }
+- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
++ if ((nv_cmds[idx].cmd_flags & NV_NCW)
++ && (check_text_locked(oap) || curbuf_locked()))
++ // this command is not allowed now
+ goto normal_end;
+ 
+ /*
+@@ -4155,12 +4166,8 @@ nv_gotofile(cmdarg_T *cap)
+ char_u *ptr;
+ linenr_T lnum = -1;
+ 
+- if (text_locked())
+- {
+- clearopbeep(cap->oap);
+- text_locked_msg();
++ if (check_text_locked(cap->oap))
+ return;
+- }
+ if (curbuf_locked())
+ {
+ clearop(cap->oap);
+@@ -6288,14 +6295,7 @@ nv_g_cmd(cmdarg_T *cap)
+ 
+ // "gQ": improved Ex mode
+ case 'Q':
+- if (text_locked())
+- {
+- clearopbeep(cap->oap);
+- text_locked_msg();
+- break;
+- }
+-
+- if (!checkclearopq(oap))
++ if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ do_exmode(TRUE);
+ break;
+ 
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 3450c4f..b1d1bde 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -801,3 +801,26 @@ func Test_sub_open_cmdline_win()
+ call delete('Xscript')
+ call delete('Xresult')
+ endfunc
++
++" This was undoign a change in between computing the length and using it.
++func Do_Test_sub_undo_change()
++ new
++ norm o0000000000000000000000000000000000000000000000000000
++ silent! s/\%')/\=Repl()
++ bwipe!
++endfunc
++
++func Test_sub_undo_change()
++ func Repl()
++ silent! norm g-
++ endfunc
++ call Do_Test_sub_undo_change()
++
++ func! Repl()
++ silent earlier
++ endfunc
++ call Do_Test_sub_undo_change()
++
++ delfunc Repl
++endfunc
++
+diff --git a/src/undo.c b/src/undo.c
+index 3dcf277..b3a91b5 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -2283,6 +2283,12 @@ undo_time(
+ int above = FALSE;
+ int did_undo = TRUE;
+ 
++ if (text_locked())
++ {
++ text_locked_msg();
++ return;
++ }
++
+ // First make sure the current undoable change is synced.
+ if (curbuf->b_u_synced == FALSE)
+ u_sync(TRUE);
+-- 
+1.8.3.1
+
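Review bot: The new guard at the top of `undo_time()` in the src/undo.c hunk carries no comment saying why undo is refused while text is locked; the only explanation is the patch header and the test comment ("undoing a change in between computing the length and using it"), which a reader of undo.c will not see. Because this file is a verbatim upstream commit I would keep its body byte-identical, but the reason should be recorded where the check lives, e.g. `// Undo is not allowed while text is locked (e.g. inside a substitute with a "\=" expression): changing the line here invalidates the length the substitute already computed.` in a follow-up patch. Note that `check_text_locked()` in normal.c beeps before reporting while the `undo_time()` guard only calls `text_locked_msg()`; that asymmetry is upstream behaviour and presumably deliberate for Ex commands, but it is worth knowing when triaging reports. `undo_time()` continues well past the end of the hunk, so the guard's interaction with the rest of the function cannot be checked here.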
diff --git a/backport-CVE-2022-1968.patch b/backport-CVE-2022-1968.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b25b827b5459ee5ff000a06a1574871117bf7f29
--- /dev/null
+++ b/backport-CVE-2022-1968.patch
@@ -0,0 +1,89 @@
+From 409510c588b1eec1ae33511ae97a21eb8e110895 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 1 Jun 2022 15:23:13 +0100
+Subject: [PATCH] patch 8.2.5050: using freed memory when searching for pattern
+ in path
+
+Problem: Using freed memory when searching for pattern in path.
+Solution: Make a copy of the line.
+---
+ src/search.c | 21 ++++++++++++++++++---
+ src/testdir/test_tagjump.vim | 11 +++++++++++
+ 2 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/src/search.c b/src/search.c
+index 75f0c59..701a8ed 100644
+--- a/src/search.c
++++ b/src/search.c
+@@ -5143,6 +5143,21 @@ search_stat(
+ }
+ 
+ #if defined(FEAT_FIND_ID) || defined(PROTO)
++
++/*
++ * Get line "lnum" and copy it into "buf[LSIZE]".
++ * The copy is made because the regexp may make the line invalid when using a
++ * mark.
++ */
++ static char_u *
++get_line_and_copy(linenr_T lnum, char_u *buf)
++{
++ char_u *line = ml_get(lnum);
++
++ vim_strncpy(buf, line, LSIZE - 1);
++ return buf;
++}
++
+ /*
+ * Find identifiers or defines in included files.
+ * If p_ic && (compl_cont_status & CONT_SOL) then ptr must be in lowercase.
+@@ -5245,7 +5260,7 @@ find_pattern_in_path(
+ end_lnum = curbuf->b_ml.ml_line_count;
+ if (lnum > end_lnum) // do at least one line
+ lnum = end_lnum;
+- line = ml_get(lnum);
++ line = get_line_and_copy(lnum, file_line);
+ 
+ for (;;)
+ {
+@@ -5573,7 +5588,7 @@ search_line:
+ {
+ if (lnum >= end_lnum)
+ goto exit_matched;
+- line = ml_get(++lnum);
++ line = get_line_and_copy(++lnum, file_line);
+ }
+ else if (vim_fgets(line = file_line,
+ LSIZE, files[depth].fp))
+@@ -5783,7 +5798,7 @@ exit_matched:
+ {
+ if (++lnum > end_lnum)
+ break;
+- line = ml_get(lnum);
++ line = get_line_and_copy(lnum, file_line);
+ }
+ already = NULL;
+ }
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index 0eb9491..9e08a49 100644
+--- a/src/testdir/test_tagjump.vim
++++ b/src/testdir/test_tagjump.vim
+@@ -571,4 +571,15 @@ func Test_define_search()
+ bwipe!
+ endfunc
+ 
++" this was using a line from ml_get() freed by the regexp
++func Test_isearch_copy_line()
++ new
++ norm o
++ norm 0
++ 0norm o
++ sil! norm bc0
++ sil! isearch \%')
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index 3bf08695c67edaac3c4411b2cc80b930e980f831..9560a25572a68c9ea76b4eaf97941dfd7090daae 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 33
+Release: 34
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -107,6 +107,8 @@ Patch6073: backport-CVE-2022-1851.patch
 Patch6074: backport-CVE-2022-1898.patch
 Patch6075: backport-CVE-2022-1942.patch
 Patch6076: backport-fix-test-failed.patch
+Patch6077: backport-CVE-2022-1897.patch
+Patch6078: backport-CVE-2022-1968.patch
 
 Patch9000: bugfix-rm-modify-info-version.patch
 Patch9001: remove-failed-tests-due-to-patch.patch
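Review bot: `get_line_and_copy()` copies at most `LSIZE - 1` bytes with `vim_strncpy()`, so a buffer line longer than that is now silently truncated before `find_pattern_in_path()` matches it, whereas the replaced `ml_get()` result exposed the whole line; the commit does not document this behaviour change. It does mirror the `vim_fgets(line = file_line, LSIZE, ...)` path used for included files, so it is probably acceptable, but the helper's comment should state it, e.g. `* Lines longer than LSIZE - 1 bytes are truncated, like lines read from included files.` The three replaced call sites assume `file_line` is a writable buffer of at least LSIZE bytes; its allocation and the start of `find_pattern_in_path()` lie outside the hunk, so that cannot be confirmed here. As this is a verbatim upstream commit, any such wording belongs in a follow-up patch rather than an edit of the backport.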
@@ -509,6 +511,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Sat Jun 18 202 shixuantong - 2:8.2-34
+- Type:CVE
+- ID:CVE-2022-1897 CVE-2022-1968
+- SUG:NA
+- DESC:fix CVE-2022-1897 CVE-2022-1968
+
 * Wed Jun 15 2022 tianwei - 2:8.2-33
 - Type:CVE
 - ID:CVE-2022-1851 CVE-2022-1898 CVE-2022-1942
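Review bot: The year in the new changelog entry is `202` (`* Sat Jun 18 202 shixuantong - 2:8.2-34`); rpmbuild validates %changelog dates and, as far as I recall, rejects a year outside its accepted range with "bad date in %changelog", so this hunk can fail the package build rather than merely misreport the date. The fix is the single line `* Sat Jun 18 2022 shixuantong - 2:8.2-34`. The weekday is consistent with the corrected year, since the previous entry places Wed on Jun 15 2022.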