diff --git a/backport-CVE-2022-1771.patch b/backport-CVE-2022-1771.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cc32106ea3a730a301dc12dd55149dab88e9240c
--- /dev/null
+++ b/backport-CVE-2022-1771.patch
@@ -0,0 +1,96 @@
+From 51f0bfb88a3554ca2dde777d78a59880d1ee37a8 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 17 May 2022 20:11:02 +0100
+Subject: [PATCH] patch 8.2.4975: recursive command line loop may cause a crash
+
+Problem: Recursive command line loop may cause a crash.
+Solution: Limit recursion of getcmdline().
+
+Reference:https://github.com/vim/vim/commit/51f0bfb88a3554ca2dde777d78a59880d1ee37a8
+Conflict:(1)The src/version.c file is not modified
+(2)add e_command_too_recursive in src/globals.h
+---
+ src/ex_getln.c | 12 ++++++++++++
+ src/globals.h | 3 +++
+ src/testdir/test_cmdline.vim | 12 ++++++++++++
+ 3 files changed, 27 insertions(+)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 771a9cd..e935f78 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -791,6 +791,7 @@ getcmdline_int(
+ int indent, // indent for inside conditionals
+ int init_ccline) // clear ccline first
+ {
++ static int depth = 0; // call depth
+ int c;
+ int i;
+ int j;
+@@ -820,6 +821,9 @@ getcmdline_int(
+ int did_save_ccline = FALSE;
+ int cmdline_type;
+
++ // one recursion level deeper
++ ++depth;
++
+ if (ccline.cmdbuff != NULL)
+ {
+ // Being called recursively. Since ccline is global, we need to save
+@@ -873,6 +877,13 @@ getcmdline_int(
+ ccline.cmdlen = indent;
+ }
+
++ if (depth == 50)
++ {
++ // Somehow got into a loop recursively calling getcmdline(), bail out.
++ emsg(_(e_command_too_recursive));
++ goto theend;
++ }
++
+ ExpandInit(&xpc);
+ ccline.xpc = &xpc;
+
+@@ -2425,6 +2436,7 @@ theend:
+ {
+ char_u *p = ccline.cmdbuff;
+
++ --depth;
+ if (did_save_ccline)
+ restore_cmdline(&save_ccline);
+ else
+diff --git a/src/globals.h b/src/globals.h
+index 44162d4..e9c88ed 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1747,3 +1747,6 @@ EXTERN int did_repeated_msg INIT(= 0);
+ EXTERN char e_illegal_character_in_word[]
+ INIT(= N_("E1280: Illegal character in word"));
+ #endif
++
++EXTERN char e_command_too_recursive[]
++ INIT(= N_("E169: Command too recursive"));
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 1ccdbe2..b76b7f3 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -903,4 +903,16 @@ func Test_report_error_with_composing()
+ call assert_equal('yes', caught)
+ endfunc
+
++func Test_recursive_register()
++ let @= = ''
++ silent! ?e/
++ let caught = 'no'
++ try
++ normal //
++ catch /E169:/
++ let caught = 'yes'
++ endtry
++ call assert_equal('yes', caught)
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 6ff4fa1351830a4452a0b09ae2643ad44dac489b..7a90f094cf2786f80b1e7acc64588ac11ac4ab57 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 37 +Release: 38 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org
@@ -108,6 +108,7 @@ Patch6071: backport-command-line-editing-not-sufficiently-tested.patch Patch6072: backport-CVE-2022-1619.patch Patch6073: backport-CVE-2022-1733.patch Patch6074: backport-CVE-2022-1735.patch +Patch6075: backport-CVE-2022-1771.patch Patch9000: bugfix-rm-modify-info-version.patch
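Review bot: In the src/ex_getln.c hunks of the backported patch, the static `depth` counter is incremented near the top of getcmdline_int() but decremented only under `theend:`, so any exit path that returns without reaching that label would leave it raised for the rest of the session. The hunks do not show the code between the increment and the label (the function starts and ends outside them), so this should be checked against the 8.2 tree the backport is applied to, not only against upstream. Because the guard is the exact comparison `if (depth == 50)`, a counter that had drifted past 50 would no longer trip it. A comment at the increment such as `// every exit below must go through "theend" so that depth is decremented` would record the invariant, and the bare 50 would read better as a named constant.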
@@ -496,6 +497,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Tue Jun 21 2022 dongyuzhen - 2:8.2-38 +- Type:CVE +- ID:CVE-2022-1771 +- SUG:NA +- DESC:fix CVE-2022-1771 + * Tue May 31 2022 shixuantong - 2:8.2-37 - Type:CVE - ID:CVE-2022-1733 CVE-2022-1735