From bb324c55d855131dde61d940d540fb4096c20127 Mon Sep 17 00:00:00 2001 From: rwx403335 Date: Wed, 15 Jun 2022 18:11:34 +0800 Subject: [PATCH] Fix CVE-2022-1898 CVE-2022-1942 (cherry picked from commit 6e6d375fb6a945059a984b3a0e650f9e2169a78d) --- backport-CVE-2022-1898.patch | 57 ++++++++++++++ backport-CVE-2022-1942.patch | 140 +++++++++++++++++++++++++++++++++ backport-fix-test-failed.patch | 58 ++++++++++++++ vim.spec | 11 ++- 4 files changed, 265 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-1898.patch create mode 100644 backport-CVE-2022-1942.patch create mode 100644 backport-fix-test-failed.patch diff --git a/backport-CVE-2022-1898.patch b/backport-CVE-2022-1898.patch new file mode 100644 index 0000000..0390605 --- /dev/null +++ b/backport-CVE-2022-1898.patch 
@@ -0,0 +1,57 @@ +From e2fa213cf571041dbd04ab0329303ffdc980678a Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 26 May 2022 16:32:44 +0100 +Subject: [PATCH] patch 8.2.5024: using freed memory with "]d" + +Problem: Using freed memory with "]d". +Solution: Copy the pattern before searching. + +--- + src/normal.c | 6 ++++++ + src/testdir/test_tagjump.vim | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/src/normal.c b/src/normal.c +index e9e587d..f122627 100644 +--- a/src/normal.c ++++ b/src/normal.c +@@ -4425,6 +4425,11 @@ nv_brackets(cmdarg_T *cap) + clearop(cap->oap); + else + { ++ // Make a copy, if the line was changed it will be freed. ++ ptr = vim_strnsave(ptr, len); ++ if (ptr == NULL) ++ return; ++ + find_pattern_in_path(ptr, 0, len, TRUE, + cap->count0 == 0 ? !isupper(cap->nchar) : FALSE, + ((cap->nchar & 0xf) == ('d' & 0xf)) ? FIND_DEFINE : FIND_ANY, +@@ -4433,6 +4438,7 @@ nv_brackets(cmdarg_T *cap) + islower(cap->nchar) ? ACTION_SHOW : ACTION_GOTO, + cap->cmdchar == ']' ? curwin->w_cursor.lnum + 1 : (linenr_T)1, + (linenr_T)MAXLNUM); ++ vim_free(ptr); + curwin->w_set_curswant = TRUE; + } + } +diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim +index 24df68f..c682682 100644 +--- a/src/testdir/test_tagjump.vim ++++ b/src/testdir/test_tagjump.vim +@@ -563,6 +563,12 @@ func Test_define_search() + sil norm o0 + sil! norm  + bwipe! ++ ++ new somefile +++ call setline(1, ['first line', '', '#define something 0']) +++ sil norm 0o0 +++ sil! norm ]d +++ bwipe! + endfunc + + " vim: shiftwidth=2 sts=2 expandtab +-- +2.27.0 + diff --git a/backport-CVE-2022-1942.patch b/backport-CVE-2022-1942.patch new file mode 100644 index 0000000..7cd9cba --- /dev/null +++ b/backport-CVE-2022-1942.patch 
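Review bot: The new `if (ptr == NULL) return;` after `vim_strnsave()` leaves `cap->oap` untouched, while the sibling branch a few lines above calls `clearop(cap->oap)` when `find_ident_under_cursor()` finds nothing, so on an allocation failure a pending operator would stay pending where the other failure exit clears it. If the backport is meant to track upstream byte-for-byte this is a note for upstream rather than for the spec, but `if (ptr == NULL) { clearop(cap->oap); return; }` would keep the two failure paths consistent. nv_brackets starts and ends outside the hunk, so whether the caller compensates for the early return cannot be seen here.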
@@ -0,0 +1,140 @@ +From 71223e2db87c2bf3b09aecb46266b56cda26191d Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 30 May 2022 15:23:09 +0100 +Subject: [PATCH] patch 8.2.5043: can open a cmdline window from a substitute + expression + +Problem: Can open a cmdline window from a substitute expression. +Solution: Disallow opening a command line window when text or buffer is + locked. + +--- + src/buffer.c | 7 +------ + src/ex_getln.c | 19 +++++++++++++++++++ + src/proto/ex_getln.pro | 1 + + src/testdir/test_substitute.vim | 24 ++++++++++++++++++++++++ + src/window.c | 5 +---- + 5 files changed, 46 insertions(+), 10 deletions(-) + +diff --git a/src/buffer.c b/src/buffer.c +index 88094ee..8fabbdb 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -2364,12 +2364,7 @@ buflist_getfile( + if (buf == curbuf) + return OK; + +- if (text_locked()) +- { +- text_locked_msg(); +- return FAIL; +- } +- if (curbuf_locked()) ++ if (text_or_buf_locked()) + return FAIL; + + // altfpos may be changed by getfile(), get it now +diff --git a/src/ex_getln.c b/src/ex_getln.c +index 64b393d..d5fc38d 100644 +--- a/src/ex_getln.c ++++ b/src/ex_getln.c +@@ -2588,6 +2588,21 @@ text_locked(void) + return text_and_win_locked() || textlock != 0; + } + ++/* ++ * Check for text, window or buffer locked. ++ * Give an error message and return TRUE if something is locked. ++ */ ++ int ++text_or_buf_locked(void) ++{ ++ if (text_locked()) ++ { ++ text_locked_msg(); ++ return TRUE; ++ } ++ return curbuf_locked(); ++} ++ + /* + * Check if "curbuf_lock" or "allbuf_lock" is set and return TRUE when it is + * and give an error message. +@@ -4170,6 +4185,10 @@ open_cmdwin(void) + int save_KeyTyped; + #endif + ++ // Can't do this when text or buffer is locked. ++ if (text_or_buf_locked()) ++ return K_IGNORE; ++ + // Can't do this recursively. Can't do it when typing a password. 
+ if (cmdwin_type != 0 + # if defined(FEAT_CRYPT) || defined(FEAT_EVAL) +diff --git a/src/proto/ex_getln.pro b/src/proto/ex_getln.pro +index f64bb1f..7597457 100644 +--- a/src/proto/ex_getln.pro ++++ b/src/proto/ex_getln.pro +@@ -7,6 +7,7 @@ int text_and_win_locked(void); + void text_locked_msg(void); + char *get_text_locked_msg(void); + int text_locked(void); ++int text_or_buf_locked(void); + int curbuf_locked(void); + int allbuf_locked(void); + char_u *getexline(int c, void *cookie, int indent, int do_concat); +diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim +index bda96f6..ebc0839 100644 +--- a/src/testdir/test_substitute.vim ++++ b/src/testdir/test_substitute.vim +@@ -775,3 +775,27 @@ func Test_sub_change_window() + delfunc Repl + endfunc + ++" This was opening a command line window from the expression ++func Test_sub_open_cmdline_win() ++ " the error only happens in a very specific setup, run a new Vim instance to ++ " get a clean starting point. ++ let lines =<< trim [SCRIPT] ++ norm o0000000000000000000000000000000000000000000000000000 ++ func Replace() ++ norm q/ ++ endfunc ++ s/\%')/\=Replace() ++ redir >Xresult ++ messages ++ redir END ++ qall! ++ [SCRIPT] ++ call writefile(lines, 'Xscript') ++ if RunVim([], [], '-u NONE -S Xscript') ++ let messages = readfile('Xresult') ++ call assert_match('E565: Not allowed to change text or change window', messages[3]) ++ endif ++ ++ call delete('Xscript') ++ call delete('Xresult') ++endfunc +diff --git a/src/window.c b/src/window.c +index 0a154b0..d8091f9 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -4343,14 +4343,11 @@ win_goto(win_T *wp) + + if (ERROR_IF_POPUP_WINDOW) + return; +- if (text_and_win_locked()) ++ if (text_or_buf_locked()) + { + beep_flush(); +- text_locked_msg(); + return; + } +- if (curbuf_locked()) +- return; + + if (wp->w_buffer != curbuf) + reset_VIsual_and_resel(); +-- +2.27.0 + 
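Review bot: The `win_goto()` hunk is not a pure refactor: `text_or_buf_locked()` is built on `text_locked()`, which the ex_getln.c context line shows is `text_and_win_locked() || textlock != 0`, so `win_goto()` now also refuses when only `textlock` is set, which the previous `text_and_win_locked()` check did not. That widening appears to be what closes the substitute-expression path, but neither the patch header nor the spec changelog mentions it, and any caller that could previously switch windows under `textlock` alone now gets a beep and no move. A one-line comment above the new check, `// Also refuse under textlock (e.g. from a substitute expression).`, would make the intent visible to whoever next touches this backport. `win_goto()` continues outside the hunk.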
diff --git a/backport-fix-test-failed.patch b/backport-fix-test-failed.patch new file mode 100644 index 0000000..349d64e --- /dev/null +++ b/backport-fix-test-failed.patch 
@@ -0,0 +1,58 @@ +From be99042b03edf7b8156c9adbc23516bfcf2cec0f Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 30 May 2022 16:01:42 +0100 +Subject: [PATCH] patch 8.2.5044: command line test fails + +Problem: Command line test fails. +Solution: Also beep when cmdline win can't be opened because of locks. + Make the test not beep. Make the test pass on MS-Windows. + +--- + src/ex_getln.c | 6 ++---- + src/testdir/test_substitute.vim | 5 +++-- + 2 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/src/ex_getln.c b/src/ex_getln.c +index d5fc38d..7571ae2 100644 +--- a/src/ex_getln.c ++++ b/src/ex_getln.c +@@ -4186,11 +4186,9 @@ open_cmdwin(void) + #endif + + // Can't do this when text or buffer is locked. +- if (text_or_buf_locked()) +- return K_IGNORE; +- + // Can't do this recursively. Can't do it when typing a password. +- if (cmdwin_type != 0 ++ if (text_or_buf_locked() ++ || cmdwin_type != 0 + # if defined(FEAT_CRYPT) || defined(FEAT_EVAL) + || cmdline_star > 0 + # endif +diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim +index 367f472..3450c4f 100644 +--- a/src/testdir/test_substitute.vim ++++ b/src/testdir/test_substitute.vim +@@ -781,6 +781,7 @@ func Test_sub_open_cmdline_win() + " the error only happens in a very specific setup, run a new Vim instance to + " get a clean starting point. + let lines =<< trim [SCRIPT] ++ set vb t_vb= + norm o0000000000000000000000000000000000000000000000000000 + func Replace() + norm q/ +@@ -793,8 +794,8 @@ func Test_sub_open_cmdline_win() + [SCRIPT] + call writefile(lines, 'Xscript') + if RunVim([], [], '-u NONE -S Xscript') +- let messages = readfile('Xresult') +- call assert_match('E565: Not allowed to change text or change window', messages[3]) ++ call assert_match('E565: Not allowed to change text or change window', ++ \ readfile('Xresult')->join('XX')) + endif + + call delete('Xscript') +-- +2.27.0 + diff --git a/vim.spec b/vim.spec index 522fc81..5a3a4bd 100644 
--- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 40 +Release: 41 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -116,6 +116,9 @@ Patch6079: backport-CVE-2022-1927.patch Patch6080: backport-after-a-put-the-mark-is-on-the-last-byte.patch Patch6081: backport-illegal-memory-access.patch Patch6082: backport-CVE-2022-1886.patch +Patch6083: backport-CVE-2022-1898.patch +Patch6084: backport-CVE-2022-1942.patch +Patch6085: backport-fix-test-failed.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -504,6 +507,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Wed Jun 15 2022 tianwei - 2:8.2-41 +- Type:CVE +- ID:CVE-2022-1898 CVE-2022-1942 +- SUG:NA +- DESC:fix CVE-2022-1898 CVE-2022-1942 + * Wed Jun 15 2022 renhongxun - 2:8.2-40 - Type:CVE - ID:CVE-2022-1886 -- Gitee
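Review bot: The second hunk declares `Patch6083`–`Patch6085` but no matching `%patch` application lines appear in the diff; if the `%prep` section uses `%autosetup` or `%autopatch` the new patches are picked up automatically, otherwise the CVE fixes are declared but never applied and the build would still succeed silently. Please confirm which it is, since the changelog already records the CVEs as fixed. The numbering order also matters: `backport-fix-test-failed.patch` modifies `src/ex_getln.c` at the blob the CVE-2022-1942 patch produces (`d5fc38d`), so `Patch6085` must stay after `Patch6084`.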