From c5521ca91dc920b634ca8e780a02627fd5f31520 Mon Sep 17 00:00:00 2001
From: shixuantong <1726671442@qq.com>
Date: Tue, 5 Jul 2022 09:24:29 +0800
Subject: [PATCH] fix CVE-2022-2125,CVE-2022-2206
---
 backport-CVE-2022-2125.patch | 48 +++
 backport-CVE-2022-2206.patch | 32 ++
 ...58-insufficient-testing-for-indent.c.patch | 275 ++++++++++++++++++
 ...61-might-still-access-invalid-memory.patch | 30 ++
 vim.spec | 12 +-
 5 files changed, 396 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2125.patch
 create mode 100644 backport-CVE-2022-2206.patch
 create mode 100644 backport-patch-8.2.0358-insufficient-testing-for-indent.c.patch
 create mode 100644 backport-patch-8.2.5161-might-still-access-invalid-memory.patch
diff --git a/backport-CVE-2022-2125.patch b/backport-CVE-2022-2125.patch
new file mode 100644
index 0000000..18126d8
--- /dev/null
+++ b/backport-CVE-2022-2125.patch
@@ -0,0 +1,48 @@
+From 0e8e938d497260dd57be67b4966cb27a5f72376f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sat, 18 Jun 2022 12:51:11 +0100
+Subject: [PATCH] patch 8.2.5122: lisp indenting my run over the end of the
+ line
+
+Problem: Lisp indenting my run over the end of the line.
+Solution: Check for NUL earlier.
+---
+ src/indent.c | 2 ++
+ src/testdir/test_indent.vim | 10 ++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/indent.c b/src/indent.c
+index 4677d29..2d07e2e 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -1920,6 +1920,8 @@ get_lisp_indent(void)
+ }
+ }
+ }
++ if (*that == NUL)
++ break;
+ }
+ if (*that == '(' || *that == '[')
+ ++parencount;
+diff --git a/src/testdir/test_indent.vim b/src/testdir/test_indent.vim
+index 91e801a..f3b8b6b 100644
+--- a/src/testdir/test_indent.vim
++++ b/src/testdir/test_indent.vim
+@@ -98,4 +98,14 @@ func Test_copyindent()
+ close!
+ endfunc
+
++func Test_lisp_indent_quoted()
++ " This was going past the end of the line
++ new
++ setlocal lisp autoindent
++ call setline(1, ['"[', '='])
++ normal Gvk=
++
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+1.8.3.1
+
diff --git a/backport-CVE-2022-2206.patch b/backport-CVE-2022-2206.patch
new file mode 100644
index 0000000..6f930f1
--- /dev/null
+++ b/backport-CVE-2022-2206.patch
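Review bot: In backport-CVE-2022-2125.patch, the regression test `Test_lisp_indent_quoted` added to src/testdir/test_indent.vim has no assertion; it only runs `normal Gvk=` on the two-line buffer, so it can fail only if the read past the end of the line crashes or the suite runs under a memory checker such as ASan or valgrind. If the package's test run is a plain build, a regression of this fix would probably pass unnoticed, so either run this test under a sanitizer or record the limitation next to it, e.g. `" no assert: the overread is only detected under ASan/valgrind`. The new `if (*that == NUL) break;` in `get_lisp_indent()` also carries no comment; going by the patch description, something like `// "that" may already be at the terminating NUL; stop before advancing past the end of the line` would fit. The body of `get_lisp_indent()` starts and ends outside the inner hunk, so the loop this `break` leaves is not visible here.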
@@ -0,0 +1,32 @@
+From e178af5a586ea023622d460779fdcabbbfac0908 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sat, 25 Jun 2022 19:54:09 +0100
+Subject: [PATCH] patch 8.2.5160: accessing invalid memory after changing
+ terminal size
+
+Problem: Accessing invalid memory after changing terminal size.
+Solution: Adjust cmdline_row and msg_row to the value of Rows.
+---
+ src/term.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/term.c b/src/term.c
+index 77cfa7d..307e3bf 100644
+--- a/src/term.c
++++ b/src/term.c
+@@ -3223,6 +3223,12 @@ check_shellsize(void)
+ if (Rows < min_rows()) // need room for one window and command line
+ Rows = min_rows();
+ limit_screen_size();
++
++ // make sure these values are not invalid
++ if (cmdline_row >= Rows)
++ cmdline_row = Rows - 1;
++ if (msg_row >= Rows)
++ msg_row = Rows - 1;
+ }
+
+ /*
+--
+1.8.3.1
+
diff --git a/backport-patch-8.2.0358-insufficient-testing-for-indent.c.patch b/backport-patch-8.2.0358-insufficient-testing-for-indent.c.patch
new file mode 100644
index 0000000..b5d1b28
--- /dev/null
+++ b/backport-patch-8.2.0358-insufficient-testing-for-indent.c.patch
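Review bot: In backport-CVE-2022-2206.patch, the clamp added to `check_shellsize()` bounds `cmdline_row` and `msg_row` only from above, and its comment (`make sure these values are not invalid`) does not say what "valid" means. `Rows - 1` presumably stays non-negative because `Rows` is raised to `min_rows()` a few lines earlier, but whether the intervening `limit_screen_size()` can change `Rows` again is not visible in this hunk. A more specific comment would help the next reader, e.g. `// Rows may have shrunk: keep cmdline_row and msg_row below Rows so they still refer to a screen line`. The inner diffstat lists only src/term.c, so this fix arrives without a regression test of its own.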
@@ -0,0 +1,275 @@ +From bd7206e02c957f0619e68e1628e2a3e91dd41e06 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 6 Mar 2020 20:36:04 +0100 +Subject: [PATCH] patch 8.2.0358: insufficient testing for indent.c + +Problem: Insufficient testing for indent.c. +Solution: Add indent tests. (Yegappan Lakshmanan, closes #5736) +--- + src/testdir/Make_all.mak | 2 + + src/testdir/test_expand_func.vim | 14 ++++++ + src/testdir/test_indent.vim | 101 +++++++++++++++++++++++++++++++++++++++ + src/testdir/test_lispwords.vim | 3 ++ + src/testdir/test_smartindent.vim | 23 +++++++++ + src/testdir/test_vartabs.vim | 39 +++++++++++++++ + 6 files changed, 182 insertions(+) + create mode 100644 src/testdir/test_indent.vim + +diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak +index 2a3c4ab..4ecb606 100644 +--- a/src/testdir/Make_all.mak ++++ b/src/testdir/Make_all.mak +@@ -150,6 +150,7 @@ NEW_TESTS = \ + test_iminsert \ + test_increment \ + test_increment_dbcs \ ++ test_indent \ + test_ins_complete \ + test_interrupt \ + test_job_fails \ +@@ -361,6 +362,7 @@ NEW_TESTS_RES = \ + test_iminsert.res \ + test_increment.res \ + test_increment_dbcs.res \ ++ test_indent.res \ + test_ins_complete.res \ + test_interrupt.res \ + test_job_fails.res \ +diff --git a/src/testdir/test_expand_func.vim b/src/testdir/test_expand_func.vim +index f9c5b5f..c408dea 100644 +--- a/src/testdir/test_expand_func.vim ++++ b/src/testdir/test_expand_func.vim +@@ -73,3 +73,17 @@ func Test_expand() + " Don't add any line above this, otherwise will change. 
+ quit + endfunc ++ ++" Test for 'wildignore' with expand() ++func Test_expand_wildignore() ++ set wildignore=*.vim ++ call assert_equal('', expand('test_expand_func.vim')) ++ call assert_equal('', expand('test_expand_func.vim', 0)) ++ call assert_equal([], expand('test_expand_func.vim', 0, 1)) ++ call assert_equal('test_expand_func.vim', expand('test_expand_func.vim', 1)) ++ call assert_equal(['test_expand_func.vim'], ++ \ expand('test_expand_func.vim', 1, 1)) ++ set wildignore& ++endfunc ++ ++" vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/testdir/test_indent.vim b/src/testdir/test_indent.vim +new file mode 100644 +index 0000000..91e801a +--- /dev/null ++++ b/src/testdir/test_indent.vim +@@ -0,0 +1,101 @@ ++" Test for various indent options ++ ++func Test_preserveindent() ++ new ++ " Test for autoindent copying indent from the previous line ++ setlocal autoindent ++ call setline(1, [repeat(' ', 16) .. 'line1']) ++ call feedkeys("A\nline2", 'xt') ++ call assert_equal("\t\tline2", getline(2)) ++ setlocal autoindent& ++ ++ " Test for using CTRL-T with and without 'preserveindent' ++ set shiftwidth=4 ++ call cursor(1, 1) ++ call setline(1, " \t ") ++ call feedkeys("Al\", 'xt') ++ call assert_equal("\t\tl", getline(1)) ++ set preserveindent ++ call setline(1, " \t ") ++ call feedkeys("Al\", 'xt') ++ call assert_equal(" \t \tl", getline(1)) ++ set pi& sw& ++ ++ " Test for using CTRL-T with 'expandtab' and 'preserveindent' ++ call cursor(1, 1) ++ call setline(1, "\t \t") ++ set shiftwidth=4 expandtab preserveindent ++ call feedkeys("Al\", 'xt') ++ call assert_equal("\t \t l", getline(1)) ++ set sw& et& pi& ++ ++ close! ++endfunc ++ ++" Test for indent() ++func Test_indent_func() ++ call assert_equal(-1, indent(-1)) ++ new ++ call setline(1, "\tabc") ++ call assert_equal(8, indent(1)) ++ call setline(1, " abc") ++ call assert_equal(4, indent(1)) ++ call setline(1, " \t abc") ++ call assert_equal(12, indent(1)) ++ close! 
++endfunc ++ ++" Test for reindenting a line using the '=' operator ++func Test_reindent() ++ new ++ call setline(1, 'abc') ++ set nomodifiable ++ call assert_fails('normal ==', 'E21:') ++ set modifiable ++ ++ call setline(1, ['foo', 'bar']) ++ call feedkeys('ggVG=', 'xt') ++ call assert_equal(['foo', 'bar'], getline(1, 2)) ++ close! ++endfunc ++ ++" Test for shifting a line with a preprocessor directive ('#') ++func Test_preproc_indent() ++ new ++ set sw=4 ++ call setline(1, '#define FOO 1') ++ normal >> ++ call assert_equal(' #define FOO 1', getline(1)) ++ ++ " with 'smartindent' ++ call setline(1, '#define FOO 1') ++ set smartindent ++ normal >> ++ call assert_equal('#define FOO 1', getline(1)) ++ set smartindent& ++ ++ " with 'cindent' ++ set cindent ++ normal >> ++ call assert_equal('#define FOO 1', getline(1)) ++ set cindent& ++ ++ close! ++endfunc ++ ++" Test for 'copyindent' ++func Test_copyindent() ++ new ++ set shiftwidth=4 autoindent expandtab copyindent ++ call setline(1, " \t abc") ++ call feedkeys("ol", 'xt') ++ call assert_equal(" \t l", getline(2)) ++ set noexpandtab ++ call setline(1, " \t abc") ++ call feedkeys("ol", 'xt') ++ call assert_equal(" \t l", getline(2)) ++ set sw& ai& et& ci& ++ close! 
++endfunc ++ ++" vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/testdir/test_lispwords.vim b/src/testdir/test_lispwords.vim +index aa5a738..ff710b2 100644 +--- a/src/testdir/test_lispwords.vim ++++ b/src/testdir/test_lispwords.vim +@@ -45,6 +45,7 @@ func Test_lisp_indent() + \ ]) + call assert_equal(7, lispindent(2)) + call assert_equal(5, 6->lispindent()) ++ call assert_equal(-1, lispindent(-1)) + + set lisp + set lispwords& +@@ -83,3 +84,5 @@ func Test_lisp_indent() + let &cpoptions=save_copt + set nolisp + endfunc ++ ++" vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/testdir/test_smartindent.vim b/src/testdir/test_smartindent.vim +index e89ad19..dc0f99e 100644 +--- a/src/testdir/test_smartindent.vim ++++ b/src/testdir/test_smartindent.vim +@@ -38,4 +38,27 @@ func Test_smartindent_has_no_effect() + bwipe! + endfunc + ++" Test for inserting '{' and '} with smartindent ++func Test_smartindent_braces() ++ new ++ set smartindent shiftwidth=4 ++ call setline(1, [' if (a)', "\tif (b)", "\t return 1"]) ++ normal 2ggO{ ++ normal 3ggA { ++ normal 4ggo} ++ normal o} ++ normal 4ggO#define FOO 1 ++ call assert_equal([ ++ \ ' if (a)', ++ \ ' {', ++ \ "\tif (b) {", ++ \ '#define FOO 1', ++ \ "\t return 1", ++ \ "\t}", ++ \ ' }' ++ \ ], getline(1, '$')) ++ set si& sw& ai& ++ close! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/testdir/test_vartabs.vim b/src/testdir/test_vartabs.vim +index c2919d8..0ac6ad2 100644 +--- a/src/testdir/test_vartabs.vim ++++ b/src/testdir/test_vartabs.vim +@@ -91,6 +91,18 @@ func Test_vartabs() + let expect = "l\ l\l l\ l\ l" + call assert_equal(expect, getline(1)) + ++ " Test for 'retab' with vts ++ set ts=8 sts=0 vts=5,3,6,2 vsts= ++ exe "norm! S l" ++ .retab! ++ call assert_equal("\t\t\t\tl", getline(1)) ++ ++ " Test for 'retab' with same vlaues as vts ++ set ts=8 sts=0 vts=5,3,6,2 vsts= ++ exe "norm! S l" ++ .retab! 
5,3,6,2 ++ call assert_equal("\t\t\t\tl", getline(1)) ++ + " Check that global and local values are set. + set ts=4 vts=6 sts=8 vsts=10 + call assert_equal(&ts, 4) +@@ -390,5 +402,32 @@ func Test_vartabstop_latin1() + let &encoding = save_encoding + endfunc + ++func s:SaveCol(l) ++ call add(a:l, [col('.'), virtcol('.')]) ++ return '' ++endfunc ++ ++" Test for 'varsofttabstop' ++func Test_varsofttabstop() ++ new ++ inoremap s:SaveCol(g:cols) ++ ++ set backspace=indent,eol,start ++ set varsofttabstop=6,2,5,3 ++ let g:cols = [] ++ call feedkeys("a\t\\t\\t\\t\ ", 'xt') ++ call assert_equal("\t\t ", getline(1)) ++ call assert_equal([[7, 7], [2, 9], [7, 14], [3, 17]], g:cols) ++ ++ let g:cols = [] ++ call feedkeys("a\\\\\\\\\\", 'xt') ++ call assert_equal('', getline(1)) ++ call assert_equal([[3, 17], [7, 14], [2, 9], [7, 7], [1, 1]], g:cols) ++ ++ set varsofttabstop& ++ set backspace& ++ iunmap ++ close! ++endfunc + + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-patch-8.2.5161-might-still-access-invalid-memory.patch b/backport-patch-8.2.5161-might-still-access-invalid-memory.patch new file mode 100644 index 0000000..bd2823d --- /dev/null +++ b/backport-patch-8.2.5161-might-still-access-invalid-memory.patch 
@@ -0,0 +1,30 @@
+From 0fbc9260a75dfc4d86f20e7c0eb76878f513a212 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sun, 26 Jun 2022 11:17:10 +0100
+Subject: [PATCH] patch 8.2.5161: might still access invalid memory
+
+Problem: Might still access invalid memory.
+Solution: Add extra check for negative value.
+---
+ src/message.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/message.c b/src/message.c
+index 0b690bb..eae6e61 100644
+--- a/src/message.c
++++ b/src/message.c
+@@ -876,8 +876,10 @@ msg_may_trunc(int force, char_u *s)
+ int n;
+ int room;
+
++ // If something unexpected happened "room" may be negative, check for that
++ // just in case.
+ room = (int)(Rows - cmdline_row - 1) * Columns + sc_col - 1;
+- if ((force || (shortmess(SHM_TRUNC) && !exmode_active))
++ if (room > 0 && (force || (shortmess(SHM_TRUNC) && !exmode_active))
+ && (n = (int)STRLEN(s) - room) > 0)
+ {
+ if (has_mbyte)
+--
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index 267d448..cbc151b 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 46
+Release: 47
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -129,6 +129,10 @@ Patch6092: backport-patch-8.2.1354-test-59-is-old-style.patch Patch6093: backport-patch-8.2.3484-crash-when-going-through-spell-sugges.patch Patch6094: backport-patch-8.2.5007-spell-suggestion-may-use-uninitialize.patch Patch6095: backport-CVE-2022-2126.patch +Patch6096: backport-patch-8.2.0358-insufficient-testing-for-indent.c.patch +Patch6097: backport-CVE-2022-2125.patch +Patch6098: backport-CVE-2022-2206.patch +Patch6099: backport-patch-8.2.5161-might-still-access-invalid-memory.patch Patch9000: bugfix-rm-modify-info-version.patch
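Review bot: In backport-patch-8.2.5161-might-still-access-invalid-memory.patch, the new guard in `msg_may_trunc()` is `room > 0`, so it also skips truncation when `room` is exactly zero, while the added comment speaks only of a negative value. Wording such as `// "room" may be zero or negative when Rows and cmdline_row are inconsistent; skip truncation in that case` would match the check. When the guard fails, the message is handed on untruncated, which avoids the bad length computation but leaves the full string for later output code to handle. The rest of the function is outside the hunk, so that downstream handling cannot be confirmed from this page.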
@@ -517,6 +521,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Tue Jul 05 2022 shixuantong - 2:8.2-47 +- Type:CVE +- ID:CVE-2022-2125,CVE-2022-2206 +- SUG:NA +- DESC:fix CVE-2022-2125,CVE-2022-2206 + * Wed Jun 29 2022 shixuantong - 2:8.2-46 - Type:CVE - ID:CVE-2022-2126 -- Gitee