From b651559d6039da7a0a488823b12a67ef4f05ef4e Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Wed, 6 Jul 2022 15:12:13 +0800
Subject: [PATCH] fix CVE-2022-2182
---
backport-CVE-2022-2182.patch | 54 ++++++++++++++++++++++++++++++++++++
vim.spec | 9 +++++-
2 files changed, 62 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2022-2182.patch
diff --git a/backport-CVE-2022-2182.patch b/backport-CVE-2022-2182.patch
new file mode 100644
index 0000000..1c675da
--- /dev/null
+++ b/backport-CVE-2022-2182.patch
@@ -0,0 +1,54 @@
+From f7c7c3fad6d2135d558f3b36d0d1a943118aeb5e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 22 Jun 2022 19:08:38 +0100
+Subject: [PATCH] patch 8.2.5150: read past the end of the first line with
+ ":0;'{"
+
+Problem: Read past the end of the first line with ":0;'{".
+Solution: When on line zero check the column is valid for line one.
+---
+ src/ex_docmd.c | 5 ++++-
+ src/testdir/test_cmdline.vim | 8 ++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index 0be3eda..01ebf48 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3040,10 +3040,13 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
+ curwin->w_cursor.lnum = eap->line2;
+
+ // Don't leave the cursor on an illegal line or column, but do
+- // accept zero as address, so 0;/PATTERN/ works correctly.
++ // accept zero as address, so 0;/PATTERN/ works correctly
++ // (where zero usually means to use the first line).
+ // Check the cursor position before returning.
+ if (eap->line2 > 0)
+ check_cursor();
++ else
++ check_cursor_col();
+ need_check_cursor = TRUE;
+ }
+ }
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 0a70742..8273e6f 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -513,6 +513,14 @@ func Test_illegal_address2()
+ call delete('Xtest.vim')
+ endfunc
+
++func Test_mark_from_line_zero()
++ " this was reading past the end of the first (empty) line
++ new
++ norm oxxxx
++ call assert_fails("0;'(", 'E20:')
++ bwipe!
++endfunc
++
+ func Test_cmdline_complete_wildoptions()
+ help
+ call feedkeys(":tag /\\\"\", 'tx')
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 262d343..60ff482 100644
--- a/vim.spec
+++ b/vim.spec
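Review bot: In the `src/ex_docmd.c` hunk the new `else check_cursor_col();` branch runs while `curwin->w_cursor.lnum` is still 0, so it only bounds the column if the column check resolves line 0 to line one; the commit message says it does, but nothing in the hunk shows it. The comment line added above explains the zero address rather than the branch, so I would put the reason on the branch itself, e.g. `// lnum is 0 here: clamp the column to line one so the address after ';' cannot read past its end`. The regression test uses `0;'(` while the subject quotes `:0;'{`, so it is worth confirming that `Test_mark_from_line_zero` fails on a build without this patch and that it is actually run by the package's test step. `parse_cmd_address` starts and ends outside the hunk.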
@@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 40 +Release: 41 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -123,6 +123,7 @@ Patch6089: backport-CVE-2022-2206.patch Patch6090: backport-patch-8.2.5161-might-still-access-invalid-memory.patch Patch6091: backport-CVE-2022-1720.patch Patch6092: backport-CVE-2022-2183.patch +Patch6093: backport-CVE-2022-2182.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: remove-failed-tests-due-to-patch.patch @@ -525,6 +526,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Wed Jul 06 2022 dongyuzhen - 2:8.2-41 +- Type:CVE +- ID:CVE-2022-2182 +- SUG:NA +- DESC:fix CVE-2022-2182 + * Tue Jul 05 2022 renhongxun - 2:8.2-40 - Type:CVE - ID:CVE-2022-1720,CVE-2022-2183 -- Gitee