diff --git a/backport-CVE-2022-2000.patch b/backport-CVE-2022-2000.patch new file mode 100644 index 0000000000000000000000000000000000000000..0f6e78eed1cfad98d9d473da71012ce1667690ee --- /dev/null +++ b/backport-CVE-2022-2000.patch 
@@ -0,0 +1,54 @@ +From 44a3f3353e0407e9fffee138125a6927d1c9e7e5 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 6 Jun 2022 15:38:21 +0100 +Subject: [PATCH] patch 8.2.5063: error for a command may go over the end of + IObuff + +Problem: Error for a command may go over the end of IObuff. +Solution: Truncate the message. +--- + src/ex_docmd.c | 12 ++++++++++-- + src/testdir/test_cmdline.vim | 5 +++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/ex_docmd.c b/src/ex_docmd.c +index 1644573..7c00a26 100644 +--- a/src/ex_docmd.c ++++ b/src/ex_docmd.c +@@ -3098,9 +3098,17 @@ checkforcmd( + static void + append_command(char_u *cmd) + { +- char_u *s = cmd; +- char_u *d; ++ size_t len = STRLEN(IObuff); ++ char_u *s = cmd; ++ char_u *d; + ++ if (len > IOSIZE - 100) ++ { ++ // Not enough space, truncate and put in "...". ++ d = IObuff + IOSIZE - 100; ++ d -= mb_head_off(IObuff, d); ++ STRCPY(d, "..."); ++ } + STRCAT(IObuff, ": "); + d = IObuff + STRLEN(IObuff); + while (*s != NUL && d - IObuff + 5 < IOSIZE) +diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim +index 2588a0d..735b0a5 100644 +--- a/src/testdir/test_cmdline.vim ++++ b/src/testdir/test_cmdline.vim +@@ -930,4 +930,9 @@ func Test_cmdline_expr_register() + exe "sil! norm! ?\e0\0\?\e0\" + endfunc + ++func Test_long_error_message() ++ " the error should be truncated, not overrun IObuff ++ silent! norm Q00000000000000     000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000                                                                                                                                                                                                                         ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + 
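Review bot: The new guard `if (len > IOSIZE - 100)` reserves a bare 100 bytes, and `len` is used nowhere else in the hunk, so nothing tells the next reader what the reservation has to cover; a comment tying it to what follows — the `"..."` written at the cut, the `": "` appended by the `STRCAT` just below, and the copy loop bounded by `d - IObuff + 5 < IOSIZE` — would make the bound checkable, e.g. `// keep room for "...", ": " and the bounded copy below`. Stepping `d` back by `mb_head_off(IObuff, d)` before the `STRCPY` appears to keep the cut on a character boundary rather than splitting a multibyte sequence; that is worth stating on the line, since `STRCPY(d, "...")` otherwise reads as a plain overwrite. append_command() continues past the end of the hunk.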
diff --git a/backport-CVE-2022-2042.patch b/backport-CVE-2022-2042.patch new file mode 100644 index 0000000000000000000000000000000000000000..caf52937463c3f9ab761a4905cfb0220ab23775c --- /dev/null +++ b/backport-CVE-2022-2042.patch 
@@ -0,0 +1,83 @@ +From 2813f38e021c6e6581c0c88fcf107e41788bc835 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 9 Jun 2022 19:54:24 +0100 +Subject: [PATCH] patch 8.2.5072: using uninitialized value and freed memory in + spell command + +Problem: Using uninitialized value and freed memory in spell command. +Solution: Initialize "attr". Check for empty line early. +--- + src/spell.c | 10 +++++++--- + src/testdir/test_spell_utf8.vim | 15 +++++++++++++++ + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/src/spell.c b/src/spell.c +index d8310fa..5b25950 100644 +--- a/src/spell.c ++++ b/src/spell.c +@@ -1254,7 +1254,7 @@ spell_move_to( + char_u *line; + char_u *p; + char_u *endp; +- hlf_T attr; ++ hlf_T attr = 0; + int len; + #ifdef FEAT_SYN_HL + int has_syntax = syntax_present(wp); +@@ -1287,6 +1287,8 @@ spell_move_to( + + while (!got_int) + { ++ int empty_line; ++ + line = ml_get_buf(wp->w_buffer, lnum, FALSE); + + len = (int)STRLEN(line); +@@ -1319,7 +1321,9 @@ spell_move_to( + } + + // Copy the line into "buf" and append the start of the next line if +- // possible. ++ // possible. Note: this ml_get_buf() may make "line" invalid, check ++ // for empty line first. ++ empty_line = *skipwhite(line) == NUL; + STRCPY(buf, line); + if (lnum < wp->w_buffer->b_ml.ml_line_count) + spell_cat_line(buf + STRLEN(buf), +@@ -1467,7 +1471,7 @@ spell_move_to( + --capcol; + + // But after empty line check first word in next line +- if (*skipwhite(line) == NUL) ++ if (empty_line) + capcol = 0; + } + +diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim +index 491a406..efdecdc 100644 +--- a/src/testdir/test_spell_utf8.vim ++++ b/src/testdir/test_spell_utf8.vim +@@ -797,5 +797,20 @@ func Test_word_index() + call delete('Xtmpfile') + endfunc + ++func Test_check_empty_line() ++ " This was using freed memory ++ enew ++ spellgood! fl ++ norm z= ++ norm yy ++ sil! 
norm P]svc ++ norm P]s ++ ++ " set 'encoding' to clear the wordt list ++ set enc=latin1 ++ set enc=utf-8 ++ bwipe! ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2284.patch b/backport-CVE-2022-2284.patch new file mode 100644 index 0000000000000000000000000000000000000000..eb87d8b2ddfaae4ebc475079c323217ffdfcf212 --- /dev/null +++ b/backport-CVE-2022-2284.patch @@ -0,0 +1,48 @@ +From 3d51ce18ab1be4f9f6061568a4e7fabf00b21794 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 15:26:15 +0100 +Subject: [PATCH] patch 9.0.0017: accessing memory beyond the end of the line + +Problem: Accessing memory beyond the end of the line. +Solution: Stop Visual mode when closing a window. +--- + src/testdir/test_visual.vim | 12 ++++++++++++ + src/window.c | 2 ++ + 2 files changed, 14 insertions(+) + +diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim +index d21f8f1..ebb6f27 100644 +--- a/src/testdir/test_visual.vim ++++ b/src/testdir/test_visual.vim +@@ -966,3 +966,15 @@ func Test_visual_block_with_substitute() + bwipe! + endfunc + ++func Test_visual_area_adjusted_when_hiding() ++ " The Visual area ended after the end of the line after :hide ++ call setline(1, 'xxx') ++ vsplit Xfile ++ call setline(1, 'xxxxxxxx') ++ norm! $o ++ hid ++ norm! zW ++ bwipe! ++ bwipe! ++endfunc ++ +diff --git a/src/window.c b/src/window.c +index d8091f9..e0df540 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -2506,6 +2506,8 @@ win_close(win_T *win, int free_buf) + */ + if (wp->w_buffer != curbuf) + { ++ reset_VIsual_and_resel(); // stop Visual mode ++ + other_buffer = TRUE; + win->w_closing = TRUE; + apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf); +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2285.patch b/backport-CVE-2022-2285.patch new file mode 100644 index 0000000000000000000000000000000000000000..38b9a9cb09cbdcebb06e7fe4643fa889056f6234 --- /dev/null +++ b/backport-CVE-2022-2285.patch 
@@ -0,0 +1,44 @@ +From 27efc62f5d86afcb2ecb7565587fe8dea4b036fe Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 16:35:45 +0100 +Subject: [PATCH] patch 9.0.0018: going over the end of the typahead + +Problem: Going over the end of the typahead. +Solution: Put a NUL after the typeahead. +--- + src/term.c | 1 + + src/testdir/test_mapping.vim | 9 +++++++++ + 2 files changed, 10 insertions(+) + +diff --git a/src/term.c b/src/term.c +index 307e3bf..ee80f0f 100644 +--- a/src/term.c ++++ b/src/term.c +@@ -4419,6 +4419,7 @@ check_termcode( + if (*tp == ESC && !p_ek && (State & INSERT)) + continue; + ++ tp[len] = NUL; + key_name[0] = NUL; // no key name found yet + key_name[1] = NUL; // no key name found yet + modifiers = 0; // no modifiers yet +diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim +index d3abaff..55e6af0 100644 +--- a/src/testdir/test_mapping.vim ++++ b/src/testdir/test_mapping.vim +@@ -492,3 +492,12 @@ func Test_expr_map_restore_cursor() + call StopVimInTerminal(buf) + call delete('XtestExprMap') + endfunc ++ ++func Test_using_past_typeahead() ++ nnoremap :00 0 ++ exe "norm :set \x80\xfb0=0\" ++ exe "sil norm :0\x0f\\" ++ ++ exe "norm :set \x80\xfb0=\" ++ nunmap :00 ++endfunc +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2304.patch b/backport-CVE-2022-2304.patch new file mode 100644 index 0000000000000000000000000000000000000000..ae0934cbc7007d46d91e54656d29f404e7badc40 --- /dev/null +++ b/backport-CVE-2022-2304.patch 
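Review bot: The added `tp[len] = NUL;` stores one byte beyond the `len` bytes being examined, and nothing in the hunk shows that the buffer behind `tp` has at least `len + 1` bytes; presumably the typeahead buffer is allocated with slack for exactly this (the patch description says "put a NUL after the typeahead"), but a backport should confirm the 8.2 buffer sizing matches, since a buffer sized exactly to its contents would turn the over-read being fixed into an over-write. A one-line comment stating the invariant would help: `// the typeahead buffer has room past "len", so the terminating NUL is in bounds`. check_termcode() starts and ends outside the hunk.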
@@ -0,0 +1,55 @@ +From 54e5fed6d27b747ff152cdb6edfb72ff60e70939 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 4 Jul 2022 13:37:07 +0100 +Subject: [PATCH] patch 9.0.0035: spell dump may go beyond end of an array + +Problem: Spell dump may go beyond end of an array. +Solution: Limit the word length. +--- + src/spell.c | 5 +++-- + src/testdir/test_spell.vim | 12 ++++++++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/spell.c b/src/spell.c +index 5b25950..1d7a1ae 100644 +--- a/src/spell.c ++++ b/src/spell.c +@@ -3958,9 +3958,10 @@ spell_dump_compl( + n = arridx[depth] + curi[depth]; + ++curi[depth]; + c = byts[n]; +- if (c == 0) ++ if (c == 0 || depth >= MAXWLEN - 1) + { +- // End of word, deal with the word. ++ // End of word or reached maximum length, deal with the ++ // word. + // Don't use keep-case words in the fold-case tree, + // they will appear in the keep-case tree. + // Only use the word when the region matches. +diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim +index ff50ecd..1f79907 100644 +--- a/src/testdir/test_spell.vim ++++ b/src/testdir/test_spell.vim +@@ -141,6 +141,18 @@ func Test_spellreall() + bwipe! + endfunc + ++func Test_spell_dump_word_length() ++ " this was running over MAXWLEN ++ new ++ noremap 0 0a0zW0000000 ++ sil! norm 0z=0 ++ sil norm 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ++ sil! norm 0z=0 ++ ++ bwipe! ++ nunmap 0 ++endfunc ++ + func Test_spellsuggest_visual_end_of_line() + let enc_save = &encoding + set encoding=iso8859 +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2344.patch b/backport-CVE-2022-2344.patch new file mode 100644 index 0000000000000000000000000000000000000000..b231a2e32f84316cb846cffbd8f2001b4e7071a7 --- /dev/null +++ b/backport-CVE-2022-2344.patch 
@@ -0,0 +1,48 @@ +From baefde14550231f6468ac2ed2ed495bc381c0c92 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 7 Jul 2022 19:59:49 +0100 +Subject: [PATCH] patch 9.0.0046: reading past end of completion with duplicate + match + +Problem: Reading past end of completion with duplicate match. +Solution: Check string length +--- + src/insexpand.c | 3 ++- + src/testdir/test_ins_complete.vim | 10 ++++++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/insexpand.c b/src/insexpand.c +index bf98cee..50e0579 100644 +--- a/src/insexpand.c ++++ b/src/insexpand.c +@@ -597,7 +597,8 @@ ins_compl_add( + { + if ( !(match->cp_flags & CP_ORIGINAL_TEXT) + && STRNCMP(match->cp_str, str, len) == 0 +- && match->cp_str[len] == NUL) ++ && ((int)STRLEN(match->cp_str) <= len ++ || match->cp_str[len] == NUL)) + return NOTDONE; + match = match->cp_next; + } while (match != NULL && match != compl_first_match); +diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim +index e48a72c..8f584d3 100644 +--- a/src/testdir/test_ins_complete.vim ++++ b/src/testdir/test_ins_complete.vim +@@ -380,3 +380,13 @@ func Test_ins_completeslash() + set completeslash= + endfunc + ++func Test_ins_complete_add() ++ " this was reading past the end of allocated memory ++ new ++ norm o ++ norm 7o€€ ++ sil! norm o ++ ++ bwipe! ++endfunc ++ +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2345.patch b/backport-CVE-2022-2345.patch new file mode 100644 index 0000000000000000000000000000000000000000..2f8340880903c6a8ad563e2b3ab13dcec41a1286 --- /dev/null +++ b/backport-CVE-2022-2345.patch 
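Review bot: The order of the two new operands is load-bearing and undocumented: `match->cp_str[len]` is exactly the out-of-bounds read this patch fixes when `cp_str` is shorter than `len`, so the `STRLEN` comparison must stay on the left of `||` and a later reader must not "optimise" by putting the cheap index check first. Suggest a comment on the added line: `// check the length first: cp_str[len] is past the end when cp_str is shorter`. `STRLEN` is now recomputed for every candidate on every loop iteration; that is probably acceptable here since the preceding `STRNCMP` already walks the string, but it is worth a glance at the list sizes this loop sees. ins_compl_add() starts and ends outside the hunk.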
@@ -0,0 +1,78 @@ +From 32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 7 Jul 2022 22:20:31 +0100 +Subject: [PATCH] patch 9.0.0047: using freed memory with recursive substitute + +Problem: Using freed memory with recursive substitute. +Solution: Always make a copy for reg_prev_sub. +--- + src/ex_cmds.c | 11 ++++++++++- + src/regexp.c | 8 ++++---- + src/testdir/test_regexp_latin.vim | 12 ++++++++++++ + 3 files changed, 26 insertions(+), 5 deletions(-) + +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index 0a22f59..5a90c2f 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -3881,7 +3881,16 @@ do_sub(exarg_T *eap) + sub_copy = sub; + } + else +- sub = regtilde(sub, p_magic); ++ { ++ char_u *newsub = regtilde(sub, p_magic); ++ ++ if (newsub != sub) ++ { ++ // newsub was allocated, free it later. ++ sub_copy = newsub; ++ sub = newsub; ++ } ++ } + + /* + * Check for a match on each line. +diff --git a/src/regexp.c b/src/regexp.c +index 6849cba..c2f29c8 100644 +--- a/src/regexp.c ++++ b/src/regexp.c +@@ -1761,11 +1761,11 @@ regtilde(char_u *source, int magic) + } + } + ++ // Store a copy of newsub in reg_prev_sub. It is always allocated, ++ // because recursive calls may make the returned string invalid. + vim_free(reg_prev_sub); +- if (newsub != source) // newsub was allocated, just keep it +- reg_prev_sub = newsub; +- else // no ~ found, need to save newsub +- reg_prev_sub = vim_strsave(newsub); ++ reg_prev_sub = vim_strsave(newsub); ++ + return newsub; + } + +diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim +index a242d91..b668f87 100644 +--- a/src/testdir/test_regexp_latin.vim ++++ b/src/testdir/test_regexp_latin.vim +@@ -172,3 +172,15 @@ func Test_using_invalid_visual_position() + /\%V + bwipe! + endfunc ++ ++func Test_recursive_substitute_expr() ++ new ++ func Repl() ++ s ++ endfunc ++ silent! s/\%')/~\=Repl() ++ ++ bwipe! ++ delfunc Repl ++endfunc ++ +-- +1.8.3.1 + 
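Review bot: The regexp.c hunk changes the ownership contract of `regtilde()` without saying so at the function: before, a return value different from `source` was handed to `reg_prev_sub` and the caller must not free it; now `reg_prev_sub` always holds a private copy and an allocated return belongs to the caller, which the ex_cmds.c hunk handles in `do_sub()` through `sub_copy`. Any other caller of `regtilde()` in the 8.2 tree (none is visible here) that still treats a non-`source` return as borrowed would leak it after this backport, so the callers should be checked before applying. A short comment above the `vim_free(reg_prev_sub)` or at the head of `regtilde()` would pin the rule, e.g. `// Returns "source" unchanged, or an allocated string the caller must free`. Both `do_sub()` and `regtilde()` extend beyond their hunks.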
diff --git a/vim.spec b/vim.spec index 1800f8c35ab517b7247bfbc255ff604e18d59130..6e22a2656642d8fb9e0da6f3f1ec19dcf2d2fcb0 100644 --- a/vim.spec +++ b/vim.spec @@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 41 +Release: 42 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -127,6 +127,13 @@ Patch6093: backport-cannot-list-options-one-per-line.patch Patch6094: backport-CVE-2022-2207.patch Patch6095: backport-CVE-2022-2208.patch Patch6096: backport-test-for-DiffUpdated-fails.patch +Patch6097: backport-CVE-2022-2000.patch +Patch6098: backport-CVE-2022-2042.patch +Patch6099: backport-CVE-2022-2284.patch +Patch6100: backport-CVE-2022-2285.patch +Patch6101: backport-CVE-2022-2304.patch +Patch6102: backport-CVE-2022-2344.patch +Patch6103: backport-CVE-2022-2345.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: remove-failed-tests-due-to-patch.patch @@ -529,6 +536,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Mon Jul 11 2022 shixuantong - 2:8.2-42 +- Type:CVE +- ID:CVE-2022-2000 CVE-2022-2042 CVE-2022-2284 CVE-2022-2285 CVE-2022-2304 CVE-2022-2344 CVE-2022-2345 +- SUG:NA +- DESC:fix CVE-2022-2000 CVE-2022-2042 CVE-2022-2284 CVE-2022-2285 CVE-2022-2304 CVE-2022-2344 CVE-2022-2345 + * Mon Jul 11 2022 tianwei - 2:8.2-41 - Type:CVE - ID:CVE-2022-2207 CVE-2022-2208
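Review bot: The seven new `Patch6097`–`Patch6103` declarations only take effect if `%prep` uses `%autosetup`/`%autopatch` or carries a matching `%patch` line for each; `%prep` is outside this diff, so confirm the patches are actually applied, because an unapplied Patch line still builds cleanly and the changelog entry would then claim fixes that are not in the binary. Ordering also matters: backport-CVE-2022-2304.patch modifies src/spell.c at blob `5b25950`, which is the blob produced by backport-CVE-2022-2042.patch, so Patch6098 must stay ahead of Patch6101 as listed here. The Release bump and changelog lines look consistent with the patch list.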