diff --git a/backport-CVE-2022-2257.patch b/backport-CVE-2022-2257.patch new file mode 100644 index 0000000000000000000000000000000000000000..86ea187f297abb3003c82fd1c8227e37db080948 --- /dev/null +++ b/backport-CVE-2022-2257.patch @@ -0,0 +1,53 @@ +From 083692d598139228e101b8c521aaef7bcf256e9a Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Wed, 29 Jun 2022 21:16:58 +0100 +Subject: [PATCH] patch 9.0.0009: going past the end of a menu item with only + modifier + +Problem: Going past the end of a menu item with only modifier. +Solution: Check for NUL. +--- + src/message.c | 4 ++-- + src/testdir/test_menu.vim | 14 ++++++++++++++ + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/src/message.c b/src/message.c +index 363dbe1..679a992 100644 +--- a/src/message.c ++++ b/src/message.c +@@ -1735,8 +1735,8 @@ str2special( + *sp = str + 1; + } + else +- // single-byte character or illegal byte +- *sp = str + 1; ++ // single-byte character, NUL or illegal byte ++ *sp = str + (*str == NUL ? 0 : 1); + + /* Make special keys and C0 control characters in <> form, also . + * Use only for lhs of a mapping. */ +diff --git a/src/testdir/test_menu.vim b/src/testdir/test_menu.vim +index 0d6b78e..7e411cf 100644 +--- a/src/testdir/test_menu.vim ++++ b/src/testdir/test_menu.vim +@@ -84,3 +84,17 @@ func Test_menu_commands() + + unlet g:did_menu + endfun ++ ++func Test_only_modifier() ++ exe "tmenu a.b \x80\xfc0" ++ let exp =<< trim [TEXT] ++ --- Menus --- ++ 500 a ++ 500 b ++ t - ++ [TEXT] ++ call assert_equal(exp, split(execute('tmenu'), "\n")) ++ ++ tunmenu a.b ++endfunc ++ +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2264.patch b/backport-CVE-2022-2264.patch new file mode 100644 index 0000000000000000000000000000000000000000..d8caacc22fd625425bde7de96824fe06c524c958 --- /dev/null +++ b/backport-CVE-2022-2264.patch @@ -0,0 +1,49 @@ +From d25f003342aca9889067f2e839963dfeccf1fe05 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 30 Jun 2022 12:30:19 +0100 +Subject: [PATCH] patch 9.0.0011: reading beyond the end of the line with put + command + +Problem: Reading beyond the end of the line with put command. +Solution: Adjust the end mark position. +--- + src/register.c | 2 ++ + src/testdir/test_put.vim | 12 ++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/src/register.c b/src/register.c +index 87689f7..51c14b8 100644 +--- a/src/register.c ++++ b/src/register.c +@@ -1819,6 +1819,8 @@ do_put( + vim_memset(ptr, ' ', (size_t)spaces); + ptr += spaces; + } ++ else ++ totlen -= spaces; // didn't use these spaces + } + // may insert some spaces after the new text + vim_memset(ptr, ' ', (size_t)bd.endspaces); +diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim +index 6df04cf..c8d306a 100644 +--- a/src/testdir/test_put.vim ++++ b/src/testdir/test_put.vim +@@ -152,3 +152,15 @@ func Test_put_empty_register() + bwipe! + endfunc + ++" this was putting the end mark after the end of the line ++func Test_put_visual_mode() ++ edit! SomeNewBuffer ++ set selection=exclusive ++ exe "norm o\t" ++ m0 ++ sil! norm  p p ++ ++ bwipe! ++ set selection& ++endfunc ++ +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2286.patch b/backport-CVE-2022-2286.patch new file mode 100644 index 0000000000000000000000000000000000000000..60d72ead4a8f0c41112ae6d4c3ca0263d59d2005 --- /dev/null +++ b/backport-CVE-2022-2286.patch @@ -0,0 +1,59 @@ +From f12129f1714f7d2301935bb21d896609bdac221c Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 19:58:30 +0100 +Subject: [PATCH] patch 9.0.0020: with some completion reading past end of + string + +Problem: With some completion reading past end of string. +Solution: Check the length of the string. +--- + src/insexpand.c | 14 ++++++++++++-- + src/testdir/test_ins_complete.vim | 7 +++++++ + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/insexpand.c b/src/insexpand.c +index 50e0579..66a836e 100644 +--- a/src/insexpand.c ++++ b/src/insexpand.c +@@ -2038,11 +2038,21 @@ ins_compl_prep(int c) + // but only do this, if the Popup is still visible + if (c == Ctrl_E) + { ++ char_u *p = NULL; ++ + ins_compl_delete(); + if (compl_leader != NULL) +- ins_bytes(compl_leader + ins_compl_len()); ++ p = compl_leader; + else if (compl_first_match != NULL) +- ins_bytes(compl_orig_text + ins_compl_len()); ++ p = compl_orig_text; ++ if (p != NULL) ++ { ++ int compl_len = ins_compl_len(); ++ int len = (int)STRLEN(p); ++ ++ if (len > compl_len) ++ ins_bytes_len(p + compl_len, len - compl_len); ++ } + retval = TRUE; + } + +diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim +index 8f584d3..b7cfd29 100644 +--- a/src/testdir/test_ins_complete.vim ++++ b/src/testdir/test_ins_complete.vim +@@ -390,3 +390,10 @@ func Test_ins_complete_add() + bwipe! + endfunc + ++func Test_complete_overrun() ++ " this was going past the end of the copied text ++ new ++ sil norm si”0s0  ++ bwipe! ++endfunc ++ +-- +1.8.3.1 + diff --git a/backport-CVE-2022-2287.patch b/backport-CVE-2022-2287.patch new file mode 100644 index 0000000000000000000000000000000000000000..ea0b51bf2a606dfa02dc2aa3ced8311f47b4551b --- /dev/null +++ b/backport-CVE-2022-2287.patch @@ -0,0 +1,90 @@ +From 5e59ea54c0c37c2f84770f068d95280069828774 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 22:26:20 +0100 +Subject: [PATCH] patch 9.0.0021: invalid memory access when adding word to + spell word list + +Problem: Invalid memory access when adding word with a control character to +the internal spell word list. +Solution: Disallow adding a word with control characters or a trailing +slash. +--- + src/spellfile.c | 21 +++++++++++++++++++-- + src/testdir/test_spell.vim | 15 +++++++++++++++ + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/src/spellfile.c b/src/spellfile.c +index 5171572..aeeb6ad 100644 +--- a/src/spellfile.c ++++ b/src/spellfile.c +@@ -4343,6 +4343,23 @@ wordtree_alloc(spellinfo_T *spin) + } + + /* ++ * Return TRUE if "word" contains valid word characters. ++ * Control characters and trailing '/' are invalid. Space is OK. ++ */ ++ static int ++valid_spell_word(char_u *word) ++{ ++ char_u *p; ++ ++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ return FALSE; ++ for (p = word; *p != NUL; p += mb_ptr2len(p)) ++ if (*p < ' ' || (p[0] == '/' && p[1] == NUL)) ++ return FALSE; ++ return TRUE; ++} ++ ++/* + * Store a word in the tree(s). + * Always store it in the case-folded tree. For a keep-case word this is + * useful when the word can also be used with all caps (no WF_FIXCAP flag) and +@@ -4367,7 +4384,7 @@ store_word( + char_u *p; + + // Avoid adding illegal bytes to the word tree. +- if (enc_utf8 && !utf_valid_string(word, NULL)) ++ if (!valid_spell_word(word)) + return FAIL; + + (void)spell_casefold(word, len, foldword, MAXWLEN); +@@ -6171,7 +6188,7 @@ spell_add_word( + int i; + char_u *spf; + +- if (enc_utf8 && !utf_valid_string(word, NULL)) ++ if (!valid_spell_word(word)) + { + emsg(_(e_illegal_character_in_word)); + return; +diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim +index 1f79907..bc4f41d 100644 +--- a/src/testdir/test_spell.vim ++++ b/src/testdir/test_spell.vim +@@ -574,6 +574,21 @@ func Test_spell_screendump() + call delete('XtestSpell') + endfunc + ++func Test_spell_good_word_invalid() ++ " This was adding a word with a 0x02 byte, which causes havoc. ++ enew ++ norm o0 ++ sil! norm rzzWs00/ ++ 2 ++ sil! norm VzGprzzW ++ sil! norm z= ++ ++ bwipe! ++ " clear the internal word list ++ set enc=latin1 ++ set enc=utf-8 ++endfunc ++ + let g:test_data_aff1 = [ + \"SET ISO8859-1", + \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ", +-- +1.8.3.1 + diff --git a/backport-patch-8.2.4867-listing-of-mapping-with-K_SPECIAL-is-.patch b/backport-patch-8.2.4867-listing-of-mapping-with-K_SPECIAL-is-.patch new file mode 100644 index 0000000000000000000000000000000000000000..427d53d6cbff7a9ea7c81a6c4ee35cf9b94ab60b --- /dev/null +++ b/backport-patch-8.2.4867-listing-of-mapping-with-K_SPECIAL-is-.patch @@ -0,0 +1,112 @@ +From ac402f4d64bec6b6efd809fef52f5b34627bf947 Mon Sep 17 00:00:00 2001 +From: zeertzjq +Date: Wed, 4 May 2022 18:51:43 +0100 +Subject: [PATCH] patch 8.2.4867: listing of mapping with K_SPECIAL is wrong + +Problem: Listing of mapping with K_SPECIAL is wrong. +Solution: Adjust escaping of special characters. (closes #10351) +--- + src/map.c | 12 +----------- + src/message.c | 26 ++++++++++++++++++-------- + src/testdir/test_mapping.vim | 20 ++++++++++++++++++++ + 3 files changed, 39 insertions(+), 19 deletions(-) + +diff --git a/src/map.c b/src/map.c +index 645cd10..98573b5 100644 +--- a/src/map.c ++++ b/src/map.c +@@ -186,17 +186,7 @@ showmap( + if (*mp->m_str == NUL) + msg_puts_attr("", HL_ATTR(HLF_8)); + else +- { +- // Remove escaping of CSI, because "m_str" is in a format to be used +- // as typeahead. +- char_u *s = vim_strsave(mp->m_str); +- if (s != NULL) +- { +- vim_unescape_csi(s); +- msg_outtrans_special(s, FALSE, 0); +- vim_free(s); +- } +- } ++ msg_outtrans_special(mp->m_str, FALSE, 0); + #ifdef FEAT_EVAL + if (p_verbose > 0) + last_set_msg(mp->m_script_ctx); +diff --git a/src/message.c b/src/message.c +index eae6e61..0898d90 100644 +--- a/src/message.c ++++ b/src/message.c +@@ -1716,19 +1716,29 @@ str2special( + + if (has_mbyte && !IS_SPECIAL(c)) + { +- int len = (*mb_ptr2len)(str); ++ char_u *p; + +- /* For multi-byte characters check for an illegal byte. */ +- if (has_mbyte && MB_BYTE2LEN(*str) > len) ++ *sp = str; ++ // Try to un-escape a multi-byte character after modifiers. ++ p = mb_unescape(sp); ++ ++ if (p == NULL) + { +- transchar_nonprint(buf, c); +- *sp = str + 1; +- return buf; ++ int len = (*mb_ptr2len)(str); ++ ++ // Check for an illegal byte. ++ if (MB_BYTE2LEN(*str) > len) ++ { ++ transchar_nonprint(curbuf, buf, c); ++ *sp = str + 1; ++ return buf; ++ } ++ *sp = str + len; ++ p = str; + } + /* Since 'special' is TRUE the multi-byte character 'c' will be + * processed by get_special_key_name() */ +- c = (*mb_ptr2char)(str); +- *sp = str + len; ++ c = (*mb_ptr2char)(p); + } + else + *sp = str + 1; +diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim +index 55e6af0..58c284d 100644 +--- a/src/testdir/test_mapping.vim ++++ b/src/testdir/test_mapping.vim +@@ -461,6 +461,26 @@ func Test_list_mappings() + call assert_equal(['i * ShiftSlash'], execute('imap')->trim()->split("\n")) + iunmap + call assert_equal(['No mapping found'], execute('imap')->trim()->split("\n")) ++ ++ nmap foo … ++ call assert_equal(['n foo …'], ++ \ execute('nmap foo')->trim()->split("\n")) ++ ++ " modified character with K_SPECIAL byte in rhs ++ nmap foo ++ call assert_equal(['n foo '], ++ \ execute('nmap foo')->trim()->split("\n")) ++ ++ " character with K_SPECIAL byte in lhs ++ nmap … foo ++ call assert_equal(['n … foo'], ++ \ execute('nmap …')->trim()->split("\n")) ++ ++ " modified character with K_SPECIAL byte in lhs ++ nmap foo ++ call assert_equal(['n foo'], ++ \ execute('nmap ')->trim()->split("\n")) ++ + endfunc + + func Test_expr_map_restore_cursor() +-- +1.8.3.1 + diff --git a/backport-patch-8.2.4924-maparg-may-return-a-string-that-canno.patch b/backport-patch-8.2.4924-maparg-may-return-a-string-that-canno.patch new file mode 100644 index 0000000000000000000000000000000000000000..1f9523ce4111f55893071a261953ab2524d40e45 --- /dev/null +++ b/backport-patch-8.2.4924-maparg-may-return-a-string-that-canno.patch @@ -0,0 +1,153 @@ +From 0519ce00394474055bd58c089ea90a19986443eb Mon Sep 17 00:00:00 2001 +From: zeertzjq +Date: Mon, 9 May 2022 12:16:19 +0100 +Subject: [PATCH] patch 8.2.4924: maparg() may return a string that cannot be + reused + +Problem: maparg() may return a string that cannot be reused. +Solution: use msg_outtrans_special() instead of str2special(). +(closes #10384) +--- + src/message.c | 35 +++++++++++++++-------------------- + src/option.c | 2 ++ + src/testdir/test_mapping.vim | 7 +++++++ + src/testdir/test_options.vim | 20 ++++++++++++++++++++ + 4 files changed, 44 insertions(+), 20 deletions(-) + +diff --git a/src/message.c b/src/message.c +index 0898d90..363dbe1 100644 +--- a/src/message.c ++++ b/src/message.c +@@ -1637,6 +1637,9 @@ msg_outtrans_special( + } + else + text = (char *)str2special(&str, from); ++ if (text[0] != NUL && text[1] == NUL) ++ // single-byte character or illegal byte ++ text = (char *)transchar_byte((char_u)text[0]); + len = vim_strsize((char_u *)text); + if (maxlen > 0 && retval + len >= maxlen) + break; +@@ -1671,6 +1674,7 @@ str2special_save( + + /* + * Return the printable string for the key codes at "*sp". ++ * On illegal byte return a string with only that byte. + * Used for translating the lhs or rhs of a mapping to printable chars. + * Advances "sp" to the next code. + */ +@@ -1714,7 +1718,7 @@ str2special( + special = TRUE; + } + +- if (has_mbyte && !IS_SPECIAL(c)) ++ if (has_mbyte && !IS_SPECIAL(c) && MB_BYTE2LEN(c) > 1) + { + char_u *p; + +@@ -1722,30 +1726,21 @@ str2special( + // Try to un-escape a multi-byte character after modifiers. + p = mb_unescape(sp); + +- if (p == NULL) +- { +- int len = (*mb_ptr2len)(str); +- +- // Check for an illegal byte. +- if (MB_BYTE2LEN(*str) > len) +- { +- transchar_nonprint(curbuf, buf, c); +- *sp = str + 1; +- return buf; +- } +- *sp = str + len; +- p = str; +- } +- /* Since 'special' is TRUE the multi-byte character 'c' will be +- * processed by get_special_key_name() */ +- c = (*mb_ptr2char)(p); ++ if (p != NULL) ++ // Since 'special' is TRUE the multi-byte character 'c' will be ++ // processed by get_special_key_name() ++ c = (*mb_ptr2char)(p); ++ else ++ // illegal byte ++ *sp = str + 1; + } + else ++ // single-byte character or illegal byte + *sp = str + 1; + +- /* Make unprintable characters in <> form, also and . ++ /* Make special keys and C0 control characters in <> form, also . + * Use only for lhs of a mapping. */ +- if (special || char2cells(c) > 1 || (from && c == ' ')) ++ if (special || c < ' ' || (from && c == ' ')) + return get_special_key_name(c, modifiers); + buf[0] = c; + buf[1] = NUL; +diff --git a/src/option.c b/src/option.c +index eb610dd..6a93a7b 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -3878,6 +3878,8 @@ get_option_value( + if ((char_u **)varp == &curbuf->b_p_key + && **(char_u **)(varp) != NUL) + *stringval = vim_strsave((char_u *)"*****"); ++ else if ((char_u **)varp == &p_pt) // 'pastetoggle' ++ *stringval = str2special_save(*(char_u **)(varp), FALSE); + else + #endif + *stringval = vim_strsave(*(char_u **)(varp)); +diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim +index 58c284d..9e32b38 100644 +--- a/src/testdir/test_mapping.vim ++++ b/src/testdir/test_mapping.vim +@@ -480,6 +480,13 @@ func Test_list_mappings() + nmap foo + call assert_equal(['n foo'], + \ execute('nmap ')->trim()->split("\n")) ++ ++ " illegal bytes ++ let str = ":\x7f:\x80:\x90:\xd0:" ++ exe 'nmap foo ' .. str ++ call assert_equal(['n foo ' .. strtrans(str)], ++ \ execute('nmap foo')->trim()->split("\n")) ++ unlet str + + endfunc + +diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim +index 7584465..e494cd9 100644 +--- a/src/testdir/test_options.vim ++++ b/src/testdir/test_options.vim +@@ -31,6 +31,26 @@ func Test_isfname() + set isfname& + endfunc + ++" Test for getting the value of 'pastetoggle' ++func Test_pastetoggle() ++ " character with K_SPECIAL byte ++ let &pastetoggle = '…' ++ call assert_equal('…', &pastetoggle) ++ call assert_equal("\n pastetoggle=…", execute('set pastetoggle?')) ++ ++ " modified character with K_SPECIAL byte ++ let &pastetoggle = '' ++ call assert_equal('', &pastetoggle) ++ call assert_equal("\n pastetoggle=", execute('set pastetoggle?')) ++ ++ " illegal bytes ++ let str = ":\x7f:\x80:\x90:\xd0:" ++ let &pastetoggle = str ++ call assert_equal(str, &pastetoggle) ++ call assert_equal("\n pastetoggle=" .. strtrans(str), execute('set pastetoggle?')) ++ unlet str ++endfunc ++ + func Test_wildchar() + " Empty 'wildchar' used to access invalid memory. + call assert_fails('set wildchar=', 'E521:') +-- +1.8.3.1 + diff --git a/backport-patch-9.0.0022-spell-test-fails.patch b/backport-patch-9.0.0022-spell-test-fails.patch new file mode 100644 index 0000000000000000000000000000000000000000..00ac68cfaf9571133cc2485a24e7f0557bc9bc23 --- /dev/null +++ b/backport-patch-9.0.0022-spell-test-fails.patch @@ -0,0 +1,32 @@ +From 95afae6d1760b2efcc4968dbd3784799d24e9fdf Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 22:44:19 +0100 +Subject: [PATCH] patch 9.0.0022: spell test fails + +Problem: Spell test fails. +Solution: Expect new error is given. +--- + src/testdir/test_spell_utf8.vim | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim +index efdecdc..42288dc 100644 +--- a/src/testdir/test_spell_utf8.vim ++++ b/src/testdir/test_spell_utf8.vim +@@ -779,7 +779,12 @@ func Test_no_crash_with_weird_text() + € + END + call setline(1, lines) +- exe "%norm \ez=>\wzG" ++ try ++ exe "%norm \ez=>\wzG" ++ catch /E1280:/ ++ let caught = 'yes' ++ endtry ++ call assert_equal('yes', caught) + + bwipe! + endfunc +-- +1.8.3.1 + diff --git a/vim.spec b/vim.spec index 6e22a2656642d8fb9e0da6f3f1ec19dcf2d2fcb0..c81dd642608580ef6f27bfd60a81d24e96fd5394 100644 --- a/vim.spec +++ b/vim.spec @@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 42 +Release: 43 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -134,6 +134,13 @@ Patch6100: backport-CVE-2022-2285.patch Patch6101: backport-CVE-2022-2304.patch Patch6102: backport-CVE-2022-2344.patch Patch6103: backport-CVE-2022-2345.patch +Patch6104: backport-CVE-2022-2264.patch +Patch6105: backport-patch-8.2.4867-listing-of-mapping-with-K_SPECIAL-is-.patch +Patch6106: backport-patch-8.2.4924-maparg-may-return-a-string-that-canno.patch +Patch6107: backport-CVE-2022-2257.patch +Patch6108: backport-CVE-2022-2286.patch +Patch6109: backport-CVE-2022-2287.patch +Patch6110: backport-patch-9.0.0022-spell-test-fails.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: remove-failed-tests-due-to-patch.patch @@ -536,6 +543,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Wed Jul 13 2022 shixuantong - 2:8.2-43 +- Type:CVE +- ID:CVE-2022-2264 CVE-2022-2257 CVE-2022-2286 CVE-2022-2287 +- SUG:NA +- DESC:fix CVE-2022-2264 CVE-2022-2257 CVE-2022-2286 CVE-2022-2287 + * Mon Jul 11 2022 shixuantong - 2:8.2-42 - Type:CVE - ID:CVE-2022-2000 CVE-2022-2042 CVE-2022-2284 CVE-2022-2285 CVE-2022-2304 CVE-2022-2344 CVE-2022-2345