From c24c79dd61e16638d516ebd2ec5c168d83e643b9 Mon Sep 17 00:00:00 2001
From: shangyibin
Date: Fri, 15 Jul 2022 11:43:48 +0800
Subject: [PATCH] fix CVE-2022-2289
---
 backport-CVE-2022-2289.patch | 65 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 ++++-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2289.patch
diff --git a/backport-CVE-2022-2289.patch b/backport-CVE-2022-2289.patch
new file mode 100644
index 0000000..e9ef81e
--- /dev/null
+++ b/backport-CVE-2022-2289.patch
@@ -0,0 +1,65 @@
+From c5274dd12224421f2430b30c53b881b9403d649e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sat, 2 Jul 2022 15:10:00 +0100
+Subject: [PATCH] patch 9.0.0026: accessing freed memory with diff put
+
+Problem: Accessing freed memory with diff put.
+Solution: Bail out when diff pointer is no longer valid.
+---
+ src/diff.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/src/diff.c b/src/diff.c
+index 8569a9f..d79dfee 100644
+--- a/src/diff.c
++++ b/src/diff.c
+@@ -2560,6 +2560,20 @@ nv_diffgetput(int put, long count)
+ ex_diffgetput(&ea);
+ }
+
++/*
++ * Return TRUE if "diff" appears in the list of diff blocks of the current tab.
++ */
++ static int
++valid_diff(diff_T *diff)
++{
++ diff_T *dp;
++
++ for (dp = curtab->tp_first_diff; dp != NULL; dp = dp->df_next)
++ if (dp == diff)
++ return TRUE;
++ return FALSE;
++}
++
+ /*
+ * ":diffget"
+ * ":diffput"
+@@ -2817,9 +2831,9 @@ ex_diffgetput(exarg_T *eap)
+ }
+ }
+
+- // Adjust marks. This will change the following entries!
+ if (added != 0)
+ {
++ // Adjust marks. This will change the following entries!
+ mark_adjust(lnum, lnum + count - 1, (long)MAXLNUM, (long)added);
+ if (curwin->w_cursor.lnum >= lnum)
+ {
+@@ -2841,7 +2855,13 @@ ex_diffgetput(exarg_T *eap)
+ #endif
+ vim_free(dfree);
+ }
+- else
++
++ // mark_adjust() may have made "dp" invalid. We don't know where
++ // to continue then, bail out.
++ if (added != 0 && !valid_diff(dp))
++ break;
++
++ if (dfree == NULL)
+ // mark_adjust() may have changed the count in a wrong way
+ dp->df_count[idx_to] = new_count;
+
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index ebaab85..0ebb754 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 44
+Release: 45
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
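Review bot: The new bail-out `if (added != 0 && !valid_diff(dp)) break;` in the third hunk of src/diff.c ends the loop silently, so when the requested range spans several diff blocks the remaining ones are left unprocessed and the user gets no indication that :diffget/:diffput stopped early. The added comment only says that the continuation point is unknown; I would extend it to name the visible consequence, e.g. `// Remaining blocks in the range are skipped; the command completes partially.` valid_diff() walks the whole curtab->tp_first_diff list on every iteration in which added != 0, which is quadratic in the number of diff blocks; that is acceptable for a safety check in a security backport, but a one-line comment on valid_diff() noting the cost would stop a later "optimisation" from removing it. ex_diffgetput() starts and ends outside these hunks, so whether dp is dereferenced between mark_adjust() and the new check cannot be confirmed from the patch alone and should be verified against the 8.2 tree this backport is applied to.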
@@ -142,6 +142,7 @@ Patch6108: backport-CVE-2022-2286.patch
 Patch6109: backport-CVE-2022-2287.patch
 Patch6110: backport-patch-9.0.0022-spell-test-fails.patch
 Patch6111: backport-CVE-2022-2210.patch
+Patch6112: backport-CVE-2022-2289.patch
 
 Patch9000: bugfix-rm-modify-info-version.patch
 Patch9001: remove-failed-tests-due-to-patch.patch
@@ -544,6 +545,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Fri Jul 15 2022 shangyibin - 2:8.2-45
+- Type:CVE
+- ID:CVE-2022-2289
+- SUG:NA
+- DESC:fix CVE-2022-2289
+
 * Wed Jul 13 2022 yanglongkang - 2:8.2-44
 - Type:CVE
 - ID:CVE-2022-2210
-- Gitee