From afdc32037ec91f018977a8eef876b3600bf20138 Mon Sep 17 00:00:00 2001 From: dongyuzhen Date: Fri, 29 Jul 2022 11:56:00 +0800 Subject: [PATCH] fix CVE-2022-2522 --- ...warning-for-size_t-to-int-conversion.patch | 27 +++++++++++ backport-CVE-2022-2343.patch | 15 +++--- backport-CVE-2022-2522.patch | 46 +++++++++++++++++++ ...-autocmd-test-fails-on-a-slow-system.patch | 36 +++++++++++++++ vim.spec | 11 ++++- 5 files changed, 126 insertions(+), 9 deletions(-) create mode 100644 backport-9.0.0054-compiler-warning-for-size_t-to-int-conversion.patch create mode 100644 backport-CVE-2022-2522.patch create mode 100644 backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch diff --git a/backport-9.0.0054-compiler-warning-for-size_t-to-int-conversion.patch b/backport-9.0.0054-compiler-warning-for-size_t-to-int-conversion.patch new file mode 100644 index 0000000..7348500 --- /dev/null +++ b/backport-9.0.0054-compiler-warning-for-size_t-to-int-conversion.patch @@ -0,0 +1,27 @@ +From c7bd2f08e531f08723cdc677212a3633d11c9a97 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 15 Jul 2022 20:45:20 +0100 +Subject: [PATCH] patch 9.0.0054: compiler warning for size_t to int conversion + +Problem: Compiler warning for size_t to int conversion. +Solution: Add type cast. (Mike Williams, closes #10741) +--- + src/insexpand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/insexpand.c b/src/insexpand.c +index 1a64c57..b1114b5 100644 +--- a/src/insexpand.c ++++ b/src/insexpand.c +@@ -527,7 +527,7 @@ ins_compl_infercase_gettext( + if (ga_grow(&gap, IOSIZE) == FAIL) + return (char_u *)"[failed]"; + STRCPY(gap.ga_data, IObuff); +- gap.ga_len = STRLEN(IObuff); ++ gap.ga_len = (int)STRLEN(IObuff); + } + else if (has_mbyte) + p += (*mb_char2bytes)(wca[i++], p); +-- +2.27.0 + diff --git a/backport-CVE-2022-2343.patch b/backport-CVE-2022-2343.patch index ff6e162..8733fe4 100644 --- a/backport-CVE-2022-2343.patch +++ b/backport-CVE-2022-2343.patch 
@@ -5,15 +5,15 @@ Subject: [PATCH] patch 9.0.0045: reading past end of completion with a long line Problem: Reading past end of completion with a long line and 'infercase' -set. + set. Solution: Allocate the string if needed. --- - src/insexpand.c | 96 +++++++++++++++++++++++++++------------ - src/testdir/test_ins_complete.vim | 14 ++++++ - 2 files changed, 81 insertions(+), 29 deletions(-) + src/insexpand.c | 94 ++++++++++++++++++++++--------- + src/testdir/test_ins_complete.vim | 14 +++++ + 2 files changed, 80 insertions(+), 28 deletions(-) diff --git a/src/insexpand.c b/src/insexpand.c -index 3b4d530..e8ba82e 100644 +index 3b4d530..1a64c57 100644 --- a/src/insexpand.c +++ b/src/insexpand.c @@ -408,29 +408,32 @@ ins_compl_accept_char(int c) @@ -40,8 +40,7 @@ index 3b4d530..e8ba82e 100644 int was_letter = FALSE; + garray_T gap; -- IObuff[0] = NUL; -+ vim_memset(IObuff, NUL, IOSIZE * sizeof(char_u)); + IObuff[0] = NUL; // Allocate wide character array for the completion and fill it. - wca = ALLOC_MULT(int, actual_len); @@ -229,5 +228,5 @@ index b7cfd29..aa054f2 100644 + set noic noinfercase +endfunc -- -1.8.3.1 +2.27.0 diff --git a/backport-CVE-2022-2522.patch b/backport-CVE-2022-2522.patch new file mode 100644 index 0000000..dec7f48 --- /dev/null +++ b/backport-CVE-2022-2522.patch 
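Review bot: Dropping the `vim_memset(IObuff, NUL, IOSIZE * sizeof(char_u));` line in favour of upstream's `IObuff[0] = NUL;` removes the zero-fill that the earlier version of this backport relied on as its terminator guarantee, so backport-CVE-2022-2343.patch is now only safe when backport-CVE-2022-2522.patch is applied after it, and that dependency is stated nowhere in the series. The index change to `3b4d530..1a64c57` and the new backport-9.0.0054 cast patch appear to exist only so that the `(int)STRLEN(IObuff)` context line of the 2522 patch applies cleanly, which is worth recording as well. I would add to this patch's header a sentence such as `Note: the IObuff memset workaround of the previous revision is replaced by the NUL terminator added in backport-CVE-2022-2522.patch; the two patches must be applied together.` The function these hunks edit, ins_compl_infercase_gettext, lies outside the visible hunks.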
@@ -0,0 +1,46 @@ +From b9e717367c395490149495cf375911b5d9de889e Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 23 Jul 2022 06:53:08 +0100 +Subject: [PATCH] patch 9.0.0060: accessing uninitialized memory when + completing long line + +Problem: Accessing uninitialized memory when completing long line. +Solution: Terminate string with NUL. +--- + src/insexpand.c | 1 + + src/testdir/test_ins_complete.vim | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff --git a/src/insexpand.c b/src/insexpand.c +index b1114b5..88dbac6 100644 +--- a/src/insexpand.c ++++ b/src/insexpand.c +@@ -526,6 +526,7 @@ ins_compl_infercase_gettext( + // growarray. Add the character in the next round. + if (ga_grow(&gap, IOSIZE) == FAIL) + return (char_u *)"[failed]"; ++ *p = NUL; + STRCPY(gap.ga_data, IObuff); + gap.ga_len = (int)STRLEN(IObuff); + } +diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim +index aa054f2..5e7353c 100644 +--- a/src/testdir/test_ins_complete.vim ++++ b/src/testdir/test_ins_complete.vim +@@ -408,6 +408,13 @@ func Test_infercase_very_long_line() + exe "normal 2Go\\\" + call assert_equal(longLine, getline(3)) + ++ " check that the too long text is NUL terminated ++ %del ++ norm o ++ norm 1987ax ++ exec "norm ox\\" ++ call assert_equal(repeat('x', 1987), getline(3)) ++ + bwipe! + set noic noinfercase + endfunc +-- +2.27.0 + diff --git a/backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch b/backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch new file mode 100644 index 0000000..f525dd7 --- /dev/null +++ b/backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch 
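Review bot: The added `*p = NUL;` fixes the uninitialized read only if `p` still points inside IObuff when the terminator is written; the guard that enters this branch is outside the hunk, so that bound cannot be confirmed from the visible lines and should be checked against the full ins_compl_infercase_gettext in the package's src/insexpand.c before this is merged. A short why-comment at the site, `// IObuff is not yet terminated here; STRCPY would read past the text`, would make the intent visible to the next maintainer, since nothing in the surrounding lines says why a store precedes the copy. The context line `gap.ga_len = (int)STRLEN(IObuff);` shows this patch presupposes the 9.0.0054 cast, so the order Patch6124 before Patch6125 in vim.spec is required, and the added test in test_ins_complete.vim is the only regression check for the over-long case.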
@@ -0,0 +1,36 @@ +From 8fb1b47a5e24892b23c3923a07d8a850d99b14b2 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sun, 23 Feb 2020 16:16:26 +0100 +Subject: [PATCH] patch 8.2.0310: autocmd test fails on a slow system + +Problem: Autocmd test fails on a slow system. +Solution: Adjust the expectations. (James McCoy, closes #5685) +--- + src/testdir/test_autocmd.vim | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim +index 4fa3b51..0130c9b 100755 +--- a/src/testdir/test_autocmd.vim ++++ b/src/testdir/test_autocmd.vim +@@ -2251,12 +2251,14 @@ func Test_autocmd_SafeState() + call writefile(lines, 'XSafeState') + let buf = RunVimInTerminal('-S XSafeState', #{rows: 6}) + +- " Sometimes we loop to handle an K_IGNORE ++ " Sometimes we loop to handle a K_IGNORE, SafeState may be trigered once or ++ " more often. + call term_sendkeys(buf, ":echo g:safe\") +- call WaitForAssert({-> assert_match('^[12] ', term_getline(buf, 6))}, 1000) ++ call WaitForAssert({-> assert_match('^\d ', term_getline(buf, 6))}, 1000) + ++ " SafeStateAgain should be invoked at least three times + call term_sendkeys(buf, ":echo g:again\") +- call WaitForAssert({-> assert_match('^xxxx', term_getline(buf, 6))}, 1000) ++ call WaitForAssert({-> assert_match('^xxx', term_getline(buf, 6))}, 1000) + + call term_sendkeys(buf, ":let g:again = ''\:call CallTimer()\") + call term_wait(buf, 50) +-- +2.27.0 + diff --git a/vim.spec b/vim.spec index e48a495..da7886c 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 55 +Release: 56 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org 
@@ -157,6 +157,9 @@ Patch6120: backport-CVE-2022-2210.patch Patch6121: backport-CVE-2022-2289.patch Patch6122: backport-patch-8.2.3953-insert-completion-code-is-too-complic.patch Patch6123: backport-CVE-2022-2343.patch +Patch6124: backport-9.0.0054-compiler-warning-for-size_t-to-int-conversion.patch +Patch6125: backport-CVE-2022-2522.patch +Patch6126: backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -545,6 +548,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Fri Jul 29 2022 dongyuzhen - 2:8.2-56 +- Type:CVE +- ID:CVE-2022-2522 +- SUG:NA +- DESC:fix CVE-2022-2522 + * Fri Jul 22 2022 dongyuzhen - 2:8.2-55 - Type:bugfix - ID:NA -- Gitee
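Review bot: The changelog entry describes the release only as `fix CVE-2022-2522`, while the same update also adds Patch6124 (9.0.0054 size_t-to-int cast) and Patch6126 (8.2.0310 autocmd test expectations) and rewrites backport-CVE-2022-2343.patch, none of which is discoverable from the spec history. A DESC that names them, e.g. `- DESC:fix CVE-2022-2522; add prerequisite patch 9.0.0054 and rework CVE-2022-2343 backport; backport 8.2.0310 autocmd test fix`, keeps the package history auditable. The 8.2.0310 change is a test-only adjustment unrelated to the CVE and its motivation is not recorded anywhere in the commit; if it was needed to keep the test suite passing after the completion patches, say so. The Patch6124/6125 ordering itself is correct, since the 2522 patch's context line depends on the 0054 cast.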