From eef1a6b9e5ce24a6118c37cd5e797135367433e3 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Tue, 2 Aug 2022 10:50:05 +0800
Subject: [PATCH] fix CVE-2022-2598 CVE-2022-2571
(cherry picked from commit c35d8e69ae40b4e76d0d0c013d41886a74f3cbf5)
---
 backport-CVE-2022-2571.patch | 47 +++++++++++++++++++++++++
 backport-CVE-2022-2598.patch | 67 ++++++++++++++++++++++++++++++++++++
 vim.spec | 10 +++++-
 3 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2571.patch
 create mode 100644 backport-CVE-2022-2598.patch
diff --git a/backport-CVE-2022-2571.patch b/backport-CVE-2022-2571.patch
new file mode 100644
index 0000000..ddd9380
--- /dev/null
+++ b/backport-CVE-2022-2571.patch
@@ -0,0 +1,47 @@
+From a6f9e300161f4cb54713da22f65b261595e8e614 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 28 Jul 2022 21:51:37 +0100
+Subject: [PATCH] patch 9.0.0102: reading past end of line with insert mode
+ completion
+
+Problem: Reading past end of line with insert mode completion.
+Solution: Check text length.
+---
+ src/insexpand.c | 2 +-
+ src/testdir/test_ins_complete.vim | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/insexpand.c b/src/insexpand.c
+index 7339ce9..fc3eff0 100644
+--- a/src/insexpand.c
++++ b/src/insexpand.c
+@@ -3501,7 +3501,7 @@ ins_comp_get_next_word_or_line(
+ {
+ char_u *tmp_ptr = ptr;
+ 
+- if (compl_status_adding())
++ if (compl_status_adding() && compl_length <= (int)STRLEN(tmp_ptr))
+ {
+ tmp_ptr += compl_length;
+ // Skip if already inside a word.
+diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
+index 35c5785..2b0a294 100644
+--- a/src/testdir/test_ins_complete.vim
++++ b/src/testdir/test_ins_complete.vim
+@@ -2142,5 +2142,13 @@ func Test_ins_complete_add()
+ bwipe!
+ endfunc
+ 
++func Test_ins_complete_end_of_line()
++ " this was reading past the end of the line
++ new
++ norm 8o€ý  
++ sil! norm o
++
++ bwipe!
++endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+
diff --git a/backport-CVE-2022-2598.patch b/backport-CVE-2022-2598.patch
new file mode 100644
index 0000000..7f13c2b
--- /dev/null
+++ b/backport-CVE-2022-2598.patch
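Review bot: The new guard `compl_length <= (int)STRLEN(tmp_ptr)` in ins_comp_get_next_word_or_line() only bounds the upper side: compl_length is a plain int compared through a narrowing cast, so if it can ever be negative here (not visible in the hunk) the check still passes and `tmp_ptr += compl_length` steps before the start of the line. I would add `compl_length >= 0 &&` to the condition if that state is reachable, and in any case a why-comment such as `// compl_length can exceed the text left on this line; stepping past the NUL reads out of bounds, so fall through to the normal path instead`, since skipping the whole "adding" branch is otherwise a surprising side effect of a bounds check. Note also that the regression test line `norm 8o€ý  ` depends on its non-ASCII bytes and trailing spaces, so the backport must be stored and applied without whitespace stripping or re-encoding or the test stops exercising the bug. ins_comp_get_next_word_or_line() starts and ends outside the hunk.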
@@ -0,0 +1,67 @@
+From 4e677b9c40ccbc5f090971b31dc2fe07bf05541d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 28 Jul 2022 18:44:27 +0100
+Subject: [PATCH] patch 9.0.0101: invalid memory access in diff mode with "dp"
+ and undo
+
+Problem: Invalid memory access in diff mode with "dp" and undo.
+Solution: Make sure the line number does not go below one.
+---
+ src/diff.c | 9 ++++++---
+ src/testdir/test_diffmode.vim | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/diff.c b/src/diff.c
+index e4bafe2..fb43eee 100644
+--- a/src/diff.c
++++ b/src/diff.c
+@@ -464,7 +464,10 @@ diff_mark_adjust_tp(
+ for (i = 0; i < DB_COUNT; ++i)
+ if (tp->tp_diffbuf[i] != NULL && i != idx)
+ {
+- dp->df_lnum[i] -= off;
++ if (dp->df_lnum[i] > off)
++ dp->df_lnum[i] -= off;
++ else
++ dp->df_lnum[i] = 1;
+ dp->df_count[i] += n;
+ }
+ }
+@@ -2863,8 +2866,8 @@ ex_diffgetput(exarg_T *eap)
+ {
+ // remember deleting the last line of the buffer
+ buf_empty = curbuf->b_ml.ml_line_count == 1;
+- ml_delete(lnum);
+- --added;
++ if (ml_delete(lnum) == OK)
++ --added;
+ }
+ for (i = 0; i < dp->df_count[idx_from] - start_skip - end_skip; ++i)
+ {
+diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
+index dcacd55..41f7fe3 100644
+--- a/src/testdir/test_diffmode.vim
++++ b/src/testdir/test_diffmode.vim
+@@ -1628,5 +1628,19 @@ func Test_diff_manipulations()
+ %bwipe!
+ endfunc
+ 
++" This was causing the line number in the diff block to go below one.
++" FIXME: somehow this causes a valgrind error when run directly but not when
++" run as a test.
++func Test_diff_put_and_undo()
++ set diff
++ next 0
++ split 00
++ sil! norm o0gguudpo0ggJuudp
++
++ bwipe!
++ bwipe!
++ set nodiff
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index 60bf542..b38b279 100644
--- a/vim.spec
+++ b/vim.spec
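Review bot: In ex_diffgetput() the new `if (ml_delete(lnum) == OK) --added;` leaves `buf_empty` set even when the deletion fails, because `buf_empty = curbuf->b_ml.ml_line_count == 1;` is still evaluated on the line before; if the code after the hunk uses buf_empty to compensate for a removed last line (the comment suggests it does, but that code is outside the hunk), a failed ml_delete() would then act on a line that was never removed. Either move the assignment inside the success branch or document why a stale value is harmless, e.g. `// buf_empty is only meaningful when the delete succeeded`. In diff_mark_adjust_tp(), clamping `dp->df_lnum[i]` to 1 while still applying `dp->df_count[i] += n` keeps the block inside the buffer but is a safety clamp rather than an exact adjustment, which deserves a one-line comment so nobody later "fixes" it back to the plain subtraction. The added test carries an upstream FIXME that valgrind still reports an error when it is run directly, so this backport should be tracked as a mitigation for CVE-2022-2598 and any upstream follow-up checked for and added. Both functions start and end outside the hunk.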
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 2
+Release: 3
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -42,6 +42,8 @@ Patch6011: backport-CVE-2022-2344.patch
 Patch6012: backport-CVE-2022-2345.patch
 Patch6013: backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.patch
 Patch6014: backport-CVE-2022-2522.patch
+Patch6015: backport-CVE-2022-2598.patch
+Patch6016: backport-CVE-2022-2571.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -434,6 +436,12 @@ popd
 %{_mandir}/man1/evim.*
 %changelog
+* Tue Aug 02 2022 shixuantong - 2:9.0-3
+- Type:CVE
+- ID:CVE-2022-2598 CVE-2022-2571
+- SUG:NA
+- DESC:fix CVE-2022-2598 CVE-2022-2571
+
 * Sat Jul 30 2022 shixuantong - 2:9.0-2
 - Type:CVE
 - ID:CVE-2022-2257 CVE-2022-2264 CVE-2022-2284 CVE-2022-2285 CVE-2022-2286 CVE-2022-2287 CVE-2022-2288 CVE-2022-2289 CVE-2022-2304 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345 CVE-2022-2522
-- 
Gitee