diff --git a/backport-CVE-2022-2580.patch b/backport-CVE-2022-2580.patch new file mode 100644 index 0000000000000000000000000000000000000000..06e36bd5468e3a457932d6e68562f0876376422f Binary files /dev/null and b/backport-CVE-2022-2580.patch differ diff --git a/backport-CVE-2022-2581.patch b/backport-CVE-2022-2581.patch new file mode 100644 index 0000000000000000000000000000000000000000..a6fe237409e4b1869b32cca36e11d7432db42964 --- /dev/null +++ b/backport-CVE-2022-2581.patch @@ -0,0 +1,65 @@ +From f50940531dd57135fe60aa393ac9d3281f352d88 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 29 Jul 2022 16:22:25 +0100 +Subject: [PATCH 002/123] patch 9.0.0105: illegal memory access when pattern + starts with illegal byte + +Problem: Illegal memory access when pattern starts with illegal byte. +Solution: Do not match a character with an illegal byte. +--- + src/regexp.c | 6 +++++- + src/testdir/test_regexp_utf8.vim | 15 +++++++++++++++ + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/src/regexp.c b/src/regexp.c +index 1a5cfd0..bec0464 100644 +--- a/src/regexp.c ++++ b/src/regexp.c +@@ -1641,7 +1641,11 @@ cstrchr(char_u *s, int c) + { + if (enc_utf8 && c > 0x80) + { +- if (utf_fold(utf_ptr2char(p)) == cc) ++ int uc = utf_ptr2char(p); ++ ++ // Do not match an illegal byte. E.g. 0xff matches 0xc3 0xbf, ++ // not 0xff. ++ if ((uc < 0x80 || uc != *p) && utf_fold(uc) == cc) + return p; + } + else if (*p == c || *p == cc) +diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim +index d88e263..e7672dd 100644 +--- a/src/testdir/test_regexp_utf8.vim ++++ b/src/testdir/test_regexp_utf8.vim +@@ -1,5 +1,7 @@ + " Tests for regexp in utf8 encoding + ++source shared.vim ++ + func s:equivalence_test() + let str = "AÀÁÂÃÄÅĀĂĄǍǞǠǺȂȦȺḀẠẢẤẦẨẪẬẮẰẲẴẶ BƁɃḂḄḆ CÇĆĈĊČƇȻḈꞒ DĎĐƊḊḌḎḐḒ EÈÉÊËĒĔĖĘĚȄȆȨɆḔḖḘḚḜẸẺẼẾỀỂỄỆ FƑḞꞘ GĜĞĠĢƓǤǦǴḠꞠ HĤĦȞḢḤḦḨḪⱧ IÌÍÎÏĨĪĬĮİƗǏȈȊḬḮỈỊ JĴɈ KĶƘǨḰḲḴⱩꝀ LĹĻĽĿŁȽḶḸḺḼⱠ MḾṀṂ NÑŃŅŇǸṄṆṈṊꞤ OÒÓÔÕÖØŌŎŐƟƠǑǪǬǾȌȎȪȬȮȰṌṎṐṒỌỎỐỒỔỖỘỚỜỞỠỢ PƤṔṖⱣ QɊ RŔŖŘȐȒɌṘṚṜṞⱤꞦ SŚŜŞŠȘṠṢṤṦṨⱾꞨ TŢŤŦƬƮȚȾṪṬṮṰ UÙÚÛÜŨŪŬŮŰƯǕǙǛǓǗȔȖɄṲṴṶṸṺỤỦỨỪỬỮỰ VƲṼṾ WŴẀẂẄẆẈ XẊẌ YÝŶŸƳȲɎẎỲỴỶỸ ZŹŻŽƵẐẒẔⱫ aàáâãäåāăąǎǟǡǻȃȧᶏḁẚạảấầẩẫậắằẳẵặⱥ bƀɓᵬᶀḃḅḇ cçćĉċčƈȼḉꞓꞔ dďđɗᵭᶁᶑḋḍḏḑḓ eèéêëēĕėęěȅȇȩɇᶒḕḗḙḛḝẹẻẽếềểễệ fƒᵮᶂḟꞙ gĝğġģǥǧǵɠᶃḡꞡ hĥħȟḣḥḧḩḫẖⱨꞕ iìíîïĩīĭįǐȉȋɨᶖḭḯỉị jĵǰɉ kķƙǩᶄḱḳḵⱪꝁ lĺļľŀłƚḷḹḻḽⱡ mᵯḿṁṃ nñńņňʼnǹᵰᶇṅṇṉṋꞥ oòóôõöøōŏőơǒǫǭǿȍȏȫȭȯȱɵṍṏṑṓọỏốồổỗộớờởỡợ pƥᵱᵽᶈṕṗ qɋʠ rŕŗřȑȓɍɽᵲᵳᶉṛṝṟꞧ sśŝşšșȿᵴᶊṡṣṥṧṩꞩ tţťŧƫƭțʈᵵṫṭṯṱẗⱦ uùúûüũūŭůűųǚǖưǔǘǜȕȗʉᵾᶙṳṵṷṹṻụủứừửữự vʋᶌṽṿ wŵẁẃẅẇẉẘ xẋẍ yýÿŷƴȳɏẏẙỳỵỷỹ zźżžƶᵶᶎẑẓẕⱬ" + let groups = split(str) +@@ -560,6 +562,19 @@ func Test_match_invalid_byte() + call delete('Xinvalid') + endfunc + ++func Test_match_illegal_byte() ++ let lines =<< trim END ++ silent! buffer ÿ\c ++ next ÿ ++ 0scriptnames ++ source ++ END ++ call writefile(lines, 'Xregexp') ++ call system(GetVimCommand() .. ' -X -Z -e -s -S Xregexp -c qa!') ++ ++ call delete('Xregexp') ++endfunc ++ + func Test_match_too_complicated() + set regexpengine=1 + exe "noswapfile vsplit \xeb\xdb\x99" +-- +1.8.3.1 + diff --git a/vim.spec b/vim.spec index b95e79d6978713fb344c58cc54706d2da0354569..a269076d3eb84ff7c97617bf81d5d9cd7fa3baf5 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 4 +Release: 5 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -44,6 +44,8 @@ Patch6013: backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.pa Patch6014: backport-CVE-2022-2522.patch Patch6015: backport-CVE-2022-2598.patch Patch6016: backport-CVE-2022-2571.patch +Patch6017: backport-CVE-2022-2580.patch +Patch6018: backport-CVE-2022-2581.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -437,6 +439,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Wed Aug 17 2022 wangjiang - 2:9.0-5 +- Type:bugfix +- ID:CVE-2022-2580 CVE-2022-2581 +- SUG:NA +- DESC:fix CVE-2022-2580 CVE-2022-2581 + * Wed Aug 10 2022 shixuantong - 2:9.0-4 - Type:bugfix - ID:NA