diff --git a/backport-CVE-2022-2946.patch b/backport-CVE-2022-2946.patch
index 9d3f8f9db8a1336e18e9a7f475678a9714cfbf8b..0811388c4f7c1f3c2cc78ae732dbcccc771ccb5c 100644
--- a/backport-CVE-2022-2946.patch
+++ b/backport-CVE-2022-2946.patch
@@ -59,7 +59,7 @@ index 242aa3a..74ad3d1 100644
 + endfunc
 + set tagfunc=g:Tag0unc0
 + new
-+ cal assert_fails('tag 0', 'E426:')
++ cal assert_fails('tag 0', 'E1299:')
 +
 + delfunc g:Tag0unc0
 + set tagfunc=
diff --git a/backport-CVE-2022-3134.patch b/backport-CVE-2022-3134.patch
new file mode 100644
index 0000000000000000000000000000000000000000..352fbff8b4d1b2f196518ed7910e84305faccab1
--- /dev/null
+++ b/backport-CVE-2022-3134.patch
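Review bot: The expectation changed here in the CVE-2022-2946 test now names `'E1299:'`, a message that is only defined by backport-CVE-2022-3134.patch, which this same commit adds as `Patch6146`. The older patch's test therefore passes only when the newer patch is also applied, so the 2946 backport can no longer be checked on its own, and dropping or reordering the 3134 patch would fail this test for a reason that is not obvious from either file. I would carry the `'E426:'` to `'E1299:'` change inside backport-CVE-2022-3134.patch instead, or at least record the dependency next to `Patch6146` in vim.spec. The test function this line belongs to starts above the hunk.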
@@ -0,0 +1,70 @@
+From ccfde4d028e891a41e3548323c3d47b06fb0b83e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 5 Sep 2022 19:51:13 +0100
+Subject: [PATCH] patch 9.0.0389: crash when 'tagfunc' closes the window
+
+Problem: Crash when 'tagfunc' closes the window.
+Solution: Bail out when the window was closed.
+
+---
+ src/globals.h | 3 +++
+ src/tag.c | 10 ++++++++++
+ src/testdir/test_tagfunc.vim | 12 ++++++++++++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/src/globals.h b/src/globals.h
+index 3067cfa..1ea3c14 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1764,3 +1764,6 @@ EXTERN char e_command_too_recursive[]
+
+ EXTERN char e_regexp_number_after_dot_pos_search[]
+ INIT(= N_("E1204: No Number allowed after .: '\\%%%c'"));
++
++EXTERN char e_window_unexpectedly_close_while_searching_for_tags[]
++ INIT(= N_("E1299: Window unexpectedly closed while searching for tags"));
+diff --git a/src/tag.c b/src/tag.c
+index aceb6e4..e49a4d4 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -570,6 +570,16 @@ do_tag(
+ max_num_matches = MAXCOL; // If less than max_num_matches
+ // found: all matches found.
+
++ // A tag function may do anything, which may cause various
++ // information to become invalid. At least check for the tagstack
++ // to still be the same.
++ if (tagstack != curwin->w_tagstack)
++ {
++ emsg(_(e_window_unexpectedly_close_while_searching_for_tags));
++ FreeWild(new_num_matches, new_matches);
++ break;
++ }
++
+ // If there already were some matches for the same name, move them
+ // to the start. Avoids that the order changes when using
+ // ":tnext" and jumping to another file.
+diff --git a/src/testdir/test_tagfunc.vim b/src/testdir/test_tagfunc.vim
+index 68f2a50..cd60afe 100644
+--- a/src/testdir/test_tagfunc.vim
++++ b/src/testdir/test_tagfunc.vim
+@@ -93,4 +93,16 @@ func Test_tagfunc_wipes_buffer()
+ set tagfunc=
+ endfunc
+
++func Test_tagfunc_closes_window()
++ split any
++ func MytagfuncClose(pat, flags, info)
++ close
++ return [{'name' : 'mytag', 'filename' : 'Xtest', 'cmd' : '1'}]
++ endfunc
++ set tagfunc=MytagfuncClose
++ call assert_fails('tag xyz', 'E1299:')
++
++ set tagfunc=
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.33.0
+
diff --git a/vim.spec b/vim.spec
index 24664264a99ffc1f7284a12d3a27dc4d92851343..d384f01207143c66eae50ef14820307a592b6360 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 64
+Release: 65
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -184,6 +184,7 @@ Patch6142: backport-patch-8.2.3110-a-pattern-that-matches-the-cursor-pos.pa
 Patch6143: backport-patch-8.2.4152-block-insert-with-double-wide-charact.patch
 Patch6144: backport-patch-8.2.0195-some-tests-fail-when-run-in-the-GUI.patch
 Patch6145: backport-CVE-2022-3099.patch
+Patch6146: backport-CVE-2022-3134.patch
 BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@@ -572,6 +573,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Tue Sep 13 2022 wangjiang - 2:8.2-65
+- Type:CVE
+- ID:CVE-2022-3134
+- SUG:NA
+- DESC:fix CVE-2022-3134
+
 * Thu Sep 08 2022 renhongxun - 2:8.2-64
 - Type:CVE
 - ID:CVE-2022-3099
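Review bot: The guard added to do_tag() in the src/tag.c part of backport-CVE-2022-3134.patch revalidates only one thing, `tagstack != curwin->w_tagstack`. Its own comment says this is the least that is checked, so any other state captured before the 'tagfunc' callback ran is still trusted. After the `break`, control continues in code outside this hunk, and it should be confirmed against the 8.2 tree being patched that nothing there dereferences `tagstack` or writes saved tag-stack state back into what is by then a different `curwin`. I would record that at the bail-out, for example `// tagstack may belong to a closed window here; do not use it after this break`. do_tag() starts before and ends after the lines shown, and the added test only covers a 'tagfunc' that runs `close`.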