From 93172196d0c34b33dbc474eae493e83991dc1c86 Mon Sep 17 00:00:00 2001 From: wangjiang Date: Wed, 14 Sep 2022 17:31:31 +0800 Subject: [PATCH] fix CVE-2022-3134 --- backport-CVE-2022-2946.patch | 2 +- backport-CVE-2022-3134.patch | 70 ++++++++++++++++++++++++++++++++++++ vim.spec | 9 ++++- 3 files changed, 79 insertions(+), 2 deletions(-) create mode 100644 backport-CVE-2022-3134.patch
diff --git a/backport-CVE-2022-2946.patch b/backport-CVE-2022-2946.patch
index 9d3f8f9..0811388 100644
--- a/backport-CVE-2022-2946.patch
+++ b/backport-CVE-2022-2946.patch
@@ -59,7 +59,7 @@ index 242aa3a..74ad3d1 100644
 + endfunc
 + set tagfunc=g:Tag0unc0
 + new
-+ cal assert_fails('tag 0', 'E426:')
++ cal assert_fails('tag 0', 'E1299:')
 +
 + delfunc g:Tag0unc0
 + set tagfunc=
diff --git a/backport-CVE-2022-3134.patch b/backport-CVE-2022-3134.patch
new file mode 100644
index 0000000..6ba9b63
--- /dev/null
+++ b/backport-CVE-2022-3134.patch
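Review bot: The expected error in the CVE-2022-2946 test changes from `E426:` to `E1299:`, but E1299 is only defined by the globals.h hunk of backport-CVE-2022-3134.patch, so the older backport's test now appears to pass only when Patch6128 is also applied. That coupling is not recorded anywhere visible; I would add a line next to the Patch6128 entry in vim.spec, e.g. `# Patch6128 adds E1299; the test in backport-CVE-2022-2946.patch expects it`. Editing the earlier backport in place also makes it differ from the upstream commit it was taken from, which is worth stating in the changelog entry. The enclosing test function starts and ends outside this hunk.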
@@ -0,0 +1,70 @@
+From ccfde4d028e891a41e3548323c3d47b06fb0b83e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 5 Sep 2022 19:51:13 +0100
+Subject: [PATCH] patch 9.0.0389: crash when 'tagfunc' closes the window
+
+Problem: Crash when 'tagfunc' closes the window.
+Solution: Bail out when the window was closed.
+
+---
+ src/globals.h | 3 +++
+ src/tag.c | 10 ++++++++++
+ src/testdir/test_tagfunc.vim | 12 ++++++++++++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/src/globals.h b/src/globals.h
+index 4d40de4..f8eabcf 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1761,3 +1761,6 @@ EXTERN char e_illegal_character_in_word[]
+ 
+ EXTERN char e_command_too_recursive[]
+ INIT(= N_("E169: Command too recursive"));
++
++EXTERN char e_window_unexpectedly_close_while_searching_for_tags[]
++ INIT(= N_("E1299: Window unexpectedly closed while searching for tags"));
+diff --git a/src/tag.c b/src/tag.c
+index aceb6e4..e49a4d4 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -570,6 +570,16 @@ do_tag(
+ max_num_matches = MAXCOL; // If less than max_num_matches
+ // found: all matches found.
+ 
++ // A tag function may do anything, which may cause various
++ // information to become invalid. At least check for the tagstack
++ // to still be the same.
++ if (tagstack != curwin->w_tagstack)
++ {
++ emsg(_(e_window_unexpectedly_close_while_searching_for_tags));
++ FreeWild(new_num_matches, new_matches);
++ break;
++ }
++
+ // If there already were some matches for the same name, move them
+ // to the start. Avoids that the order changes when using
+ // ":tnext" and jumping to another file.
+diff --git a/src/testdir/test_tagfunc.vim b/src/testdir/test_tagfunc.vim
+index 68f2a50..cd60afe 100644
+--- a/src/testdir/test_tagfunc.vim
++++ b/src/testdir/test_tagfunc.vim
+@@ -93,4 +93,16 @@ func Test_tagfunc_wipes_buffer()
+ set tagfunc=
+ endfunc
+ 
++func Test_tagfunc_closes_window()
++ split any
++ func MytagfuncClose(pat, flags, info)
++ close
++ return [{'name' : 'mytag', 'filename' : 'Xtest', 'cmd' : '1'}]
++ endfunc
++ set tagfunc=MytagfuncClose
++ call assert_fails('tag xyz', 'E1299:')
++
++ set tagfunc=
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.33.0
+
diff --git a/vim.spec b/vim.spec
index 39c0e72..7a5c320 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 55 +Release: 56 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org
@@ -158,6 +158,7 @@ Patch6124: backport-CVE-2022-2980.patch Patch6125: backport-patch-8.2.1677-memory-access-errors-when-calling-set.patch Patch6126: backport-CVE-2022-3016.patch Patch6127: backport-CVE-2022-3099.patch +Patch6128: backport-CVE-2022-3134.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: remove-failed-tests-due-to-patch.patch
@@ -560,6 +561,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Wed Sep 14 2022 wangjiang - 2:8.2-56 +- Type:CVE +- ID:CVE-2022-3134 +- SUG:NA +- DESC:fix CVE-2022-3134 + * Thu Sep 08 2022 renhongxun - 2:8.2-55 - Type:CVE - ID:CVE-2022-3099 -- Gitee
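Review bot: The guard added in the src/tag.c hunk of the new patch file recognises a closed window only by comparing the saved `tagstack` pointer with `curwin->w_tagstack`, and its own comment says "At least", so any other state a 'tagfunc' callback can invalidate is not rechecked at this point. The `break` leaves the loop while the rest of do_tag() lies outside the hunk, so it should be confirmed that nothing after the loop still reads or writes through the old `tagstack`, or stores an index taken from it into the new `curwin`. I would record that above the `break`, e.g. `// NOTE: tagstack may refer to a window that no longer exists; code after the loop must not use it`. The identifier `e_window_unexpectedly_close_while_searching_for_tags` says "close" where the message says "closed"; keeping the upstream spelling is reasonable for a backport, but a short comment at the declaration in globals.h would save a failed grep later.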