From c9ded5fb74aecf1e1fd6b84c3a7c002145db86b0 Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Tue, 20 Sep 2022 16:42:15 +0800
Subject: [PATCH] fix CVE-2022-3234,CVE-2022-3235
---
 backport-CVE-2022-3234.patch | 78 ++++++++++++++++++++++++++++++++++++
 backport-CVE-2022-3235.patch | 73 +++++++++++++++++++++++++++++++++
 vim.spec | 10 ++++-
 3 files changed, 160 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-3234.patch
 create mode 100644 backport-CVE-2022-3235.patch
diff --git a/backport-CVE-2022-3234.patch b/backport-CVE-2022-3234.patch
new file mode 100644
index 0000000..9dc9dc0
--- /dev/null
+++ b/backport-CVE-2022-3234.patch
@@ -0,0 +1,78 @@ +From c249913edc35c0e666d783bfc21595cf9f7d9e0d Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 16 Sep 2022 22:16:59 +0100 +Subject: [PATCH] patch 9.0.0483: illegal memory access when replacing in + virtualedit mode + +Problem: Illegal memory access when replacing in virtualedit mode. +Solution: Check for replacing NUL after Tab. +--- + src/ops.c | 12 ++++++++++-- + src/testdir/test_virtualedit.vim | 14 ++++++++++++++ + 2 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/ops.c b/src/ops.c +index 9926c00..b4185c7 100644 +--- a/src/ops.c ++++ b/src/ops.c +@@ -1183,6 +1183,8 @@ op_replace(oparg_T *oap, int c) + + while (LTOREQ_POS(curwin->w_cursor, oap->end)) + { ++ int done = FALSE; ++ + n = gchar_cursor(); + if (n != NUL) + { +@@ -1193,6 +1195,7 @@ op_replace(oparg_T *oap, int c) + if (curwin->w_cursor.lnum == oap->end.lnum) + oap->end.col += (*mb_char2len)(c) - (*mb_char2len)(n); + replace_character(c); ++ done = TRUE; + } + else + { +@@ -1211,10 +1214,15 @@ op_replace(oparg_T *oap, int c) + if (curwin->w_cursor.lnum == oap->end.lnum) + getvpos(&oap->end, end_vcol); + } +- PBYTE(curwin->w_cursor, c); ++ // with "coladd" set may move to just after a TAB ++ if (gchar_cursor() != NUL) ++ { ++ PBYTE(curwin->w_cursor, c); ++ done = TRUE; ++ } + } + } +- else if (virtual_op && curwin->w_cursor.lnum == oap->end.lnum) ++ if (!done && virtual_op && curwin->w_cursor.lnum == oap->end.lnum) + { + int virtcols = oap->end.coladd; + +diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim +index 25ca33f..451a996 100644 +--- a/src/testdir/test_virtualedit.vim ++++ b/src/testdir/test_virtualedit.vim +@@ -343,4 +343,18 @@ func Test_yank_paste_small_del_reg() + set virtualedit= + endfunc + ++" this was replacing the NUL at the end of the line ++func Test_virtualedit_replace_after_tab() ++ new ++ s/\v/ 0 ++ set ve=all ++ let @" = '' ++ sil! norm vPvr0 ++ ++ call assert_equal("\t0", getline(1)) ++ set ve& ++ bwipe! 
++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.27.0 + diff --git a/backport-CVE-2022-3235.patch b/backport-CVE-2022-3235.patch new file mode 100644 index 0000000..79995ae --- /dev/null +++ b/backport-CVE-2022-3235.patch 
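Review bot: The embedded ops.c hunks carry upstream 9.0 line numbers (`@@ -1183,6 +1183,8 @@`, `@@ -1193,6 +1195,7 @@`, `@@ -1211,10 +1214,15 @@`) while the spec builds `Version: 8.2`, so the backport applies only by offset or fuzz, and nothing in this commit records that the context was re-verified against the 8.2 sources; the same applies to the ex_getln.c hunks in backport-CVE-2022-3235.patch. The fix replaces the unconditional `PBYTE(curwin->w_cursor, c);` with a `gchar_cursor() != NUL` guard plus a `done` flag so the `virtual_op` branch still runs when the cursor has moved past a Tab, but the op_replace loop body extends outside the hunks, so how a `done` that stays FALSE is handled afterwards cannot be checked here. The backported `Test_virtualedit_replace_after_tab` is the regression check for this fix, so it should not be among the tests dropped by `remove-failed-tests-due-to-patch.patch` when `make -j1 test` runs.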
@@ -0,0 +1,73 @@ +From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 17 Sep 2022 19:43:23 +0100 +Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter + autocmd + +Problem: Using freed memory with cmdwin and BufEnter autocmd. +Solution: Make sure pointer to b_p_iminsert is still valid. +--- + src/ex_getln.c | 6 +++++- + src/testdir/test_cmdline.vim | 10 ++++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/src/ex_getln.c b/src/ex_getln.c +index 8383eee..b299bd0 100644 +--- a/src/ex_getln.c ++++ b/src/ex_getln.c +@@ -817,6 +817,7 @@ getcmdline_int( + #endif + expand_T xpc; + long *b_im_ptr = NULL; ++ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid + cmdline_info_T save_ccline; + int did_save_ccline = FALSE; + int cmdline_type; +@@ -938,6 +939,7 @@ getcmdline_int( + b_im_ptr = &curbuf->b_p_iminsert; + else + b_im_ptr = &curbuf->b_p_imsearch; ++ b_im_ptr_buf = curbuf; + if (*b_im_ptr == B_IMODE_LMAP) + State |= LANGMAP; + #ifdef HAVE_INPUT_METHOD +@@ -1666,6 +1668,7 @@ getcmdline_int( + goto cmdline_not_changed; + + case Ctrl_HAT: ++ b_im_ptr = buf_valid(b_im_ptr_buf) ? b_im_ptr : NULL; + if (map_to_exists_mode((char_u *)"", LANGMAP, FALSE)) + { + // ":lmap" mappings exists, toggle use of mappings. 
+@@ -2430,7 +2433,8 @@ returncmd: + + State = save_State; + #ifdef HAVE_INPUT_METHOD +- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP) ++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf) ++ && *b_im_ptr != B_IMODE_LMAP) + im_save_status(b_im_ptr); + im_set_active(FALSE); + #endif +diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim +index 33808d7..aceaba7 100644 +--- a/src/testdir/test_cmdline.vim ++++ b/src/testdir/test_cmdline.vim +@@ -943,4 +943,14 @@ func Test_cmdwin_virtual_edit() + set ve= cpo-=$ + endfunc + ++" This was using a pointer to a freed buffer ++func Test_cmdwin_freed_buffer_ptr() ++ au BufEnter * next 0| file ++ edit 0 ++ silent! norm q/ ++ ++ au! BufEnter ++ bwipe! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.33.0 + diff --git a/vim.spec b/vim.spec index 7a5c320..8703e91 100644 --- a/vim.spec +++ b/vim.spec @@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 56 +Release: 57 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -159,6 +159,8 @@ Patch6125: backport-patch-8.2.1677-memory-access-errors-when-calling-set.pa Patch6126: backport-CVE-2022-3016.patch Patch6127: backport-CVE-2022-3099.patch Patch6128: backport-CVE-2022-3134.patch +Patch6129: backport-CVE-2022-3234.patch +Patch6130: backport-CVE-2022-3235.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: remove-failed-tests-due-to-patch.patch @@ -561,6 +563,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Tue Sep 20 2022 dongyuzhen - 2:8.2-57 +- Type:CVE +- ID:CVE-2022-3234 CVE-2022-3235 +- SUG:NA +- DESC:fix CVE-2022-3234 CVE-2022-3235 + * Wed Sep 14 2022 wangjiang - 2:8.2-56 - Type:CVE - ID:CVE-2022-3134 -- Gitee
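Review bot: `buf_valid(b_im_ptr_buf)` only establishes that a buffer at that address is still on the buffer list, so if the original buffer was freed and a new `buf_T` were later allocated at the same address, the stale `b_im_ptr` would point into the new buffer's option field; that keeps the access in bounds but could save or toggle the wrong buffer's setting. A short comment at the `Ctrl_HAT` assignment would make the intent explicit, e.g. `// the buffer may have been wiped by a BufEnter autocmd; drop the pointer instead of dereferencing it`. The `b_im_ptr != NULL` guard is visible only in the `returncmd:` hunk; the code that follows the `Ctrl_HAT` assignment is outside the hunk, so whether every later use of `b_im_ptr` is NULL-checked cannot be confirmed here. `getcmdline_int` begins and ends outside these hunks.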
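Review bot: The `@@ -159,6 +159,8 @@` hunk adds only the `Patch6129:` and `Patch6130:` declarations; if `%prep` applies patches with individual `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, the two backports are declared but never applied, and since `%prep` is not part of this diff that cannot be confirmed here. The `Release: 57` bump and the `%changelog` entry are consistent with each other.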