From 9e50adea3869fa41438608813ffa2aec414c8d76 Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Fri, 23 Sep 2022 15:13:07 +0800
Subject: [PATCH] fix CVE-2022-3256

---
 backport-CVE-2022-3256.patch | 66 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 ++++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-3256.patch

diff --git a/backport-CVE-2022-3256.patch b/backport-CVE-2022-3256.patch
new file mode 100644
index 0000000..a072973
--- /dev/null
+++ b/backport-CVE-2022-3256.patch
@@ -0,0 +1,66 @@
+From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 21 Sep 2022 13:07:22 +0100
+Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark
+
+Problem: Using freed memory when autocmd changes mark.
+Solution: Copy the mark before editing another buffer.
+---
+ src/mark.c | 12 +++++++-----
+ src/testdir/test_marks.vim | 13 +++++++++++++
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/mark.c b/src/mark.c
+index ba24220..9f817c0 100644
+--- a/src/mark.c
++++ b/src/mark.c
+@@ -249,17 +249,19 @@ movemark(int count)
+ fname2fnum(jmp);
+ if (jmp->fmark.fnum != curbuf->b_fnum)
+ {
+- // jump to other file
+- if (buflist_findnr(jmp->fmark.fnum) == NULL)
++ // Make a copy, an autocommand may make "jmp" invalid.
++ fmark_T fmark = jmp->fmark;
++
++ // jump to the file with the mark
++ if (buflist_findnr(fmark.fnum) == NULL)
+ { // Skip this one ..
+ count += count < 0 ? -1 : 1;
+ continue;
+ }
+- if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
+- 0, FALSE) == FAIL)
++ if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
+ return (pos_T *)NULL;
+ // Set lnum again, autocommands my have changed it
+- curwin->w_cursor = jmp->fmark.mark;
++ curwin->w_cursor = fmark.mark;
+ pos = (pos_T *)-1;
+ }
+ else
+diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
+index 96a7766..47cdfb0 100644
+--- a/src/testdir/test_marks.vim
++++ b/src/testdir/test_marks.vim
+@@ -190,4 +190,17 @@ func Test_lockmarks_with_put()
+ bwipe!
+ endfunc
+
++" This was using freed memory
++func Test_jump_mark_autocmd()
++ next 00
++ edit 0
++ sargument
++ au BufEnter 0 all
++ sil norm 
++
++ au! BufEnter
++ bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 5de08b2..bfa24b5 100644
--- a/vim.spec
+++ b/vim.spec
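Review bot: The copied `fmark.mark` is assigned to `curwin->w_cursor` right after `buflist_getfile()` with no check against the buffer that is current afterwards, so a jumplist position that was valid in the old buffer can leave the cursor past the end of a buffer a BufEnter autocommand edited or replaced; presumably the caller clamps it, but that is not in this hunk, so confirm the 8.2 caller does or add `check_cursor();` after the assignment. The copy itself does close the use-after-free the CVE describes, since `jmp` is no longer dereferenced in the visible lines after the buffer switch; movemark() begins and ends outside the nested hunk. Separately, the regression test's `sil norm` line appears to have lost its control-character (Ctrl-O) argument in this rendering, and if the patch file on disk lost those bytes too, `Test_jump_mark_autocmd` performs no jump and passes vacuously under the spec's `make -j1 test`, so verify the byte-level content of the backport. The nested comment `// Set lnum again, autocommands my have changed it` carries an upstream typo (`may`) that is harmless but worth keeping in sync if the backport is refreshed.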
@@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 66 +Release: 67 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -187,6 +187,7 @@ Patch6145: backport-CVE-2022-3099.patch Patch6146: backport-CVE-2022-3134.patch Patch6147: backport-CVE-2022-3234.patch Patch6148: backport-CVE-2022-3235.patch +Patch6149: backport-CVE-2022-3256.patch BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file @@ -575,6 +576,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Fri Sep 23 2022 dongyuzhen - 2:8.2-67 +- Type:CVE +- ID:CVE-2022-3256 +- SUG:NA +- DESC:fix CVE-2022-3256 + * Tue Sep 20 2022 dongyuzhen - 2:8.2-66 - Type:CVE - ID:CVE-2022-3234 CVE-2022-3235 -- Gitee