diff --git a/backport-CVE-2022-3352.patch b/backport-CVE-2022-3352.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3203c86021704568e5ffeabf807ec809f0e339b6
--- /dev/null
+++ b/backport-CVE-2022-3352.patch
@@ -0,0 +1,77 @@
+From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 28 Sep 2022 11:48:30 +0100
+Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
+
+Problem: SpellFileMissing autocmd may delete buffer.
+Solution: Disallow deleting the current buffer to avoid using freed memory.
+---
+ src/buffer.c | 6 +++++-
+ src/spell.c | 6 ++++++
+ src/testdir/test_autocmd.vim | 11 +++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index f66c234..b647d82 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -465,8 +465,12 @@ can_unload_buffer(buf_T *buf)
+ }
+ }
+ if (!can_unload)
++ {
++ char_u *fname = buf->b_fname != NULL ? buf->b_fname : buf->b_ffname;
++
+ semsg(_("E937: Attempt to delete a buffer that is in use: %s"),
+- buf->b_fname);
++ fname != NULL ? fname : (char_u *)"[No Name]");
++ }
+ return can_unload;
+ }
+
+diff --git a/src/spell.c b/src/spell.c
+index 1d7a1ae..e32dbe7 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -1539,6 +1539,10 @@ spell_load_lang(char_u *lang)
+ sl.sl_slang = NULL;
+ sl.sl_nobreak = FALSE;
+
++ // Disallow deleting the current buffer. Autocommands can do weird things
++ // and cause "lang" to be freed.
++ ++curbuf->b_locked;
++
+ // We may retry when no spell file is found for the language, an
+ // autocommand may load it then.
+ for (round = 1; round <= 2; ++round)
+@@ -1592,6 +1596,8 @@ spell_load_lang(char_u *lang)
+ STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
+ do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
+ }
++
++ --curbuf->b_locked;
+ }
+
+ /*
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 27ec80d..e7ffc37 100755
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -2343,3 +2343,14 @@ func Test_BufWrite_lockmarks()
+ call delete('Xtest')
+ call delete('Xtest2')
+ endfunc
++
++" this was wiping out the current buffer and using freed memory
++func Test_SpellFileMissing_bwipe()
++ next 0
++ au SpellFileMissing 0 bwipe
++ call assert_fails('set spell spelllang=0', 'E937:')
++
++ au! SpellFileMissing
++ bwipe
++endfunc
++
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index bfa24b58e0906da3884bd1d47ccc923f4c1645cc..355be4c6de0c7cbe91f80ed7d802d240122dbe72 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 67
+Release: 68
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -188,6 +188,7 @@ Patch6146: backport-CVE-2022-3134.patch
 Patch6147: backport-CVE-2022-3234.patch
 Patch6148: backport-CVE-2022-3235.patch
 Patch6149: backport-CVE-2022-3256.patch
+Patch6150: backport-CVE-2022-3352.patch
 
 BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@@ -576,6 +577,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Sat Oct 08 2022 dongyuzhen - 2:8.2-68
+- Type:CVE
+- ID:CVE-2022-3352
+- SUG:NA
+- DESC:fix CVE-2022-3352
+
 * Fri Sep 23 2022 dongyuzhen - 2:8.2-67
 - Type:CVE
 - ID:CVE-2022-3256
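Review bot: The `++curbuf->b_locked` added after `sl.sl_nobreak = FALSE;` and the `--curbuf->b_locked` added after the `do_in_runtimepath(fname_enc, DIP_ALL, ...)` block bracket the part of spell_load_lang() that lies between the two spell.c hunks, outside this view; any `return` on that stretch would leave the buffer locked for good, so every later `:bwipe`/`:bdelete` of it would fail with E937. The upstream hunk offsets (`-1539` / `-1592`) come from 9.0.0614 while this spec builds 8.2, so it is worth confirming in the 8.2 tree that the function still has a single exit and that the backport applies without fuzz. The E937 message in the buffer.c hunk now falls back to `[No Name]` when both b_fname and b_ffname are NULL, but Test_SpellFileMissing_bwipe opens a named buffer with `next 0` and only asserts the `E937:` prefix, so that fallback is not exercised by the added test.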