From 52f51303fde1edecad2f0ec07936283fa887ecd4 Mon Sep 17 00:00:00 2001
From: qz_cx
Date: Tue, 6 Dec 2022 09:12:52 +0800
Subject: [PATCH] fix CVE-2022-3520
---
backport-CVE-2022-3520.patch | 53 ++++++++++++++++++++++++++++++++++++
vim.spec | 9 +++++-
2 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2022-3520.patch
diff --git a/backport-CVE-2022-3520.patch b/backport-CVE-2022-3520.patch
new file mode 100644
index 0000000..8d4fae3
--- /dev/null
+++ b/backport-CVE-2022-3520.patch
@@ -0,0 +1,53 @@
+From 0c0eb2ded47ffc2dc1f369065558bc74f8a6f50e Mon Sep 17 00:00:00 2001
+From: qz_cx
+Date: Mon, 5 Dec 2022 15:50:53 +0800
+Subject: [PATCH] patch 9.0.0765: with a Visual block a put command column may
+ go negative
+
+Problem: With a Visual block a put command column may go negative.
+Solution: Check that the column does not become negative.
+brammool committed on Oct 16
+---
+ src/register.c | 2 ++
+ src/testdir/test_visual.vim | 12 ++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/src/register.c b/src/register.c
+index 30e2001..41089a0 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -1945,6 +1945,8 @@ do_put(
+ // adjust '] mark
+ curbuf->b_op_end.lnum = curwin->w_cursor.lnum - 1;
+ curbuf->b_op_end.col = bd.textcol + totlen - 1;
++ if (curbuf->b_op_end.col < 0)
++ curbuf->b_op_end.col = 0;
+ curbuf->b_op_end.coladd = 0;
+ if (flags & PUT_CURSEND)
+ {
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index e965266..9c209f0 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -483,6 +483,18 @@ func Test_visual_block_put()
+ bw!
+ endfunc
+
++func Test_visual_block_put_invalid()
++ enew!
++ behave mswin
++ norm yy
++ norm v)Ps/^/
++ " this was causing the column to become negative
++ silent norm ggv)P
++
++ bwipe!
++ behave xterm
++endfunc
++
+ " Visual modes (v V CTRL-V) followed by an operator; count; repeating
+ func Test_visual_mode_op()
+ new
+--
+2.33.0
+
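Review bot: The embedded patch header carries no upstream commit reference. Its `From:` and `Date:` lines name the packager and 5 Dec 2022, so the `From` hash is presumably a local commit as well, and the only trace of the origin is the patch number 9.0.0765 in the subject plus the pasted line `brammool committed on Oct 16`. For a CVE backport this makes it hard to confirm that the two inner hunks match upstream; I would add a line such as `Reference: <upstream commit URL for patch 9.0.0765>` to the description and drop the pasted web text. On the code itself, the clamp added in the `src/register.c` hunk covers only `curbuf->b_op_end.col`. `do_put` starts and ends outside the hunk, so this page does not show whether `bd.textcol + totlen - 1` feeds any other column there.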
diff --git a/vim.spec b/vim.spec index f5abbfb..e54a5eb 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 21 +Release: 22 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -75,6 +75,7 @@ Patch6044: backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end- Patch6045: backport-CVE-2022-3324.patch Patch6046: backport-CVE-2022-3705.patch Patch6047: backport-CVE-2022-4141.patch +Patch6048: backport-CVE-2022-3520.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -474,6 +475,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Mon Dec 05 2022 qz_cx - 2:9.0-22 +- Type:CVE +- ID:NA +- SUG:NA +- DESC: fix CVE-2022-3520 + * Tue Nov 29 2022 wangjiang - 2:9.0-21 - Type:CVE - ID:CVE-2022-4141 -- Gitee