diff --git a/backport-CVE-2022-3491.patch b/backport-CVE-2022-3491.patch new file mode 100644 index 0000000000000000000000000000000000000000..dc7552b296bbc3f478d301e08ba62d3a81a89ac2 Binary files /dev/null and b/backport-CVE-2022-3491.patch differ diff --git a/backport-CVE-2022-3520.patch b/backport-CVE-2022-3520.patch new file mode 100644 index 0000000000000000000000000000000000000000..09ebe559aa5eb3f3134c8cbb07d2e701c2be9948 --- /dev/null +++ b/backport-CVE-2022-3520.patch @@ -0,0 +1,52 @@ +From 36343ae0fb7247e060abfd35fb8e4337b33abb4b Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 15 Oct 2022 19:04:05 +0100 +Subject: [PATCH] patch 9.0.0765: with a Visual block a put command column may + go negative + +Problem: With a Visual block a put command column may go negative. +Solution: Check that the column does not become negative. +--- + src/register.c | 2 ++ + src/testdir/test_visual.vim | 12 ++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/src/register.c b/src/register.c +index 30e2001..41089a0 100644 +--- a/src/register.c ++++ b/src/register.c +@@ -1945,6 +1945,8 @@ do_put( + // adjust '] mark + curbuf->b_op_end.lnum = curwin->w_cursor.lnum - 1; + curbuf->b_op_end.col = bd.textcol + totlen - 1; ++ if (curbuf->b_op_end.col < 0) ++ curbuf->b_op_end.col = 0; + curbuf->b_op_end.coladd = 0; + if (flags & PUT_CURSEND) + { +diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim +index e965266..956a3d7 100644 +--- a/src/testdir/test_visual.vim ++++ b/src/testdir/test_visual.vim +@@ -483,6 +483,18 @@ func Test_visual_block_put() + bw! + endfunc + ++func Test_visual_block_put_invalid() ++ enew! ++ behave mswin ++ norm yy ++ norm v)Ps/^/ ++ " this was causing the column to become negative ++ silent norm ggv)P ++ ++ bwipe! ++ behave xterm ++endfunc ++ + " Visual modes (v V CTRL-V) followed by an operator; count; repeating + func Test_visual_mode_op() + new +-- +2.27.0 + diff --git a/backport-CVE-2022-3591.patch b/backport-CVE-2022-3591.patch new file mode 100644 index 0000000000000000000000000000000000000000..a4d776ccddfa6dcbad621c4b52695e2d3d9b438c --- /dev/null +++ b/backport-CVE-2022-3591.patch @@ -0,0 +1,62 @@ +From 8f3c3c6cd044e3b5bf08dbfa3b3f04bb3f711bad Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Tue, 18 Oct 2022 17:05:54 +0100 +Subject: [PATCH] patch 9.0.0789: dummy buffer ends up in a window + +Problem: Dummy buffer ends up in a window. +Solution: Disallow navigating to a dummy buffer. +--- + src/buffer.c | 7 +++++++ + src/testdir/test_autocmd.vim | 20 ++++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/src/buffer.c b/src/buffer.c +index 0849b7099..5a4825feb 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -1332,6 +1332,13 @@ do_buffer_ext( + ) + return OK; + #endif ++ if ((action == DOBUF_GOTO || action == DOBUF_SPLIT) ++ && (buf->b_flags & BF_DUMMY)) ++ { ++ // disallow navigating to the dummy buffer ++ semsg(_(e_buffer_nr_does_not_exist), count); ++ return FAIL; ++ } + + #ifdef FEAT_GUI + need_mouse_correct = TRUE; +diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim +index 0706e7307..6ba1b02df 100644 +--- a/src/testdir/test_autocmd.vim ++++ b/src/testdir/test_autocmd.vim +@@ -3857,4 +3857,24 @@ func Test_autocmd_delete() + call assert_true(autocmd_delete([test_null_dict()])) + endfunc + ++func Test_autocmd_split_dummy() ++ " Autocommand trying to split a window containing a dummy buffer. ++ auto BufReadPre * exe "sbuf " .. expand("") ++ " Avoid the "W11" prompt ++ au FileChangedShell * let v:fcs_choice = 'reload' ++ func Xautocmd_changelist() ++ cal writefile(['Xtestfile2:4:4'], 'Xerr') ++ edit Xerr ++ lex 'Xtestfile2:4:4' ++ endfunc ++ call Xautocmd_changelist() ++ call assert_fails('call Xautocmd_changelist()', 'E86:') ++ ++ au! BufReadPre ++ au! FileChangedShell ++ delfunc Xautocmd_changelist ++ bwipe! Xerr ++ call delete('Xerr') ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.27.0 + diff --git a/backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch b/backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch new file mode 100644 index 0000000000000000000000000000000000000000..db97778fd6159b2f58897e85c8f013fe93682d2e --- /dev/null +++ b/backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch @@ -0,0 +1,29 @@ +From 53c5c9f50ca68d3ed559eebb2c5f7d23f39a768c Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Tue, 18 Oct 2022 17:25:03 +0100 +Subject: [PATCH] patch 9.0.0790: test for dummy buffer does not always produce + the E86 error + +Problem: Test for dummy buffer does not always produce the E86 error. +Solution: Do not check if the error is produced. +--- + src/testdir/test_autocmd.vim | 3 ++- + 1 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim +index 6ba1b02df..04f3e1431 100644 +--- a/src/testdir/test_autocmd.vim ++++ b/src/testdir/test_autocmd.vim +@@ -3868,7 +3868,8 @@ func Test_autocmd_split_dummy() + lex 'Xtestfile2:4:4' + endfunc + call Xautocmd_changelist() +- call assert_fails('call Xautocmd_changelist()', 'E86:') ++ " Should get E86, but it doesn't always happen (timing?) ++ silent! call Xautocmd_changelist() + + au! BufReadPre + au! FileChangedShell +-- +2.27.0 + diff --git a/vim.spec b/vim.spec index 144d513113f22148d992a940a50e6dc188863aa5..58ccc4ed045526da5020da0c37e30610031af8f5 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 3 +Release: 4 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -74,6 +74,10 @@ Patch6044: backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end- Patch6045: backport-CVE-2022-3324.patch Patch6046: backport-CVE-2022-3705.patch Patch6047: backport-CVE-2022-4141.patch +Patch6048: backport-CVE-2022-3491.patch +Patch6049: backport-CVE-2022-3520.patch +Patch6050: backport-CVE-2022-3591.patch +Patch6051: backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: vim-Add-sw64-architecture.patch @@ -474,6 +478,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Tue Dec 06 2022 wangjiang - 2:9.0-4 +- Type:CVE +- ID:CVE-2022-3491 CVE-2022-3520 CVE-2022-3591 +- SUG:NA +- DESC:fix CVE-2022-3491 CVE-2022-3520 CVE-2022-3591 + * Mon Nov 28 2022 wangjiang - 2:9.0-3 - Type:CVE - ID:CVE-2022-4141