diff --git a/backport-CVE-2023-0049.patch b/backport-CVE-2023-0049.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9aa4fc07cd7ffd4d25e2666b4603113f382722c1
--- /dev/null
+++ b/backport-CVE-2023-0049.patch
@@ -0,0 +1,44 @@
+From 7b17eb4b063a234376c1ec909ee293e42cff290c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 4 Jan 2023 14:31:49 +0000
+Subject: [PATCH] patch 9.0.1143: invalid memory access with bad 'statusline'
+ value
+
+Problem: Invalid memory access with bad 'statusline' value.
+Solution: Avoid going over the NUL at the end.
+---
+ src/buffer.c | 2 ++
+ src/testdir/test_statusline.vim | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 98568987894e..40168226160c 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -4576,6 +4576,8 @@ build_stl_str_hl(
+ #endif
+ if (vim_strchr(STL_ALL, *s) == NULL)
+ {
++ if (*s == NUL) // can happen with "%0"
++ break;
+ s++;
+ continue;
+ }
+diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
+index a829597655bf..23613bfed37b 100644
+--- a/src/testdir/test_statusline.vim
++++ b/src/testdir/test_statusline.vim
+@@ -436,6 +436,13 @@ func Test_statusline()
+ set splitbelow&
+ endfunc
+
++func Test_statusline_trailing_percent_zero()
++ " this was causing illegal memory access
++ set laststatus=2 stl=%!%0
++ call assert_fails('redraw', 'E15: Invalid expression: "%0"')
++ set laststatus& stl&
++endfunc
++
+ func Test_statusline_visual()
+ func CallWordcount()
+ call wordcount()
diff --git a/backport-CVE-2023-0051.patch b/backport-CVE-2023-0051.patch
new file mode 100644
index 0000000000000000000000000000000000000000..42893161c93a6b44251ed6d44a4fd9d27d0984d8
--- /dev/null
+++ b/backport-CVE-2023-0051.patch
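Review bot: The new `if (*s == NUL) break;` in build_stl_str_hl() only works because `vim_strchr()` returns NULL for the terminating NUL — a property stated in the strings.c header comment of backport-CVE-2023-0051.patch ("It also doesn't return a pointer to the NUL at the end of the string") but left implicit by the one-word comment here. Suggest widening it to `// vim_strchr() never matches the NUL, so a trailing "%0" lands here: stop before s++ skips past the end`. build_stl_str_hl() itself begins and ends outside the hunk. Minor: unlike the other two backports this patch file carries no `-- ` / git-version trailer, which suggests it was trimmed by hand; harmless for `patch`, but worth keeping the three files consistent.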
@@ -0,0 +1,98 @@
+From c32949b0779106ed5710ae3bffc5053e49083ab4 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 4 Jan 2023 15:56:51 +0000
+Subject: [PATCH] patch 9.0.1144: reading beyond text
+
+Problem: Reading beyond text.
+Solution: Add strlen_maxlen() and use it.
+---
+ src/message.c | 3 ++-
+ src/proto/strings.pro | 1 +
+ src/strings.c | 15 ++++++++++++++-
+ src/testdir/test_cmdline.vim | 11 +++++++++++
+ 4 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/src/message.c b/src/message.c
+index becb280..c53c44f 100644
+--- a/src/message.c
++++ b/src/message.c
+@@ -2806,7 +2806,8 @@ msg_puts_printf(char_u *str, int maxlen)
+ {
+ char_u *tofree = NULL;
+
+- if (maxlen > 0 && STRLEN(p) > (size_t)maxlen)
++ if (maxlen > 0 && vim_strlen_maxlen((char *)p, (size_t)maxlen)
++ >= (size_t)maxlen)
+ {
+ tofree = vim_strnsave(p, (size_t)maxlen);
+ p = tofree;
+diff --git a/src/proto/strings.pro b/src/proto/strings.pro
+index 778ec90..1bd4dcb 100644
+--- a/src/proto/strings.pro
++++ b/src/proto/strings.pro
+@@ -12,6 +12,7 @@ char_u *strlow_save(char_u *orig);
+ void del_trailing_spaces(char_u *ptr);
+ void vim_strncpy(char_u *to, char_u *from, size_t len);
+ void vim_strcat(char_u *to, char_u *from, size_t tosize);
++size_t vim_strlen_maxlen(char *s, size_t maxlen);
+ int vim_stricmp(char *s1, char *s2);
+ int vim_strnicmp(char *s1, char *s2, size_t len);
+ char_u *vim_strchr(char_u *string, int c);
+diff --git a/src/strings.c b/src/strings.c
+index 0313e74..df06c3f 100644
+--- a/src/strings.c
++++ b/src/strings.c
+@@ -525,6 +525,19 @@ vim_strcat(char_u *to, char_u *from, size_t tosize)
+ mch_memmove(to + tolen, from, fromlen + 1);
+ }
+
++/*
++ * A version of strlen() that has a maximum length.
++ */
++ size_t
++vim_strlen_maxlen(char *s, size_t maxlen)
++{
++ size_t i;
++ for (i = 0; i < maxlen; ++i)
++ if (s[i] == NUL)
++ break;
++ return i;
++}
++
+ #if (!defined(HAVE_STRCASECMP) && !defined(HAVE_STRICMP)) || defined(PROTO)
+ /*
+ * Compare two strings, ignoring case, using current locale.
+@@ -582,7 +595,7 @@ vim_strnicmp(char *s1, char *s2, size_t len)
+ * 128 to 255 correctly. It also doesn't return a pointer to the NUL at the
+ * end of the string.
+ */
+- char_u *
++ char_u *
+ vim_strchr(char_u *string, int c)
+ {
+ char_u *p;
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index ab3bfdf..083f63e 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -574,6 +574,17 @@ func Test_getcompletion()
+ call assert_fails('call getcompletion("abc", [])', 'E475:')
+ endfunc
+
++func Test_multibyte_expression()
++ " This was using uninitialized memory.
++ let lines =<< trim END
++ set verbose=6
++ norm @=ٷ
++ qall!
++ END
++ call writefile(lines, 'XmultiScript', 'D')
++ call RunVim('', '', '-u NONE -n -e -s -S XmultiScript')
++endfunc
++
+ " Test for getcompletion() with "fuzzy" in 'wildoptions'
+ func Test_getcompletion_wildoptions()
+ let save_wildoptions = &wildoptions
+--
+2.33.0
+
diff --git a/backport-CVE-2023-0054.patch b/backport-CVE-2023-0054.patch
new file mode 100644
index 0000000000000000000000000000000000000000..55b325db39ebded9dfabf2bd0210a88656794272
--- /dev/null
+++ b/backport-CVE-2023-0054.patch
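Review bot: Both new tests — `Test_multibyte_expression` here and `Test_recursive_expr_substitute` in backport-CVE-2023-0054.patch — pass the `'D'` flag to `writefile()`, and this package is a 9.0 base with individually backported 9.0.07xx patches; if the base tarball predates the patch that introduced that flag, the `%check` run of `make -j1 test` would fail on the unknown flag rather than on the CVE fix. Worth confirming against the base sources, or dropping the flag and ending each test with an explicit `call delete('XmultiScript')` (and `call delete('XexprSubst')`). Separately, the message.c change replaces `STRLEN(p) > (size_t)maxlen` with `vim_strlen_maxlen(...) >= (size_t)maxlen`, so text of exactly maxlen bytes now also takes the vim_strnsave() branch; that looks harmless, but a comment such as `// bounded scan: p need not be NUL-terminated within maxlen` above the condition would record why the comparison changed. msg_puts_printf() continues outside the hunk.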
@@ -0,0 +1,59 @@
+From 3ac1d97a1d9353490493d30088256360435f7731 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 4 Jan 2023 17:17:54 +0000
+Subject: [PATCH] patch 9.0.1145: invalid memory access with recursive
+ substitute expression
+
+Problem: Invalid memory access with recursive substitute expression.
+Solution: Check the return value of vim_regsub().
+---
+ src/eval.c | 5 +++++
+ src/testdir/test_substitute.vim | 16 ++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/src/eval.c b/src/eval.c
+index 2fbd867ab..9ca805061 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -6969,6 +6969,11 @@ do_string_sub(
+ * - The text after the match.
+ */
+ sublen = vim_regsub(®match, sub, expr, tail, 0, REGSUB_MAGIC);
++ if (sublen <= 0)
++ {
++ ga_clear(&ga);
++ break;
++ }
+ if (ga_grow(&ga, (int)((end - tail) + sublen -
+ (regmatch.endp[0] - regmatch.startp[0]))) == FAIL)
+ {
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 251322337..4268aab03 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -1095,6 +1095,22 @@ func Test_sub_expr_goto_other_file()
+ bwipe!
+ endfunc
+
++func Test_recursive_expr_substitute()
++ " this was reading invalid memory
++ let lines =<< trim END
++ func Repl(g, n)
++ s
++ r%:s000
++ endfunc
++ next 0
++ let caught = 0
++ s/\%')/\=Repl(0, 0)
++ qall!
++ END
++ call writefile(lines, 'XexprSubst', 'D')
++ call RunVim([], [], '--clean -S XexprSubst')
++endfunc
++
+ " Test for the 2-letter and 3-letter :substitute commands
+ func Test_substitute_short_cmd()
+ new
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 98d27a2f5213cb7e5e0e336dc63331b91c6e8863..5f10f2c494808d85e3ea7a25146eaa1036d1b921 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@ Name: vim
 Epoch: 2
 Version: 9.0
-Release: 5
+Release: 6
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
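Review bot: The eval.c context line reads `sublen = vim_regsub(®match, sub, expr, tail, 0, REGSUB_MAGIC);` — the upstream source has `&regmatch`, so if the stored patch file really contains the `®` character instead of this being an `&reg;` rendering artifact of the page, the context will not match and the hunk will be rejected at build time, leaving CVE-2023-0054 unfixed; a byte-level check of the committed file is worth doing. The added early exit `if (sublen <= 0) { ga_clear(&ga); break; }` relies on whatever do_string_sub() returns after the loop, which lies outside the hunk, so a comment like `// vim_regsub() failed (e.g. a recursive :s in the expression): abandon this substitution` would make the intent readable without chasing the function end. The new test also uses `writefile(..., 'D')`, the same base-version concern raised on backport-CVE-2023-0051.patch.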
@@ -81,6 +81,9 @@ Patch6051: backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.pa
 Patch6052: backport-CVE-2022-4292.patch
 Patch6053: backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch
 Patch6054: backport-CVE-2022-4293.patch
+Patch6055: backport-CVE-2023-0049.patch
+Patch6056: backport-CVE-2023-0051.patch
+Patch6057: backport-CVE-2023-0054.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -488,6 +491,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Mon Jan 09 2023 wangjiang - 2:9.0-6
+- Type:CVE
+- ID:CVE-2023-0049 CVE-2023-0051 CVE-2023-0054
+- SUG:NA
+- DESC:CVE-2023-0049 CVE-2023-0051 CVE-2023-0054
+
 * Mon Dec 12 2022 wangjiang - 2:9.0-5
 - Type:bugfix
 - ID:NA
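Review bot: Patch6055–Patch6057 are only declared in this hunk; whether they are applied depends on `%prep`, which is outside the visible diff — if it uses explicit `%patch` lines rather than `%autosetup`/`%autopatch`, the three CVE backports would be listed but never applied and the build would most likely still succeed, so the changelog claim of fixing CVE-2023-0049/0051/0054 should be verified by checking `%prep` (or the build log) rather than assumed. The added tests in two of the patches run under the `make -j1 test` line shown in the second hunk's context, so a test-suite regression from the backports would surface in `%check`; confirming that run is not disabled for this package is worth a glance. The changelog and Release bump need no further change.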