From 04d1a0ec8119661219a43801ff2741061ebfbae9 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Sat, 13 Nov 2021 17:52:18 +0800
Subject: [PATCH] fix CVE-2021-3927 CVE-2021-3928
---
 backport-CVE-2021-3927.patch | 44 +++++++++++++++++++++++++++++++++
 backport-CVE-2021-3928.patch | 48 ++++++++++++++++++++++++++++++++++++
 vim.spec | 10 +++++++-
 3 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-3927.patch
 create mode 100644 backport-CVE-2021-3928.patch
diff --git a/backport-CVE-2021-3927.patch b/backport-CVE-2021-3927.patch
new file mode 100644
index 0000000..11fc0a9
--- /dev/null
+++ b/backport-CVE-2021-3927.patch
@@ -0,0 +1,44 @@
+From 0b5b06cb4777d1401fdf83e7d48d287662236e7e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 4 Nov 2021 15:10:11 +0000
+Subject: [PATCH] patch 8.2.3581: reading character past end of line
+
+Problem: Reading character past end of line.
+Solution: Correct the cursor column.
+---
+ src/ex_docmd.c | 1 +
+ src/testdir/test_put.vim | 9 +++++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index 12554fa..203174a 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -6906,6 +6906,7 @@ ex_put(exarg_T *eap)
+ eap->forceit = TRUE;
+ }
+ curwin->w_cursor.lnum = eap->line2;
++ check_cursor_col();
+ do_put(eap->regname, eap->forceit ? BACKWARD : FORWARD, 1L,
+ PUT_LINE|PUT_CURSLINE);
+ }
+diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
+index 225ebd1..f5037dc 100644
+--- a/src/testdir/test_put.vim
++++ b/src/testdir/test_put.vim
+@@ -113,3 +113,12 @@ func Test_put_p_indent_visual()
+ call assert_equal('select that text', getline(2))
+ bwipe!
+ endfunc
++
++func Test_put_above_first_line()
++ new
++ let @" = 'text'
++ silent! normal 0o00
++ 0put
++ call assert_equal('text', getline(1))
++ bwipe!
++endfunc
+--
+1.8.3.1
+
diff --git a/backport-CVE-2021-3928.patch b/backport-CVE-2021-3928.patch
new file mode 100644
index 0000000..5a96fda
--- /dev/null
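Review bot: The `check_cursor_col();` call added in ex_put() carries no comment saying why it is needed, so it reads like a redundant call that a later cleanup could drop. The line above assigns `curwin->w_cursor.lnum = eap->line2` directly, which presumably leaves the column from the previously current line in place before do_put() uses the cursor. I would put `// The cursor column may be past the end of line "eap->line2".` above the call. ex_put() starts outside the inner hunk, so where the stale column comes from is not visible here.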
+++ b/backport-CVE-2021-3928.patch
@@ -0,0 +1,48 @@
+From 15d9890eee53afc61eb0a03b878a19cb5672f732 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 4 Nov 2021 15:46:05 +0000
+Subject: [PATCH] patch 8.2.3582: reading uninitialized memory when giving
+ spell suggestions
+
+Problem: Reading uninitialized memory when giving spell suggestions.
+Solution: Check that preword is not empty.
+---
+ src/spellsuggest.c | 2 +-
+ src/testdir/test_spell.vim | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/spellsuggest.c b/src/spellsuggest.c
+index 9d6df79..8615d52 100644
+--- a/src/spellsuggest.c
++++ b/src/spellsuggest.c
+@@ -1600,7 +1600,7 @@ suggest_trie_walk(
+ // char, e.g., "thes," -> "these".
+ p = fword + sp->ts_fidx;
+ MB_PTR_BACK(fword, p);
+- if (!spell_iswordp(p, curwin))
++ if (!spell_iswordp(p, curwin) && *preword != NUL)
+ {
+ p = preword + STRLEN(preword);
+ MB_PTR_BACK(preword, p);
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index 79fb892..e435e91 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -498,6 +498,14 @@ func Test_spell_screendump()
+ call delete('XtestSpell')
+ endfunc
+
++func Test_spell_single_word()
++ new
++ silent! norm 0R00
++ spell! ß
++ silent 0norm 0r$ Dvz=
++ bwipe!
++endfunc
++
+ let g:test_data_aff1 = [
+ \"SET ISO8859-1",
+ \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
+--
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index 4753c8b..6476c2e 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 5
+Release: 6
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
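Review bot: Test_spell_single_word() in the test_spell.vim part has no assert_* call, so a regression would most likely show only as a crash or when the suite runs under valgrind or a sanitizer. A comment such as `" Used to read uninitialized memory; only detected by valgrind or ASan.` at the top of the function would make that explicit. In suggest_trie_walk() the new `*preword != NUL` condition guards the second `MB_PTR_BACK(preword, p)`, but the first `MB_PTR_BACK(fword, p)` after `p = fword + sp->ts_fidx` has the same shape and stays unguarded. Whether `sp->ts_fidx` can be 0 at this point is not visible in the hunk and is worth confirming against the full function, which starts and ends outside it.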
@@ -38,6 +38,8 @@ Patch6004: backport-CVE-2021-3796.patch
 Patch6005: backport-CVE-2021-3872.patch
 Patch6006: backport-CVE-2021-3875.patch
 Patch6007: backport-CVE-2021-3903.patch
+Patch6008: backport-CVE-2021-3927.patch
+Patch6009: backport-CVE-2021-3928.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -426,6 +428,12 @@ popd
 %{_mandir}/man1/evim.*
 %changelog
+* Sat Nov 13 2021 shixuantong - 2:8.2-6
+- Type:CVE
+- ID:CVE-2021-3927 CVE-2021-3927
+- SUG:NA
+- DESC:fix CVE-2021-3927 CVE-2021-3928
+
 * Sat Oct 30 2021 shixuantong - 2:8.2-5
 - Type:CVE
 - ID:CVE-2021-3903
--
Gitee
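Review bot: The new %changelog entry's ID line reads `- ID:CVE-2021-3927 CVE-2021-3927`, which names the same CVE twice and leaves out CVE-2021-3928, although Patch6009 and the DESC line both cover it. Anyone auditing the package by the changelog ID fields would conclude that CVE-2021-3928 is not addressed in 2:8.2-6. The line should be `- ID:CVE-2021-3927 CVE-2021-3928`.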