diff --git a/backport-CVE-2023-1264.patch b/backport-CVE-2023-1264.patch
new file mode 100644
index 0000000000000000000000000000000000000000..824383a9fd9cf69613da635d5df5790222de1081
--- /dev/null
+++ b/backport-CVE-2023-1264.patch
@@ -0,0 +1,137 @@
+From 7ac5023a5f1a37baafbe1043645f97ba3443d9f6 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 7 Mar 2023 21:05:04 +0000
+Subject: [PATCH] patch 9.0.1392: using NULL pointer with nested :open command
+
+Problem: Using NULL pointer with nested :open command.
+Solution: Check that ccline.cmdbuff is not NULL.
+---
+ src/getchar.c | 17 ++++++++++-------
+ src/testdir/term_util.vim | 5 +++++
+ src/testdir/test_ex_mode.vim | 22 ++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 7 deletions(-)
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 6645be8a0ebd..dac57eb26c61 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -3019,7 +3019,7 @@ check_end_reg_executing(int advance)
+ static int
+ vgetorpeek(int advance)
+ {
+- int c, c1;
++ int c;
+ int timedout = FALSE; // waited for more than 1 second
+ // for mapping to complete
+ int mapdepth = 0; // check for recursive mapping
+@@ -3386,7 +3386,7 @@ vgetorpeek(int advance)
+ #ifdef FEAT_CMDL_INFO
+ showcmd_idx = 0;
+ #endif
+- c1 = 0;
++ int showing_partial = FALSE;
+ if (typebuf.tb_len > 0 && advance && !exmode_active)
+ {
+ if (((State & (MODE_NORMAL | MODE_INSERT))
+@@ -3401,7 +3401,7 @@ vgetorpeek(int advance)
+ edit_putchar(typebuf.tb_buf[typebuf.tb_off
+ + typebuf.tb_len - 1], FALSE);
+ setcursor(); // put cursor back where it belongs
+- c1 = 1;
++ showing_partial = TRUE;
+ }
+ #ifdef FEAT_CMDL_INFO
+ // need to use the col and row from above here
+@@ -3420,8 +3420,10 @@ vgetorpeek(int advance)
+ #endif
+ }
+
+- // this looks nice when typing a dead character map
++ // This looks nice when typing a dead character map.
++ // There is no actual command line for get_number().
+ if ((State & MODE_CMDLINE)
++ && get_cmdline_info()->cmdbuff != NULL
+ #if defined(FEAT_CRYPT) || defined(FEAT_EVAL)
+ && cmdline_star == 0
+ #endif
+@@ -3430,7 +3432,7 @@ vgetorpeek(int advance)
+ {
+ putcmdline(typebuf.tb_buf[typebuf.tb_off
+ + typebuf.tb_len - 1], FALSE);
+- c1 = 1;
++ showing_partial = TRUE;
+ }
+ }
+
+@@ -3466,11 +3468,12 @@ vgetorpeek(int advance)
+ if (showcmd_idx != 0)
+ pop_showcmd();
+ #endif
+- if (c1 == 1)
++ if (showing_partial)
+ {
+ if (State & MODE_INSERT)
+ edit_unputchar();
+- if (State & MODE_CMDLINE)
++ if ((State & MODE_CMDLINE)
++ && get_cmdline_info()->cmdbuff != NULL)
+ unputcmdline();
+ else
+ setcursor(); // put cursor back where it belongs
+diff --git a/src/testdir/term_util.vim b/src/testdir/term_util.vim
+index 0f0373184505..88e2b33d083b 100644
+--- a/src/testdir/term_util.vim
++++ b/src/testdir/term_util.vim
+@@ -55,6 +55,7 @@ endfunc
+ " "cols" - width of the terminal window (max. 78)
+ " "statusoff" - number of lines the status is offset from default
+ " "wait_for_ruler" - if zero then don't wait for ruler to show
++" "no_clean" - if non-zero then remove "--clean" from the command
+ func RunVimInTerminal(arguments, options)
+ " If Vim doesn't exit a swap file remains, causing other tests to fail.
+ " Remove it here.
+@@ -91,6 +92,10 @@ func RunVimInTerminal(arguments, options)
+
+ let cmd = GetVimCommandCleanTerm() .. reset_u7 .. a:arguments
+
++ if get(a:options, 'no_clean', 0)
++ let cmd = substitute(cmd, '--clean', '', '')
++ endif
++
+ let options = #{curwin: 1}
+ if &termwinsize == ''
+ let options.term_rows = rows
+diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim
+index a6602227638a..d03ec8f2d81d 100644
+--- a/src/testdir/test_ex_mode.vim
++++ b/src/testdir/test_ex_mode.vim
+@@ -134,6 +134,28 @@ func Test_open_command_flush_line()
+ bwipe!
+ endfunc
+
++" FIXME: this doesn't fail without the fix but hangs
++func Skip_Test_open_command_state()
++ " Tricky script that failed because State was not set properly
++ let lines =<< trim END
++ !ls ƒ
++ 0scìi
++ so! Xsourced
++ set t_û0=0
++ v/-/o
++ END
++ call writefile(lines, 'XopenScript', '')
++
++ let sourced = ["!f\u0083\x02\z=0"]
++ call writefile(sourced, 'Xsourced', 'b')
++
++ CheckRunVimInTerminal
++ let buf = RunVimInTerminal('-u NONE -i NONE -n -m -X -Z -e -s -S XopenScript -c qa!', #{rows: 6, wait_for_ruler: 0, no_clean: 1})
++ sleep 3
++
++ call StopVimInTerminal(buf)
++endfunc
++
+ " Test for :g/pat/visual to run vi commands in Ex mode
+ " This used to hang Vim before 8.2.0274.
+ func Test_Ex_global()
+
diff --git a/vim.spec b/vim.spec
index ccc9179771b74ea7954795d4f3b5c04cb2347694..2f684229c3d414ae534e7de1e07f6ab3bcbd5560 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 29
+Release: 30
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -92,6 +92,7 @@ Patch6061: backport-patch-9.0.0024-may-access-part-of-typeahead-buf-that-is
 Patch6062: backport-patch-9.0.1331-illegal-memory-access-when-using-ball-in-Visual-mode.patch
 Patch6063: backport-CVE-2023-1170.patch
 Patch6064: backport-CVE-2023-1175.patch
+Patch6065: backport-CVE-2023-1264.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -499,6 +500,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Fri Mar 17 2023 wangjiang - 2:9.0-30
+- Type:CVE
+- ID:CVE-2023-1264
+- SUG:NA
+- DESC:CVE-2023-1264
+
 * Wed Mar 08 2023 wangjiang - 2:9.0-29
 - Type:CVE
 - ID:CVE-2023-1170 CVE-2023-1175
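Review bot: The only regression test this backport carries for the NULL-pointer fix is disabled: in the test_ex_mode.vim section it is named `Skip_Test_open_command_state`, under a FIXME saying it hangs rather than fails without the fix. The spec's `make -j1 test` step therefore presumably never reaches the two new `get_cmdline_info()->cmdbuff != NULL` guards in `vgetorpeek()`, whose body starts and ends outside the getchar.c hunks. Keeping the patch identical to upstream 9.0.1392 is right for a backport, so I would record the gap in the packaging instead, with a comment above the `Patch6065` line such as `# CVE-2023-1264: upstream regression test is disabled (Skip_Test_open_command_state); fix is not covered by make test`. Confirming the fix by hand on the built package against the upstream report would close the gap before release.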