diff --git a/backport-CVE-2023-2609.patch b/backport-CVE-2023-2609.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9a04b56eb6ee4f6adf701045dca9a1dd529a21eb
--- /dev/null
+++ b/backport-CVE-2023-2609.patch
@@ -0,0 +1,54 @@
+From d1ae8366aff286d41e7f5bc513cc0a1af5130aad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 9 May 2023 17:09:30 +0100
+Subject: [PATCH] patch 9.0.1531: crash when register contents ends up being
+ invalid
+
+Problem: Crash when register contents ends up being invalid.
+Solution: Check "y_array" is not NULL.
+---
+ src/register.c | 2 +-
+ src/testdir/test_registers.vim | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index f3df79cfd642..e481d843c249 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -300,7 +300,7 @@ get_register(
+ if (copy)
+ {
+ // If we run out of memory some or all of the lines are empty.
+- if (reg->y_size == 0)
++ if (reg->y_size == 0 || y_current->y_array == NULL)
+ reg->y_array = NULL;
+ else
+ reg->y_array = ALLOC_MULT(char_u *, reg->y_size);
+diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
+index e966932478d8..33ea0f4bd3e6 100644
+--- a/src/testdir/test_registers.vim
++++ b/src/testdir/test_registers.vim
+@@ -798,6 +798,23 @@ func Test_end_reg_executing()
+ bwipe!
+ endfunc
+
++" This was causing a crash because y_append was ending up being NULL
++func Test_zero_y_append()
++ " Run in a separate Vim instance because changing 'encoding' may cause
++ " trouble for later tests.
++ let lines =<< trim END
++ d
++ silent ?n
++ next
++ so
++ sil! norm 0V€PSP
++ set enc=latin1
++   
++ END
++ call writefile(lines, 'XTest_zero_y_append', 'D')
++ call RunVim([], [], '-u NONE -i NONE -e -s -S XTest_zero_y_append -c qa\!')
++endfunc
++
+ " Make sure that y_append is correctly reset
+ " and the previous register is working as expected
+ func Test_register_y_append_reset()
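Review bot: The new condition in get_register() (the function starts and ends outside this hunk) still leaves the copied register self-inconsistent: when `y_current->y_array == NULL` but the size is non-zero, `reg->y_array` becomes NULL while `reg->y_size` presumably keeps the count it was copied with above, so a consumer that walks `y_size` entries of `y_array` dereferences NULL one step later rather than here. Unless callers are known to tolerate `y_size > 0` with a NULL array (nothing in the hunk shows that), I would make the empty case consistent: `if (reg->y_size == 0 || y_current->y_array == NULL) { reg->y_array = NULL; reg->y_size = 0; } else`. The comment above the condition only explains the out-of-memory case; a line such as `// y_array can also be NULL when the yank that filled the register did not complete — treat it as empty` (wording to be confirmed by whoever knows how the register got into that state) would tell the next reader why the second test exists.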
diff --git a/backport-CVE-2023-2610.patch b/backport-CVE-2023-2610.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b7e4e1cb52b16834fd502988ed8feef9c79e0131
--- /dev/null
+++ b/backport-CVE-2023-2610.patch
@@ -0,0 +1,97 @@
+From ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 9 May 2023 21:15:30 +0100
+Subject: [PATCH] patch 9.0.1532: crash when expanding "~" in substitute causes
+ very long text
+
+Problem: Crash when expanding "~" in substitute causes very long text.
+Solution: Limit the text length to MAXCOL.
+---
+ src/regexp.c | 30 +++++++++++++++++++-----------
+ src/testdir/test_substitute.vim | 14 ++++++++++++++
+ 2 files changed, 33 insertions(+), 11 deletions(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 33b36d11a8be..0e6c746df819 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -1723,10 +1723,7 @@ do_Lower(int *d, int c)
+ regtilde(char_u *source, int magic)
+ {
+ char_u *newsub = source;
+- char_u *tmpsub;
+ char_u *p;
+- int len;
+- int prevlen;
+
+ for (p = newsub; *p; ++p)
+ {
+@@ -1735,24 +1732,35 @@ regtilde(char_u *source, int magic)
+ if (reg_prev_sub != NULL)
+ {
+ // length = len(newsub) - 1 + len(prev_sub) + 1
+- prevlen = (int)STRLEN(reg_prev_sub);
+- tmpsub = alloc(STRLEN(newsub) + prevlen);
++ // Avoid making the text longer than MAXCOL, it will cause
++ // trouble at some point.
++ size_t prevsublen = STRLEN(reg_prev_sub);
++ size_t newsublen = STRLEN(newsub);
++ if (prevsublen > MAXCOL || newsublen > MAXCOL
++ || newsublen + prevsublen > MAXCOL)
++ {
++ emsg(_(e_resulting_text_too_long));
++ break;
++ }
++
++ char_u *tmpsub = alloc(newsublen + prevsublen);
+ if (tmpsub != NULL)
+ {
+ // copy prefix
+- len = (int)(p - newsub); // not including ~
+- mch_memmove(tmpsub, newsub, (size_t)len);
++ size_t prefixlen = p - newsub; // not including ~
++ mch_memmove(tmpsub, newsub, prefixlen);
+ // interpret tilde
+- mch_memmove(tmpsub + len, reg_prev_sub, (size_t)prevlen);
++ mch_memmove(tmpsub + prefixlen, reg_prev_sub,
++ prevsublen);
+ // copy postfix
+ if (!magic)
+ ++p; // back off backslash
+- STRCPY(tmpsub + len + prevlen, p + 1);
++ STRCPY(tmpsub + prefixlen + prevsublen, p + 1);
+
+- if (newsub != source) // already allocated newsub
++ if (newsub != source) // allocated newsub before
+ vim_free(newsub);
+ newsub = tmpsub;
+- p = newsub + len + prevlen;
++ p = newsub + prefixlen + prevsublen;
+ }
+ }
+ else if (magic)
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 7491b6163dc8..32e2f2785479 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -1394,6 +1394,20 @@ func Test_substitute_short_cmd()
+ bw!
+ endfunc
+
++" Check handling expanding "~" resulting in extremely long text.
++func Test_substitute_tilde_too_long()
++ enew!
++
++ s/.*/ixxx
++ s//~~~~~~~~~AAAAAAA@(
++
++ " Either fails with "out of memory" or "text too long".
++ " This can take a long time.
++ call assert_fails('sil! norm &&&&&&&&&', ['E1240:\|E342:'])
++
++ bwipe!
++endfunc
++
+ " This should be done last to reveal a memory leak when vim_regsub_both() is
+ " called to evaluate an expression but it is not used in a second call.
+ func Test_z_substitute_expr_leak()
diff --git a/vim.spec b/vim.spec
index 9f4ae678300a9a0a0cc440504a06471b27909b4c..8aab4c7346bf0aa3f0c40130bb7cbc2b283771c1 100644
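Review bot: The `break` after `emsg(_(e_resulting_text_too_long))` leaves the loop with `newsub` holding a partially expanded string — every `~` after the one that tripped the limit stays literal — and regtilde() (which begins in the previous hunk and returns outside this one) hands that to its caller like any other result, so correctness depends on the caller noticing the emsg and discarding the text, which the hunk does not show. I would say so on the spot, e.g. `// give up; the caller must abandon the result after this emsg`, or return NULL / the untouched `source` if the caller can cope with that, whichever the maintainer can confirm. In the new guard the first two comparisons are redundant: with `size_t` operands, `newsublen + prevsublen > MAXCOL` already implies `prevsublen > MAXCOL` and `newsublen > MAXCOL` unless the sum wraps, which two in-memory strings cannot make happen in practice; either drop them or add `// the first two tests only guard against the sum wrapping` so the check reads as intended.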
--- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 14 +Release: 15 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -94,6 +94,8 @@ Patch6064: backport-CVE-2023-1175.patch Patch6065: backport-CVE-2023-1264.patch Patch6066: backport-vim-7.0-rclocation.patch Patch6067: backport-CVE-2023-2426.patch +Patch6068: backport-CVE-2023-2609.patch +Patch6069: backport-CVE-2023-2610.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: vim-Add-sw64-architecture.patch @@ -502,6 +504,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Sat May 13 2023 wangjiang - 2:9.0-15 +- Type:CVE +- ID:CVE-2023-2609 CVE-2023-2610 +- SUG:NA +- DESC:CVE-2023-2609 CVE-2023-2610 + * Thu May 04 2023 wangjiang - 2:9.0-14 - Type:CVE - ID:CVE-2023-2426