From 40b4a7c430056b8af62907c35417e9ee2706d16d Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Tue, 12 Sep 2023 12:40:56 +0000
Subject: [PATCH] fix CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781
---
 backport-CVE-2023-4738.patch | 43 +++++++++++++++++++++++++++++++++++++++++++
 backport-CVE-2023-4750.patch | 41 +++++++++++++++++++++++++++++++++++++++++
 backport-CVE-2023-4752.patch | 28 ++++++++++++++++++++++++++++
 backport-CVE-2023-4781.patch | 45 +++++++++++++++++++++++++++++++++++++++++++++
 vim.spec | 14 ++++++++++++--
 5 files changed, 169 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2023-4738.patch
 create mode 100644 backport-CVE-2023-4750.patch
 create mode 100644 backport-CVE-2023-4752.patch
 create mode 100644 backport-CVE-2023-4781.patch
diff --git a/backport-CVE-2023-4738.patch b/backport-CVE-2023-4738.patch
new file mode 100644
index 0000000..e88bb1e
--- /dev/null
+++ b/backport-CVE-2023-4738.patch
@@ -0,0 +1,43 @@
+From ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sat, 2 Sep 2023 21:15:52 +0200
+Subject: [PATCH 23/52] patch 9.0.1848: [security] buffer-overflow in
+ vim_regsub_both()
+
+Problem: buffer-overflow in vim_regsub_both()
+Solution: Check remaining space
+
+Signed-off-by: Christian Brabandt
+---
+ src/ex_cmds.c | 3 +++
+ src/regexp.c | 3 ++-
+ 2 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index c30b6fddf..53c7bb5a3 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -4542,6 +4542,9 @@ ex_substitute(exarg_T *eap)
+ mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ new_end += copy_len;
+ 
++ if (new_start_len - copy_len < sublen)
++ sublen = new_start_len - copy_len - 1;
++
+ #ifdef FEAT_EVAL
+ ++textlock;
+ #endif
+diff --git a/src/regexp.c b/src/regexp.c
+index 9c576c689..edd1293a5 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -2007,7 +2007,8 @@ vim_regsub_both(
+ // "flags & REGSUB_COPY" != 0.
+ if (copy)
+ {
+- if (eval_result[nested] != NULL)
++ if (eval_result[nested] != NULL &&
++ STRLEN(eval_result[nested]) < destlen)
+ {
+ STRCPY(dest, eval_result[nested]);
+ dst += STRLEN(eval_result[nested]);
diff --git a/backport-CVE-2023-4750.patch b/backport-CVE-2023-4750.patch
new file mode 100644
index 0000000..5afeb73
--- /dev/null
+++ b/backport-CVE-2023-4750.patch
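Review bot: The clamp added after `new_end += copy_len;` in ex_cmds.c measures the free space as `new_start_len - copy_len`, which is only right when new_end was at new_start before this copy; whatever new_start already held (earlier substitutions on the same line, as I would expect for a :s with the g flag) is not subtracted, so sublen can still exceed the room actually left. The comparison should use the real remaining length: `if (new_start_len - (int)(new_end - new_start) < sublen) sublen = new_start_len - (int)(new_end - new_start) - 1;`. In regexp.c the new `STRLEN(eval_result[nested]) < destlen` guard silently discards an over-long expression result rather than reporting it; a one-line comment such as `// result no longer fits in dest: dropped rather than truncated` would save the next reader a trip through vim_regsub_multi(). Both ex_substitute() and vim_regsub_both() begin and end outside their hunks.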
@@ -0,0 +1,41 @@
+From fc68299d436cf87453e432daa77b6d545df4d7ed Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 3 Sep 2023 20:20:52 +0200
+Subject: [PATCH 32/52] patch 9.0.1857: [security] heap-use-after-free in
+ is_qf_win()
+
+Problem: heap-use-after-free in is_qf_win()
+Solution: Check buffer is valid before accessing it
+
+Signed-off-by: Christian Brabandt
+---
+ src/main.c | 2 +-
+ src/quickfix.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index cca53fe25..a40c3a666 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -1606,7 +1606,7 @@ getout(int exitval)
+ next_tp = tp->tp_next;
+ FOR_ALL_WINDOWS_IN_TAB(tp, wp)
+ {
+- if (wp->w_buffer == NULL)
++ if (wp->w_buffer == NULL || !buf_valid(wp->w_buffer))
+ // Autocmd must have close the buffer already, skip.
+ continue;
+ buf = wp->w_buffer;
+diff --git a/src/quickfix.c b/src/quickfix.c
+index aa431ea10..a3d3e8fb7 100644
+--- a/src/quickfix.c
++++ b/src/quickfix.c
+@@ -4426,7 +4426,7 @@ is_qf_win(win_T *win, qf_info_T *qi)
+ // set to NULL.
+ // A window displaying a location list buffer will have the w_llist_ref
+ // pointing to the location list.
+- if (bt_quickfix(win->w_buffer))
++ if (buf_valid(win->w_buffer) && bt_quickfix(win->w_buffer))
+ if ((IS_QF_STACK(qi) && win->w_llist_ref == NULL)
+ || (IS_LL_STACK(qi) && win->w_llist_ref == qi))
+ return TRUE;
diff --git a/backport-CVE-2023-4752.patch b/backport-CVE-2023-4752.patch
new file mode 100644
index 0000000..11e9b7b
--- /dev/null
+++ b/backport-CVE-2023-4752.patch
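Review bot: buf_valid() only proves that wp->w_buffer currently points at some buffer on the list; a buffer freed and re-allocated at the same address passes it, so the guard in getout() narrows the use-after-free window rather than removing the stale pointer, and the code that frees the buffer ought to clear w_buffer as well (outside this hunk). The comment on the line after the new check is now inaccurate and has a typo: `// Autocmd must have closed or freed the buffer already, skip.`. The same caveat applies to is_qf_win() in quickfix.c, where buf_valid() is presumably a walk of the buffer list on every call — acceptable, but worth a note if is_qf_win() is invoked per window in a loop. getout() and is_qf_win() both begin and end outside their hunks.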
@@ -0,0 +1,28 @@
+From ee9166eb3b41846661a39b662dc7ebe8b5e15139 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 3 Sep 2023 21:24:33 +0200
+Subject: [PATCH 33/52] patch 9.0.1858: [security] heap use after free in
+ ins_compl_get_exp()
+
+Problem: heap use after free in ins_compl_get_exp()
+Solution: validate buffer before accessing it
+
+Signed-off-by: Christian Brabandt
+---
+ src/insexpand.c | 2 +-
+ 2 files changed, 1 insertions(+), 1 deletions(-)
+ create mode 100644 src/testdir/crash/poc_tagfunc.vim
+
+diff --git a/src/insexpand.c b/src/insexpand.c
+index 3cfdface4..b767b4efd 100644
+--- a/src/insexpand.c
++++ b/src/insexpand.c
+@@ -3840,7 +3840,7 @@ ins_compl_get_exp(pos_T *ini)
+ else
+ {
+ // Mark a buffer scanned when it has been scanned completely
+- if (type == 0 || type == CTRL_X_PATH_PATTERNS)
++ if (buf_valid(st.ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
+ st.ins_buf->b_scanned = TRUE;
+ 
+ compl_started = FALSE;
diff --git a/backport-CVE-2023-4781.patch b/backport-CVE-2023-4781.patch
new file mode 100644
index 0000000..7c1db53
--- /dev/null
+++ b/backport-CVE-2023-4781.patch
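Review bot: The guard protects only the `st.ins_buf->b_scanned = TRUE` write; if st.ins_buf is touched again after the `compl_started = FALSE;` line (the code that advances to the next buffer lies outside the hunk), a freed buffer is still reachable there, so the buf_valid() result should be kept in a local and the rest of the iteration skipped when it is FALSE. The inner diffstat still says `2 files changed` and lists `create mode 100644 src/testdir/crash/poc_tagfunc.vim`, but the backport carries only src/insexpand.c; either drop the stale stat lines or carry the regression test along with the fix. The new condition also runs well past 80 columns, which the surrounding Vim code avoids — splitting after `&&` keeps it readable. ins_compl_get_exp() begins and ends outside the hunk.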
@@ -0,0 +1,45 @@
+From f6d28fe2c95c678cc3202cc5dc825a3fcc709e93 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Tue, 5 Sep 2023 20:18:06 +0200
+Subject: [PATCH 53/58] patch 9.0.1873: [security] heap-buffer-overflow in
+ vim_regsub_both
+
+Problem: heap-buffer-overflow in vim_regsub_both
+Solution: Disallow exchanging windows when textlock is active
+
+Signed-off-by: Christian Brabandt
+---
+ src/ex_cmds.c | 3 +++
+ src/window.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 4f1d93244..566ed7dad 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -4461,6 +4461,9 @@ ex_substitute(exarg_T *eap)
+ {
+ nmatch = curbuf->b_ml.ml_line_count - sub_firstlnum + 1;
+ skip_match = TRUE;
++ // safety check
++ if (nmatch < 0)
++ goto skip;
+ }
+ 
+ // Need room for:
+diff --git a/src/window.c b/src/window.c
+index 1af2395df..f77ede330 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -1738,6 +1738,11 @@ win_exchange(long Prenum)
+ beep_flush();
+ return;
+ }
++ if (text_or_buf_locked())
++ {
++ beep_flush();
++ return;
++ }
+ 
+ #ifdef FEAT_GUI
+ need_mouse_correct = TRUE;
diff --git a/vim.spec b/vim.spec
index 626a736..b219151 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 16
+Release: 17
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -102,6 +102,10 @@ Patch6072: backport-patch-9.0.0473-fullcommand-only-works-for-the-current-s
 Patch6073: backport-patch-9.0.0474-fullcommand-testfailure.patch
 Patch6074: backport-CVE-2023-4734.patch
 Patch6075: backport-CVE-2023-4735.patch
+Patch6076: backport-CVE-2023-4738.patch
+Patch6077: backport-CVE-2023-4750.patch
+Patch6078: backport-CVE-2023-4752.patch
+Patch6079: backport-CVE-2023-4781.patch
 Patch9000: bugfix-rm-modify-info-version.patch
 Patch9001: vim-Add-sw64-architecture.patch
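Review bot: `// safety check` in the ex_cmds.c hunk says nothing about what is being guarded; nmatch only goes negative here when the buffer has fewer lines than sub_firstlnum, presumably because the `\=` expression evaluated for an earlier match deleted lines, so the comment should say that: `// Buffer shrank below sub_firstlnum (e.g. a \= expression deleted lines): nothing left to substitute.`. The `goto skip` target and the rest of ex_substitute() are outside the hunk. In window.c the new block copies the `beep_flush(); return;` exit just above it, but if text_or_buf_locked() already reports the lock with an error message, as the sibling text_locked_msg() helpers do, the extra beep is redundant and a plain `return;` would match how other textlock checks behave — worth confirming against the helper. Note that only win_exchange() is locked down here; the commit message should say whether other window-changing commands were reviewed for the same textlock gap.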
@@ -408,7 +412,7 @@ popd
 %check
 export TERM=xterm
-LC_ALL=en_US.UTF-8 make -j1 test
+LANG=en_US.UTF-8 make -j1 test
 %files common
 %exclude %{_datadir}/vim/%{vimdir}/macros/maze/maze*.c
@@ -510,6 +514,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Tue Sep 12 2023 wangjiang - 2:9.0-17
+- Type:CVE
+- ID:CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781
+- SUG:NA
+- DESC:fix CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781
+
 * Thu Sep 07 2023 wangjiang - 2:9.0-16
 - Type:CVE
 - ID:CVE-2023-4736 CVE-2023-4733 CVE-2023-4734 CVE-2023-4735
-- 
Gitee
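Review bot: The %check change from `LC_ALL=en_US.UTF-8 make -j1 test` to `LANG=en_US.UTF-8 make -j1 test` is unrelated to the four CVE backports and is not mentioned in the changelog entry added in the next hunk; it should either be a separate commit or get its own `- DESC:` line. It also weakens the setting: LANG is the lowest-precedence locale variable, so any LC_ALL or LC_CTYPE already present in the build environment overrides it and the test suite may no longer run under the UTF-8 locale the original line forced. If this is a workaround for en_US.UTF-8 being unavailable in the build root, say so in a `#` comment above the line so the next maintainer does not revert it.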