From 9f3d83aa35990e65d874eca67bc999dca05f2ebd Mon Sep 17 00:00:00 2001 From: wangjiang Date: Sun, 8 Oct 2023 16:01:17 +0800 Subject: [PATCH] fix CVE-2023-5344 --- backport-CVE-2023-5344.patch | 47 ++++++++++++++++++++++++++++++++++++ vim.spec | 9 ++++++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-5344.patch diff --git a/backport-CVE-2023-5344.patch b/backport-CVE-2023-5344.patch new file mode 100644 index 0000000..6994b5c --- /dev/null +++ b/backport-CVE-2023-5344.patch @@ -0,0 +1,47 @@ +From 3bd7fa12e146c6051490d048a4acbfba974eeb04 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Mon, 2 Oct 2023 20:59:08 +0200 +Subject: [PATCH 2156/2205] patch 9.0.1969: [security] buffer-overflow in + trunc_string() + +Problem: buffer-overflow in trunc_string() +Solution: Add NULL at end of buffer + +Currently trunc_string() assumes that when the string is too long, +buf[e-1] will always be writeable. But that assumption may not always be +true. The condition currently looks like this + + else if (e + 3 < buflen) + [...] + else + { + // can't fit in the "...", just truncate it + buf[e - 1] = NUL; + } + +but this means, we may run into the last else clause with e still being +larger than buflen. So a buffer overflow occurs. + +So instead of using `buf[e - 1]`, let's just always +truncate at `buf[buflen - 1]` which should always be writable. + +Signed-off-by: Christian Brabandt +--- + src/message.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/src/message.c b/src/message.c +index 2fc6cefa9..83c8b4f4a 100644 +--- a/src/message.c ++++ b/src/message.c +@@ -353,7 +353,7 @@ trunc_string( + else + { + // can't fit in the "...", just truncate it +- buf[e - 1] = NUL; ++ buf[buflen - 1] = NUL; + } + } + +-- +2.27.0 diff --git a/vim.spec b/vim.spec index e2c2fd0..4a11f74 100644 --- a/vim.spec +++ b/vim.spec 
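Review bot: The new `buf[buflen - 1] = NUL;` is in bounds only if `buflen >= 1`, and nothing in the hunk establishes that; the upstream message says `e` can still be larger than `buflen` when this `else` is reached, but the parameters of trunc_string() and the loop that advances `e` are outside the hunk, so the backport should be checked against the packaged 9.0 source to confirm the same loop is present there and that no caller passes `buflen == 0` (presumably none does, but the hunk cannot show it). The fallback also still drops the "..." marker silently, which the existing comment only hints at; I would extend it to `// can't fit in the "...": truncate at the end of the buffer (e may exceed buflen here)`. The nested diffstat reads `1 files changed, 1 insertions(+), 1 deletion(-)`, i.e. the upstream patch was hand-trimmed to src/message.c; if the upstream commit carried a regression test for the over-long input case it was dropped with it and would be worth carrying. trunc_string's body starts and ends outside the hunk.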
@@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 17 +Release: 18 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -106,6 +106,7 @@ Patch6076: backport-CVE-2023-4738.patch Patch6077: backport-CVE-2023-4750.patch Patch6078: backport-CVE-2023-4752.patch Patch6079: backport-CVE-2023-4781.patch +Patch6080: backport-CVE-2023-5344.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -515,6 +516,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Sun Oct 08 2023 wangjiang - 2:9.0-18 +- Type:CVE +- ID:CVE-2023-5344 +- SUG:NA +- DESC:fix CVE-2023-5344 + * Tue Sep 12 2023 wangjiang - 2:9.0-17 - Type:CVE - ID:CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781 -- Gitee
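Review bot: `Patch6080: backport-CVE-2023-5344.patch` is only declared, and the hunk shows no corresponding `%patch6080 -p1` nor the `%autosetup -p1` line that would apply every PatchN automatically, so the patch could be listed but never applied; please confirm the %prep section, which is outside this hunk, picks it up. A quick check is `rpmbuild -bp vim.spec` followed by grepping the unpacked src/message.c for `buf[buflen - 1] = NUL`. The Release bump to 18 and the changelog entry are consistent with the single added patch.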