From f1b917718b2465e1e21a3780b7aa14dad54bb219 Mon Sep 17 00:00:00 2001
From: BruceGW
Date: Wed, 11 Oct 2023 14:50:51 +0800
Subject: [PATCH] fix CVE-2023-5441
Signed-off-by: BruceGW
---
 backport-CVE-2023-5441.patch | 88 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 +++-
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-5441.patch
diff --git a/backport-CVE-2023-5441.patch b/backport-CVE-2023-5441.patch
new file mode 100644
index 0000000..2096065
--- /dev/null
+++ b/backport-CVE-2023-5441.patch
@@ -0,0 +1,88 @@
+From 20d161ace307e28690229b68584f2d84556f8960 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Thu, 5 Oct 2023 22:08:30 +0200
+Subject: [PATCH] patch 9.0.1992: [security] segfault in exmode
+
+Problem: segfault in exmode when redrawing
+Solution: skip gui_scroll when exmode_active
+
+Signed-off-by: Christian Brabandt
+---
+ src/gui.c | 4 ++++
+ src/testdir/crash/crash_scrollbar | 2 ++
+ src/testdir/test_crash.vim | 7 +++++++
+ src/version.c | 2 ++
+ 4 files changed, 15 insertions(+)
+ create mode 100644 src/testdir/crash/crash_scrollbar
+
+diff --git a/src/gui.c b/src/gui.c
+index 1f546b2a7..9c9aa3cbe 100644
+--- a/src/gui.c
++++ b/src/gui.c
+@@ -4397,6 +4397,7 @@ gui_do_scrollbar(
+ * Scroll a window according to the values set in the globals
+ * "current_scrollbar" and "scrollbar_value".
+ * Return TRUE if the cursor in the current window moved or FALSE otherwise.
++ * may eventually cause a redraw using updateWindow
+ */
+ int
+ gui_do_scroll(void)
+@@ -4416,6 +4417,9 @@ gui_do_scroll(void)
+ if (wp == NULL)
+ // Couldn't find window
+ return FALSE;
++ // don't redraw, LineOffset and similar are not valid!
++ if (exmode_active)
++ return FALSE;
+
+ /*
+ * Compute number of lines to scroll. If zero, nothing to do.
+diff --git a/src/testdir/crash/crash_scrollbar b/src/testdir/crash/crash_scrollbar
+new file mode 100644
+index 000000000..1de590522
+--- /dev/null
++++ b/src/testdir/crash/crash_scrollbar
+@@ -0,0 +1,2 @@
++" this goes to insert mode and presses key k_VerScrollbar which may cause a redraw in exmode, which used ot crash Vim
++norm o€ùX
+diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
+index 5c83e3a2f..9a80340c2 100644
+--- a/src/testdir/test_crash.vim
++++ b/src/testdir/test_crash.vim
+@@ -72,6 +72,12 @@ func Test_crash1()
+ \ ' || echo "crash 8: [OK]" >> X_crash1_result.txt' ..
"\")
+ call TermWait(buf, 3000)
+
++ let file = 'crash/crash_scrollbar'
++ let args = printf(cmn_args, vim, file)
++ call term_sendkeys(buf, args ..
++ \ ' && echo "crash 9: [OK]" >> X_crash1_result.txt' .. "\")
++ call TermWait(buf, 1000)
++
+ " clean up
+ exe buf .. "bw!"
+
+@@ -86,6 +92,7 @@ func Test_crash1()
+ \ 'crash 6: [OK]',
+ \ 'crash 7: [OK]',
+ \ 'crash 8: [OK]',
++ \ 'crash 9: [OK]',
+ \ ]
+
+ call assert_equal(expected, getline(1, '$'))
+diff --git a/src/version.c b/src/version.c
+index 9b1c0b4e9..2bb134a3b 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -704,6 +704,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1992,
+ /**/
+ 1991,
+ /**/
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index fa47b8c..f74998c 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@ Name: vim
 Epoch: 2
 Version: 9.0
-Release: 37
+Release: 38
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -109,6 +109,7 @@ Patch6078: backport-CVE-2023-4750.patch
 Patch6079: backport-CVE-2023-4752.patch
 Patch6080: backport-CVE-2023-4781.patch
 Patch6081: backport-CVE-2023-5344.patch
+Patch6082: backport-CVE-2023-5441.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -516,6 +517,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Wed Oct 11 2023 BruceGW - 2:9.0-38
+- Type:CVE
+- ID:CVE-2023-5441
+- SUG:NA
+- DESC:fix CVE-2023-5441
+
 * Tue Oct 10 2023 wangjiang - 2:9.0-37
 - Type:CVE
 - ID:CVE-2023-5344
--
Gitee
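Review bot: The regression input added as `src/testdir/crash/crash_scrollbar` appears to rely on raw, non-UTF-8 key bytes (rendered here as `€ùX` after `norm o`), so if `backport-CVE-2023-5441.patch` is re-encoded on its way into the package, the test no longer sends the scrollbar key its comment describes. Because the new `test_crash.vim` step writes `crash 9: [OK]` with `&&`, i.e. whenever the Vim command succeeds, a mangled input would still pass and `make -j1 test` would stop guarding the `exmode_active` check in `gui_do_scroll()`. I would record this next to the new `Patch6082` line in `vim.spec`, e.g. `# crash_scrollbar in this patch holds raw key bytes; keep the patch file byte-exact (no re-encoding)`, and compare the applied file against upstream commit 20d161ace307 once. The byte values are inferred from how this page renders them, so treat that part as something to confirm.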