From d11576cdba39e3d7a82491520956bcc1e4f83f5e Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Mon, 16 Oct 2023 14:21:26 +0800
Subject: [PATCH] fix CVE-2023-5441 CVE-2023-5535

(cherry picked from commit b612372c9dca9d1c2f2478a6ad2cc2e615a100f9)
---
 backport-CVE-2023-5441.patch | 35 ++++++++++++++++++++++++++++++++++
 backport-CVE-2023-5535.patch | 37 ++++++++++++++++++++++++++++++++++++
 vim.spec | 10 +++++++++-
 3 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-5441.patch
 create mode 100644 backport-CVE-2023-5535.patch

diff --git a/backport-CVE-2023-5441.patch b/backport-CVE-2023-5441.patch
new file mode 100644
index 0000000..14d07dd
--- /dev/null
+++ b/backport-CVE-2023-5441.patch
@@ -0,0 +1,35 @@
+From 20d161ace307e28690229b68584f2d84556f8960 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Thu, 5 Oct 2023 22:08:30 +0200
+Subject: [PATCH] patch 9.0.1992: [security] segfault in exmode
+
+Problem: segfault in exmode when redrawing
+Solution: skip gui_scroll when exmode_active
+
+Signed-off-by: Christian Brabandt
+---
+ src/gui.c | 4 ++++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/src/gui.c b/src/gui.c
+index 1f546b2a75b57..9c9aa3cbecdcf 100644
+--- a/src/gui.c
++++ b/src/gui.c
+@@ -4436,6 +4436,7 @@ gui_do_scrollbar(
+ * Scroll a window according to the values set in the globals current_scrollbar
+ * and scrollbar_value. Return TRUE if the cursor in the current window moved
+ * or FALSE otherwise.
++ * may eventually cause a redraw using updateWindow
+ */
+ int
+ gui_do_scroll(void)
+@@ -4455,6 +4456,9 @@ gui_do_scroll(void)
+ if (wp == NULL)
+ // Couldn't find window
+ return FALSE;
++ // don't redraw, LineOffset and similar are not valid!
++ if (exmode_active)
++ return FALSE;
+
+ /*
+ * Compute number of lines to scroll. If zero, nothing to do.
diff --git a/backport-CVE-2023-5535.patch b/backport-CVE-2023-5535.patch
new file mode 100644
index 0000000..9db270d
--- /dev/null
+++ b/backport-CVE-2023-5535.patch
@@ -0,0 +1,37 @@
+From 41e6f7d6ba67b61d911f9b1d76325cd79224753d Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Wed, 11 Oct 2023 21:08:13 +0200
+Subject: [PATCH] patch 9.0.2010: [security] use-after-free from
+ buf_contents_changed()
+
+Problem: [security] use-after-free from buf_contents_changed()
+Solution: block autocommands
+
+Signed-off-by: Christian Brabandt
+---
+ src/buffer.c | 5 +++++
+ 1 files changed, 5 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 93f9245f27f9d..9ee74f54dd6fd 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -5902,6 +5902,9 @@ buf_contents_changed(buf_T *buf)
+ // set curwin/curbuf to buf and save a few things
+ aucmd_prepbuf(&aco, newbuf);
+
++ // We don't want to trigger autocommands now, they may have nasty
++ // side-effects like wiping buffers
++ block_autocmds();
+ if (ml_open(curbuf) == OK
+ && readfile(buf->b_ffname, buf->b_fname,
+ (linenr_T)0, (linenr_T)0, (linenr_T)MAXLNUM,
+@@ -5927,6 +5930,8 @@ buf_contents_changed(buf_T *buf)
+ if (curbuf != newbuf) // safety check
+ wipe_buffer(newbuf, FALSE);
+
++ unblock_autocmds();
++
+ return differ;
+ }
+
diff --git a/vim.spec b/vim.spec
index 68776c9..2a65611 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 17
+Release: 18
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -107,6 +107,8 @@ Patch6077: backport-CVE-2023-4750.patch Patch6078: backport-CVE-2023-4752.patch Patch6079: backport-CVE-2023-4781.patch Patch6080: backport-CVE-2023-5344.patch +Patch6081: backport-CVE-2023-5441.patch +Patch6082: backport-CVE-2023-5535.patch Patch9000: bugfix-rm-modify-info-version.patch
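Review bot: The `block_autocmds();` added after `aucmd_prepbuf(&aco, newbuf);` and the `unblock_autocmds();` added before `return differ;` land in two separate hunks of the embedded src/buffer.c patch, and the body between them (the readfile() result handling and the restore of curwin/curbuf) is outside the hunk, so the backport should be checked against the local 9.0 tree for any return path between the pair; an unmatched block would leave autocommands suppressed after this call returns. The upstream hunk offsets (5902 and 5927) come from 9.0.2010, and if the distro base differs the patch tool may place the calls with fuzz, which is worth confirming in the build log rather than assuming. A one-line comment at the unblock site, `// paired with block_autocmds() above; every exit from that point must pass through here`, would make the invariant visible to the next backporter. buf_contents_changed() starts and ends outside the hunk.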
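Review bot: `Patch6081` and `Patch6082` are declared in the vim.spec hunk at @@ -107, but the hunk does not show how patches are applied; if this spec applies them with explicit `%patch` lines in `%prep` rather than `%autosetup`/`%autopatch`, matching `%patch6081 -p1` and `%patch6082 -p1` entries are needed, otherwise the two backports are listed but never applied and the Release bump to 18 would ship an unpatched build. The `%prep` section is outside the hunk, so this cannot be confirmed from the diff alone. Checking the build log for both patch files being reported as applied would settle it.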
@@ -516,6 +518,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Mon Oct 16 2023 wangjiang - 2:9.0-18
+- Type:CVE
+- ID:CVE-2023-5441 CVE-2023-5535
+- SUG:NA
+- DESC:fix CVE-2023-5441 CVE-2023-5535
+
 * Tue Oct 10 2023 wangjiang - 2:9.0-17
 - Type:CVE
 - ID:CVE-2023-5344
-- Gitee