From 03a4221a5c23e8925b5fb07522684e02e05fb71b Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Fri, 12 Jul 2024 11:43:51 +0800
Subject: [PATCH] fix CVE-2023-48232

(cherry picked from commit 43fa07e121e8732ab185e1612741b4265ce5e7f9)
---
 ...ose.patch => backport-CVE-2023-48231.patch | 0
 backport-CVE-2023-48232.patch | 63 +++++++++++++++++++
 ...and.patch => backport-CVE-2023-48233.patch | 0
 ...unt.patch => backport-CVE-2023-48234.patch | 0
 ...ing.patch => backport-CVE-2023-48235.patch | 0
 ...ber.patch => backport-CVE-2023-48236.patch | 0
 ...ine.patch => backport-CVE-2023-48237.patch | 0
 ...ute.patch => backport-CVE-2023-48706.patch | 0
 vim.spec | 23 ++++---
 9 files changed, 78 insertions(+), 8 deletions(-)
 rename backport-patch-9.0.2106-Use-after-free-in-win_close.patch => backport-CVE-2023-48231.patch (100%)
 create mode 100644 backport-CVE-2023-48232.patch
 rename bugfix-security-overflow-with-count-for-s-command.patch => backport-CVE-2023-48233.patch (100%)
 rename backport-patch-9.0.2109-overflow-in-nv_z_get_count.patch => backport-CVE-2023-48234.patch (100%)
 rename backport-patch-9.0.2110-overflow-in-ex-address-parsing.patch => backport-CVE-2023-48235.patch (100%)
 rename backport-patch-9.0.2111-overflow-in-get_number.patch => backport-CVE-2023-48236.patch (100%)
 rename backport-patch-9.0.2112-overflow-in-shift_line.patch => backport-CVE-2023-48237.patch (100%)
 rename backport-patch-9.0.2121-use-after-free-in-ex_substitute.patch => backport-CVE-2023-48706.patch (100%)

diff --git a/backport-patch-9.0.2106-Use-after-free-in-win_close.patch b/backport-CVE-2023-48231.patch
similarity index 100%
rename from backport-patch-9.0.2106-Use-after-free-in-win_close.patch
rename to backport-CVE-2023-48231.patch
diff --git a/backport-CVE-2023-48232.patch b/backport-CVE-2023-48232.patch
new file mode 100644
index 0000000..78eea59
--- /dev/null
+++ b/backport-CVE-2023-48232.patch
@@ -0,0 +1,63 @@
+From cb0b99f0672d8446585d26e998343dceca17d1ce Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Tue, 14 Nov 2023 20:05:59 +0100
+Subject: [PATCH] patch 9.0.2107: [security]: FPE in adjust_plines_for_skipcol
+
+Problem: [security]: FPE in adjust_plines_for_skipcol
+Solution: don't divide by zero, return zero
+
+Prevent a floating point exception when calculating w_skipcol (which can
+happen with a small window when the number option is set and cpo+=n).
+
+Add a test to verify
+
+Signed-off-by: Christian Brabandt
+---
+ src/move.c | 5 +++--
+ src/testdir/test_scroll_opt.vim | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/src/move.c b/src/move.c
+index ce06dc3394689..fbb352a32e15a 100644
+--- a/src/move.c
++++ b/src/move.c
+@@ -45,8 +45,9 @@ adjust_plines_for_skipcol(win_T *wp)
+ return 0;
+
+ int width = wp->w_width - win_col_off(wp);
+- if (wp->w_skipcol >= width)
+- return (wp->w_skipcol - width) / (width + win_col_off2(wp)) + 1;
++ int w2 = width + win_col_off2(wp);
++ if (wp->w_skipcol >= width && w2 > 0)
++ return (wp->w_skipcol - width) / w2 + 1;
+
+ return 0;
+ }
+diff --git a/src/testdir/test_scroll_opt.vim b/src/testdir/test_scroll_opt.vim
+index d5d08a24c20d4..342d382c20a5a 100644
+--- a/src/testdir/test_scroll_opt.vim
++++ b/src/testdir/test_scroll_opt.vim
+@@ -926,4 +926,23 @@ func Test_smoothscroll_cursor_top()
+ call StopVimInTerminal(buf)
+ endfunc
+
++" Division by zero, shouldn't crash
++func Test_smoothscroll_crash()
++ CheckScreendump
++
++ let lines =<< trim END
++ 20 new
++ vsp
++ put =repeat('aaaa', 20)
++ set nu fdc=1 smoothscroll cpo+=n
++ vert resize 0
++ exe "norm! 0\"
++ END
++ call writefile(lines, 'XSmoothScrollCrash', 'D')
++ let buf = RunVimInTerminal('-u NONE -S XSmoothScrollCrash', #{rows: 12, cols:40})
++ call term_sendkeys(buf, "2\\")
++
++ call StopVimInTerminal(buf)
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
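Review bot: The two key sequences in the added Test_smoothscroll_crash look truncated as committed — `exe "norm! 0\"` is an unterminated string in Vim script (the `\"` escapes the closing quote) and `call term_sendkeys(buf, "2\\")` sends no scroll key, so as written the test cannot reach the skipcol recalculation the fix protects. Upstream's test presumably uses a `\<C-E>` key notation on both lines, which an HTML rendering would have stripped as a tag; verify the bytes of the committed backport file before treating a green test run as evidence the backport works. The C change itself is sound: `w2 = width + win_col_off2(wp)` can be zero when the window is narrower than the number and fold columns (and negative if w_width is below win_col_off), and `w2 > 0` guards both cases before the division. Note that `CheckScreendump` skips the test entirely on builds without terminal support, so the package's `make test` step may never exercise it.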
diff --git a/bugfix-security-overflow-with-count-for-s-command.patch b/backport-CVE-2023-48233.patch
similarity index 100%
rename from bugfix-security-overflow-with-count-for-s-command.patch
rename to backport-CVE-2023-48233.patch
diff --git a/backport-patch-9.0.2109-overflow-in-nv_z_get_count.patch b/backport-CVE-2023-48234.patch
similarity index 100%
rename from backport-patch-9.0.2109-overflow-in-nv_z_get_count.patch
rename to backport-CVE-2023-48234.patch
diff --git a/backport-patch-9.0.2110-overflow-in-ex-address-parsing.patch b/backport-CVE-2023-48235.patch
similarity index 100%
rename from backport-patch-9.0.2110-overflow-in-ex-address-parsing.patch
rename to backport-CVE-2023-48235.patch
diff --git a/backport-patch-9.0.2111-overflow-in-get_number.patch b/backport-CVE-2023-48236.patch
similarity index 100%
rename from backport-patch-9.0.2111-overflow-in-get_number.patch
rename to backport-CVE-2023-48236.patch
diff --git a/backport-patch-9.0.2112-overflow-in-shift_line.patch b/backport-CVE-2023-48237.patch
similarity index 100%
rename from backport-patch-9.0.2112-overflow-in-shift_line.patch
rename to backport-CVE-2023-48237.patch
diff --git a/backport-patch-9.0.2121-use-after-free-in-ex_substitute.patch b/backport-CVE-2023-48706.patch
similarity index 100%
rename from backport-patch-9.0.2121-use-after-free-in-ex_substitute.patch
rename to backport-CVE-2023-48706.patch
diff --git a/vim.spec b/vim.spec
index 5e14f84..0938016 100644
--- a/vim.spec
+++ b/vim.spec
@@ -14,7 +14,7 @@
 Name: vim
 Epoch: 2
 Version: %{baseversion}.%{patchlevel}
-Release: 5
+Release: 6
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -30,17 +30,18 @@
 Patch0004: vim-8.0-copy-paste.patch
 Patch0005: vim-python3-tests.patch
-Patch6000: bugfix-security-overflow-with-count-for-s-command.patch
-Patch6001: backport-patch-9.0.2106-Use-after-free-in-win_close.patch
-Patch6002: backport-patch-9.0.2109-overflow-in-nv_z_get_count.patch
-Patch6003: backport-patch-9.0.2110-overflow-in-ex-address-parsing.patch
-Patch6004: backport-patch-9.0.2111-overflow-in-get_number.patch
-Patch6005: backport-patch-9.0.2112-overflow-in-shift_line.patch
+Patch6000: backport-CVE-2023-48233.patch
+Patch6001: backport-CVE-2023-48231.patch
+Patch6002: backport-CVE-2023-48234.patch
+Patch6003: backport-CVE-2023-48235.patch
+Patch6004: backport-CVE-2023-48236.patch
+Patch6005: backport-CVE-2023-48237.patch
 Patch6006: backport-patch-9.0.2114-overflow-detection-not-accurate-when-adding.patch
-Patch6007: backport-patch-9.0.2121-use-after-free-in-ex_substitute.patch
+Patch6007: backport-CVE-2023-48706.patch
 Patch6008: backport-patch-9.0.2123-Problem-with-initializing-the-length-of-range-lists.patch
 Patch6009: backport-vim-7.0-rclocation.patch
 Patch6010: backport-CVE-2024-22667.patch
+Patch6011: backport-CVE-2023-48232.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -448,6 +449,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 %changelog
+* Fri Jul 12 2024 wangjiang - 2:9.0.2092-6
+- Type:CVE
+- ID:CVE-2023-48232
+- SUG:NA
+- DESC:fix CVE-2023-48232
+
 * Mon Jul 08 2024 wangjiang - 2:9.0.2092-5
 - Type:CVE
 - ID:CVE-2024-22667
-- 
Gitee
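Review bot: `Patch6011: backport-CVE-2023-48232.patch` is declared in this hunk but nothing visible applies it; if `%prep` uses `%autosetup -p1` it is picked up automatically, but if the spec applies patches with numbered `%patch` macros a matching `%patch6011 -p1` line is required, otherwise the build succeeds and the changelog claims a fix that was never compiled in. Please confirm against the `%prep` section, which is outside this diff. The file renames to CVE-named patches are harmless, but since the changelog entry only lists CVE-2023-48232, a second `- DESC:` line noting that Patch6000–6007 were renamed (content unchanged) would save the next reader a diffstat lookup.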