diff --git a/backport-CVE-2024-41957.patch b/backport-CVE-2024-41957.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4093f5b313ae40475ff7fc9f25aecc73a00965d7
--- /dev/null
+++ b/backport-CVE-2024-41957.patch
@@ -0,0 +1,62 @@
+From 8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Thu, 1 Aug 2024 20:16:51 +0200
+Subject: [PATCH] patch 9.1.0647: [security] use-after-free in
+ tagstack_clear_entry
+
+Problem: [security] use-after-free in tagstack_clear_entry
+ (Suyue Guo )
+Solution: Instead of manually calling vim_free() on each of the tagstack
+ entries, let's use tagstack_clear_entry(), which will
+ also free the stack, but using the VIM_CLEAR macro,
+ which prevents a use-after-free by setting those pointers
+ to NULL
+
+This addresses CVE-2024-41957
+
+Github advisory:
+https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4
+
+Signed-off-by: Christian Brabandt
+---
+ src/testdir/test_crash.vim | 6 ++++++
+ src/window.c | 5 +----
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+ create mode 100644 src/testdir/crash/double_free
+
+diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
+index 5cd07e2a3f0b53a0ec5b766a6f86b1f29fab18e7..6e701dcfad090c8f723f38f4d65327e2b5f2eaed 100644
+--- a/src/testdir/test_crash.vim
++++ b/src/testdir/test_crash.vim
+@@ -86,6 +86,12 @@ func Test_crash1()
+ call delete('Xerr')
+ call delete('@')
+
++ let file = 'crash/double_free'
++ let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\"
++ let args = printf(cmn_args, vim, file)
++ call term_sendkeys(buf, args)
++ call TermWait(buf, 50)
++
+ " clean up
+ exe buf .. "bw!"
+
+diff --git a/src/window.c b/src/window.c
+index 55ce31c8864373303f333d46959354243b85e025..2afa28d66ffb2ed811dfcc32f654562beccc64bc 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -5661,10 +5661,7 @@ win_free(
+ win_free_lsize(wp);
+
+ for (i = 0; i < wp->w_tagstacklen; ++i)
+- {
+- vim_free(wp->w_tagstack[i].tagname);
+- vim_free(wp->w_tagstack[i].user_data);
+- }
++ tagstack_clear_entry(&wp->w_tagstack[i]);
+ vim_free(wp->w_localdir);
+ vim_free(wp->w_prevdir);
+
+--
+2.41.0
+
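Review bot: The nested test_crash.vim hunk ends the new `cmn_args` assignment with `':qa!'\"`; if that backslash is really in the backport file rather than a rendering artifact of this page, Vim script treats `\"` as an escaped quote, the string literal is never closed, and `Test_crash1` errors out before it reaches the new `double_free` case, so the regression check for this fix would never run. The format string only needs to end with `':qa!'"`, and the backport should match the upstream line byte for byte. The embedded diffstat also lists `create mode 100644 src/testdir/crash/double_free` but the patch body carries no binary content for it, so the crash input has to be supplied out of band; a one-line comment at the top of the patch saying that it is provided as a separate source would spare the next rebaser a silently skipped test. The window.c part is the upstream fix as-is — `tagstack_clear_entry()` replaces the two bare `vim_free()` calls so the freed `tagname`/`user_data` pointers are reset instead of left dangling — and `win_free()` continues outside the hunk.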
diff --git a/double_free b/double_free
new file mode 100644
index 0000000000000000000000000000000000000000..895c4a04b6ab1c2eabc80a486e52cabd7a99a5ea
Binary files /dev/null and b/double_free differ
diff --git a/vim.spec b/vim.spec
index 093801675694eacc37af76c29d28ab867fadf690..bcbf62c805890fd2aadf1b1114cbfc631e77d9f5 100644
--- a/vim.spec
+++ b/vim.spec
@@ -14,13 +14,15 @@ Name: vim
 Epoch: 2
 Version: %{baseversion}.%{patchlevel}
-Release: 6
+Release: 7
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
 Source0: https://github.com/vim/vim/archive/v%{baseversion}.%{patchlevel}.tar.gz#/vim-%{baseversion}.%{patchlevel}.tar.gz
 Source1: virc
 Source2: vimrc
+# CVE-2024-41957
+Source3: double_free
 Patch0000: vim-7.0-fixkeys.patch
 Patch0001: vim-7.4-specsyntax.patch
@@ -42,6 +44,7 @@ Patch6008: backport-patch-9.0.2123-Problem-with-initializing-the-length-of-
 Patch6009: backport-vim-7.0-rclocation.patch
 Patch6010: backport-CVE-2024-22667.patch
 Patch6011: backport-CVE-2023-48232.patch
+Patch6012: backport-CVE-2024-41957.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -128,6 +131,7 @@ This X11 package serves you the ability to use vim with graphics and mouse.
 %prep
 %autosetup -b 0 -n %{name}-%{baseversion}.%{patchlevel} -p1
+cp %{SOURCE3} ./src/testdir/crash/double_free
 #ipv6 test fail in CI, it should be related to the ipv6 configuration on jenkins, which is successful on openEuler obs
 rm -rf src/testdir/test_channel.*
@@ -449,6 +453,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 %changelog
+* Fri Aug 02 2024 yinyongkang - 2:9.0.2092-7
+- Type:CVE
+- ID:CVE-2024-41957
+- SUG:NA
+- DESC:fix CVE-2024-41957
+
 * Fri Jul 12 2024 wangjiang - 2:9.0.2092-6
 - Type:CVE
 - ID:CVE-2023-48232
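Review bot: The `cp %{SOURCE3} ./src/testdir/crash/double_free` line added after `%autosetup` in the `%prep` hunk assumes `src/testdir/crash/` already exists in the 9.0.2092 tarball; the backported patch lists the file under `create mode` but creates no directory, so if the directory is absent `cp` fails and the whole `%prep` aborts. `install -D -m 0644 %{SOURCE3} src/testdir/crash/double_free` creates the path when needed and is a one-line swap. Note also that the test invocation visible in the last hunk's context, `make -j1 test || echo "Warning: Please check tests."`, can never fail the build, so a regression of this use-after-free would surface only as a log line; if the crash test is meant to gate the fix, the build should treat that test's failure as fatal. A short comment next to `Source3` saying that the blob is the crash input referenced by the backported `test_crash.vim` change (and where it was taken from) would also help whoever next refreshes the package.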