From f7f987912ecc4798249717f9658e1b177f1375fd Mon Sep 17 00:00:00 2001
From: yinyongkang <yinyongkang@kylinos.cn>
Date: Fri, 2 Aug 2024 09:50:00 +0800
Subject: [PATCH] fix CVE-2024-41957

---
 backport-CVE-2024-41957.patch |  62 ++++++++++++++++++++++++++++++++++
 double_free                   | Bin 0 -> 561 bytes
 vim.spec                      |  12 ++++++-
 3 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-41957.patch
 create mode 100644 double_free

diff --git a/backport-CVE-2024-41957.patch b/backport-CVE-2024-41957.patch
new file mode 100644
index 0000000..4093f5b
--- /dev/null
+++ b/backport-CVE-2024-41957.patch
@@ -0,0 +1,62 @@
+From 8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Thu, 1 Aug 2024 20:16:51 +0200
+Subject: [PATCH] patch 9.1.0647: [security] use-after-free in
+ tagstack_clear_entry
+
+Problem:  [security] use-after-free in tagstack_clear_entry
+          (Suyue Guo )
+Solution: Instead of manually calling vim_free() on each of the tagstack
+          entries, let's use tagstack_clear_entry(), which will
+          also free the stack, but using the VIM_CLEAR macro,
+          which prevents a use-after-free by setting those pointers
+          to NULL
+
+This addresses CVE-2024-41957
+
+Github advisory:
+https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/testdir/test_crash.vim    |   6 ++++++
+ src/window.c                  |   5 +----
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+ create mode 100644 src/testdir/crash/double_free
+
+diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
+index 5cd07e2a3f0b53a0ec5b766a6f86b1f29fab18e7..6e701dcfad090c8f723f38f4d65327e2b5f2eaed 100644
+--- a/src/testdir/test_crash.vim
++++ b/src/testdir/test_crash.vim
+@@ -86,6 +86,12 @@ func Test_crash1()
+   call delete('Xerr')
+   call delete('@')
+ 
++  let file = 'crash/double_free'
++  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
++  let args = printf(cmn_args, vim, file)
++  call term_sendkeys(buf, args)
++  call TermWait(buf, 50)
++
+   " clean up
+   exe buf .. "bw!"
+ 
+diff --git a/src/window.c b/src/window.c
+index 55ce31c8864373303f333d46959354243b85e025..2afa28d66ffb2ed811dfcc32f654562beccc64bc 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -5661,10 +5661,7 @@ win_free(
+     win_free_lsize(wp);
+ 
+     for (i = 0; i < wp->w_tagstacklen; ++i)
+-    {
+-	vim_free(wp->w_tagstack[i].tagname);
+-	vim_free(wp->w_tagstack[i].user_data);
+-    }
++	tagstack_clear_entry(&wp->w_tagstack[i]);
+     vim_free(wp->w_localdir);
+     vim_free(wp->w_prevdir);
+ 
+-- 
+2.41.0
+
diff --git a/double_free b/double_free
new file mode 100644
index 0000000000000000000000000000000000000000..895c4a04b6ab1c2eabc80a486e52cabd7a99a5ea
GIT binary patch
literal 561
zcmY+BL2DC16vtm$FL@r)OM?`VNi5idX;=tFTegZ#(3FA_g$iA9XET#zWiz{-+3kcR
z+8h)-c<|7hpT_Uv_ZVMH6#QM@@PBXKoA)1nT!N}!;A@rCk*nK{qi~J@P`Y><JR?x0
zAV|1&|FSA+^(FFrgz2ezF`;5iu43ohexuRo5_JaC>8t4q{~#Di*6H;w(jtG~j{r!x
z#3aqYpoj+pgIo_KYyg;mrs*+t$*`Q-X0v(1u%E^Ti}j5W!>AYtFB0B)5P^C!=IhEP
z!)mp9s)zTK=uG0=i|@l@%s<Sw#dpkiFtYeivUf;Wt9iDdzH+a;E5nfHv39U$u+p`-
zy`X8qU9<7m3w*P+TyH$oGUGzb%*<mqBQ2Svvu4cyALoFdE!Q~b$sLclJbYQ^$ED35
zlxbTnLw|+^nXM$Le-y@;3h4_-ZT)Jk(9SOc!S(YbHsXk0xOUdTE%H10Np3G$lvvxI
zeCz1RRo+w5qD5FNyOP$cgZc_*xNoxLTA;~f?ZGGHMU9!I<@34hvoFKX(ax4FHgB9$
b@#Ju~e()5!l?r~Wt$4JK6w)H|eN?{zo!qIG

literal 0
HcmV?d00001

diff --git a/vim.spec b/vim.spec
index 0938016..bcbf62c 100644
--- a/vim.spec
+++ b/vim.spec
@@ -14,13 +14,15 @@
 Name:           vim
 Epoch:          2
 Version:        %{baseversion}.%{patchlevel}
-Release:        6
+Release:        7
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
 Source0:        https://github.com/vim/vim/archive/v%{baseversion}.%{patchlevel}.tar.gz#/vim-%{baseversion}.%{patchlevel}.tar.gz
 Source1:        virc
 Source2:        vimrc
+# CVE-2024-41957
+Source3:        double_free
 
 Patch0000:      vim-7.0-fixkeys.patch
 Patch0001:      vim-7.4-specsyntax.patch
@@ -42,6 +44,7 @@ Patch6008:      backport-patch-9.0.2123-Problem-with-initializing-the-length-of-
 Patch6009:      backport-vim-7.0-rclocation.patch
 Patch6010:      backport-CVE-2024-22667.patch
 Patch6011:      backport-CVE-2023-48232.patch
+Patch6012:      backport-CVE-2024-41957.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 
@@ -128,6 +131,7 @@ This X11 package serves you the ability to use vim with graphics and mouse.
 
 %prep
 %autosetup -b 0 -n %{name}-%{baseversion}.%{patchlevel} -p1
+cp %{SOURCE3} ./src/testdir/crash/double_free
 
 #ipv6 test fail in CI, it should be related to the ipv6 configuration on jenkins, which is successful on openEuler obs
 rm -rf src/testdir/test_channel.*
@@ -449,6 +453,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 
 %changelog
+* Fri Aug 02 2024 yinyongkang <yinyongkang@kylinos.cn> - 2:9.0.2092-7
+- Type:CVE
+- ID:CVE-2024-41957
+- SUG:NA
+- DESC:fix CVE-2024-41957
+
 * Fri Jul 12 2024 wangjiang <wangjiang37@h-partners.com> - 2:9.0.2092-6
 - Type:CVE
 - ID:CVE-2023-48232
-- 
Gitee