diff --git a/fix-CVE-2024-47814.patch b/fix-CVE-2024-47814.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2eeecbe1cd0d022c62e6bf0b4ecc44e867e2cc99
--- /dev/null
+++ b/fix-CVE-2024-47814.patch
@@ -0,0 +1,100 @@
+From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Tue, 8 Oct 2024 08:44:54 +0800
+Subject: [PATCH] fix CVE-2024-47814
+
+Problem: [security]: use-after-free when closing a buffer
+Solution: When splitting the window and editing a new buffer,
+ check whether the newly to be edited buffer has been marked
+ for deletion and abort in this case
+
+---
+ src/buffer.c | 5 +++++
+ src/ex_cmds.c | 12 ++++++++++++
+ src/testdir/test_autocmd.vim | 19 +++++++++++++++++++
+ src/version.c | 2 ++
+ 4 files changed, 38 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 34500e4..7f76c66 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -497,6 +497,11 @@ can_unload_buffer(buf_T *buf)
+ return can_unload;
+ }
+
++ int
++buf_locked(buf_T *buf)
++{
++ return buf->b_locked || buf->b_locked_split;
++}
+ /*
+ * Close the link to a buffer.
+ * "action" is used when there is no longer a window for the buffer.
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index acddd9c..b990de4 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -2743,6 +2743,18 @@ do_ecmd(
+ }
+ if (buf == NULL)
+ goto theend;
++ // autocommands try to edit a file that is goind to be removed,
++ // abort
++ if (buf_locked(buf))
++ {
++ // window was split, but not editing the new buffer,
++ // reset b_nwindows again
++ if (oldwin == NULL
++ && curwin->w_buffer != NULL
++ && curwin->w_buffer->b_nwindows > 1)
++ --curwin->w_buffer->b_nwindows;
++ goto theend;
++ }
+ if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
+ // reusing the buffer, keep the old alternate file
+ curwin->w_alt_fnum = prev_alt_fnum;
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index a863a23..7718788 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -4883,4 +4883,23 @@ func Test_GuiEnter_Turkish_locale()
+ endtry
+ endfunc
+
++" This was using freed memory
++func Test_autocmd_BufWinLeave_with_vsp()
++ new
++ let fname = 'XXXBufWinLeaveUAF.txt'
++ let dummy = 'XXXDummy.txt'
++ call writefile([], fname)
++ call writefile([], dummy)
++ defer delete(fname)
++ defer delete(dummy)
++ exe "e " fname
++ vsp
++ augroup testing
++ exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
++ augroup END
++ bw
++ call CleanUpTestAuGroup()
++ exe "bw! " .. dummy
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index d19fc01..39b0c85 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -704,6 +704,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 710,
+ /**/
+ 709,
+ /**/
+--
+2.43.0
+
diff --git a/vim.spec b/vim.spec
index 68c0490b125bb56e66efaa41e2ca0ae104d3ade3..753d58645f7b08c184f422d55ed1e3b6be78071c 100644
--- a/vim.spec
+++ b/vim.spec
@@ -10,7 +10,7 @@
 Name: vim
 Epoch: 2
 Version: %{baseversion}.%{patchlevel}
-Release: 1
+Release: 2
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim AND LGPL-2.1-or-later AND MIT AND GPL-1.0-only AND (GPL-2.0-only OR Vim) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND GPL-2.0-or-later AND GPL-3.0-or-later AND OPUBL-1.0 AND Apache-2.0 WITH Swift-exception
 URL: https://www.vim.org
@@ -24,6 +24,7 @@
 Patch0002: vim-8.0-copy-paste.patch
 Patch0003: vim-python3-tests.patch
 Patch0004: vim-9.0-spec-recognize-epoch.patch
 Patch0005: bugfix-rm-modify-info-version.patch
+Patch0006: fix-CVE-2024-47814.patch
 BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
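Review bot: The new non-static `buf_locked()` added to buffer.c is called from do_ecmd() in ex_cmds.c, yet the patch carries no hunk for src/proto/buffer.pro and its own diffstat lists only four files; unless this tree regenerates the prototype headers at build time, that call compiles against an implicit declaration (a hard error on recent GCC, a silent warning on older ones), so the backport should also add `int buf_locked(buf_T *buf);` to src/proto/buffer.pro. Two smaller nits in the same hunk: the helper is dropped directly above the `/* Close the link to a buffer.` comment with no blank line or header of its own, and the new comment reads "goind"; I would put `/* Return TRUE when "buf" is locked (b_locked or b_locked_split is set). */` above `buf_locked` and fix the typo to "going". The lock check aborts via `goto theend` without emitting any message as far as the hunk shows; since this abort is now the only thing standing between an autocommand and the freed buffer, it is worth confirming that a silent failure of the edit is the intended (upstream) behaviour rather than a lost error. do_ecmd() starts and ends outside the hunk.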
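Review bot: The new `Patch0006: fix-CVE-2024-47814.patch` line only takes effect if %prep applies patches with `%autosetup`/`%autopatch`; if this spec instead lists explicit `%patch` lines (the %prep section is outside this diff), a matching `%patch -P 6 -p1` must be added, otherwise the CVE fix is declared in the spec but never applied to the build. Confirming that the patch name appears in the build log would settle it either way.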
@@ -429,6 +430,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 %changelog
+* Tue Oct 08 2024 changtao - 2:9.1.0709-2
+- Type:CVE
+- ID:CVE-2024-47814
+- SUG:NA
+- DESC:fix CVE-2024-47814
+
 * Mon Sep 02 2024 Funda Wang - 2:9.1.0709-1
 - update to 9.1 patchlevel 0709