diff --git a/backport-CVE-2025-1215.patch b/backport-CVE-2025-1215.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9b61d09979f26d82be573689db6d51234e5f893f
--- /dev/null
+++ b/backport-CVE-2025-1215.patch
@@ -0,0 +1,124 @@ +From c5654b84480822817bb7b69ebc97c174c91185e9 Mon Sep 17 00:00:00 2001 +From: Hirohito Higashi +Date: Mon, 10 Feb 2025 20:55:17 +0100 +Subject: [PATCH] patch 9.1.1097: --log with non-existent path causes a crash + +Problem: --log with non-existent path causes a crash + (Ekkosun) +Solution: split initialization phase and init the execution stack + earlier (Hirohito Higashi) + +fixes: #16606 +closes: #16610 + +Signed-off-by: Hirohito Higashi +Signed-off-by: Christian Brabandt +--- + src/main.c | 21 +++++++++++++++++---- + src/message_test.c | 3 ++- + src/proto/main.pro | 3 ++- + src/testdir/test_startup.vim | 7 +++++++ + 4 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/src/main.c b/src/main.c +index ecc61f4d0be886..f603a52a52e09d 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -144,6 +144,11 @@ main + atexit(vim_mem_profile_dump); + #endif + ++ /* ++ * Various initialisations #1 shared with tests. ++ */ ++ common_init_1(); ++ + #if defined(STARTUPTIME) || defined(FEAT_JOB_CHANNEL) + // Need to find "--startuptime" and "--log" before actually parsing + // arguments. +@@ -185,9 +190,9 @@ main + #endif + + /* +- * Various initialisations shared with tests. ++ * Various initialisations #2 shared with tests. + */ +- common_init(¶ms); ++ common_init_2(¶ms); + + #ifdef VIMDLL + // Check if the current executable file is for the GUI subsystem. +@@ -900,10 +905,10 @@ vim_main2(void) + } + + /* +- * Initialisation shared by main() and some tests. ++ * Initialisation #1 shared by main() and some tests. + */ + void +-common_init(mparm_T *paramp) ++common_init_1(void) + { + estack_init(); + cmdline_init(); +@@ -925,7 +930,15 @@ common_init(mparm_T *paramp) + || (NameBuff = alloc(MAXPATHL)) == NULL) + mch_exit(0); + TIME_MSG("Allocated generic buffers"); ++} ++ + ++/* ++ * Initialisation #2 shared by main() and some tests. ++ */ ++ void ++common_init_2(mparm_T *paramp) ++{ + #ifdef NBDEBUG + // Wait a moment for debugging NetBeans. 
Must be after allocating
+ // NameBuff.
+diff --git a/src/message_test.c b/src/message_test.c
+index 62f7772470d0e4..83767ece930899 100644
+--- a/src/message_test.c
++++ b/src/message_test.c
+@@ -508,7 +508,8 @@ main(int argc, char **argv)
+ CLEAR_FIELD(params);
+ params.argc = argc;
+ params.argv = argv;
+- common_init(¶ms);
++ common_init_1();
++ common_init_2(¶ms);
+
+ set_option_value_give_err((char_u *)"encoding", 0, (char_u *)"utf-8", 0);
+ init_chartab();
+diff --git a/src/proto/main.pro b/src/proto/main.pro
+index 496fe66be6950d..7e4c50803e8ef2 100644
+--- a/src/proto/main.pro
++++ b/src/proto/main.pro
+@@ -1,6 +1,7 @@
+ /* main.c */
+ int vim_main2(void);
+-void common_init(mparm_T *paramp);
++void common_init_1(void);
++void common_init_2(mparm_T *paramp);
+ int is_not_a_term(void);
+ int is_not_a_term_or_gui(void);
+ void free_vbuf(void);
+diff --git a/src/testdir/test_startup.vim b/src/testdir/test_startup.vim
+index 7c703916045e70..c16e4ae27de3b2 100644
+--- a/src/testdir/test_startup.vim
++++ b/src/testdir/test_startup.vim
+@@ -734,6 +734,13 @@ func Test_log()
+ call delete('Xlogfile')
+ endfunc
+
++func Test_log_nonexistent()
++ " this used to crash Vim
++ CheckFeature channel
++ let result = join(systemlist(GetVimCommand() .. ' --log /X/Xlogfile -c qa!'))
++ call assert_match("E484: Can't open file", result)
++endfunc
++
+ func Test_read_stdin()
+ let after =<< trim [CODE]
+ write Xtestout
diff --git a/backport-CVE-2025-26603.patch b/backport-CVE-2025-26603.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c161b669187e8fc7dfd3dc6ec22160bc788921ff
--- /dev/null
+++ b/backport-CVE-2025-26603.patch
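Review bot: The `common_init` → `common_init_1`/`common_init_2` split is applied only where the upstream hunks touch it (`src/main.c`, `src/message_test.c` and the prototype in `src/proto/main.pro`); upstream made this change against 9.1.1097 while this package is 9.0.2092, so any other caller of `common_init` in the 9.0.2092 tree would fail to link after the rename and is worth a quick `grep -rn 'common_init(' src/` before merging. The `common_init_2(¶ms)` lines show `¶ms` where the code must read `&params`; this looks like an entity-encoding artifact of the page rather than of the file, but if the on-disk patch carries that byte sequence the hunk will not compile. The regression test `Test_log_nonexistent` is guarded by `CheckFeature channel`, so the crash path is only covered on builds with the channel feature compiled in.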
@@ -0,0 +1,62 @@
+From c0f0e2380e5954f4a52a131bf6b8499838ad1dae Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 16 Feb 2025 16:06:38 +0100
+Subject: [PATCH] patch 9.1.1115: [security]: use-after-free in str_to_reg()
+
+Problem: [security]: use-after-free in str_to_reg()
+ (fizz-is-on-the-way)
+Solution: when redirecting the :display command, check that one
+ does not output to the register being displayed
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
+
+Signed-off-by: Christian Brabandt
+---
+ src/register.c | 3 ++-
+ src/testdir/test_registers.vim | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index 0df05054ca7229..a9630f8ef5db93 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -2405,7 +2405,8 @@ ex_display(exarg_T *eap)
+
+ #ifdef FEAT_EVAL
+ if (name == MB_TOLOWER(redir_reg)
+- || (redir_reg == '"' && yb == y_previous))
++ || (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
++ (yb == y_previous || yb == &y_regs[0])))
+ continue; // do not list register being written to, the
+ // pointer can be freed
+ #endif
+diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
+index 1177c2395d3f09..13127022666e04 100644
+--- a/src/testdir/test_registers.vim
++++ b/src/testdir/test_registers.vim
+@@ -929,4 +929,24 @@ func Test_register_y_append_reset()
+ bwipe!
+ endfunc
+
++" This caused use-after-free
++func Test_register_redir_display()
++ " don't touch the clipboard, so only perform this, when the clipboard is not working
++ if has("clipboard_working")
++ throw "Skipped: skip touching the clipboard register!"
++ endif
++ let @"=''
++ redir @+>
++ disp +"
++ redir END
++ call assert_equal("\nType Name Content", getreg('+'))
++ let a = [getreg('1'), getregtype('1')]
++ let @1='register 1'
++ redir @+
++ disp 1
++ redir END
++ call assert_equal("register 1", getreg('1'))
++ call setreg(1, a[0], a[1])
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index 0bfd5f7f05d82dc8763a049ef5eabff19ff464bf..f0d472d527a7bb124babd0da4ce553cd1c9cfea8 100644
--- a/vim.spec
+++ b/vim.spec
@@ -14,7 +14,7 @@ Name: vim
 Epoch: 2
 Version: %{baseversion}.%{patchlevel}
-Release: 16
+Release: 17
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -56,6 +56,8 @@ Patch6021: backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-compl
 Patch6022: backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
 Patch6023: backport-CVE-2025-22134.patch
 Patch6024: backport-CVE-2025-24014.patch
+Patch6025: backport-CVE-2025-1215.patch
+Patch6026: backport-CVE-2025-26603.patch
 Patch9000: bugfix-rm-modify-info-version.patch
 Patch9001: fix-CVE-2024-47814.patch
@@ -464,6 +466,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 %changelog
+* Tue Feb 18 2025 wangjiang - 2:9.0.2092-17
+- Type:CVE
+- ID:CVE-2025-1215 CVE-2025-26603
+- SUG:NA
+- DESC:fix CVE-2025-1215 CVE-2025-26603
+
 * Mon Jan 20 2025 wangjiang - 2:9.0.2092-16
 - Type:CVE
 - ID:CVE-2025-22134 CVE-2025-24014
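Review bot: `Test_register_redir_display` throws `Skipped` whenever `has("clipboard_working")` is true, so on a build where the clipboard is available — the configuration in which `redir @+` really writes the `+` register — the corrected `ex_display` condition is never exercised by the suite, and the register.c change is then verified only by review. Since the packaged build runs the suite as `make -j1 test || echo "Warning: Please check tests."` (visible as context in the vim.spec hunk), neither a skip nor a failure of this test would surface; confirm manually that the `vim_strchr((char_u *)"\"*+", redir_reg)` hunk applies to the 9.0.2092 `ex_display` without fuzz and that the test passes in a headless build. The enclosing `ex_display` function starts and ends outside the hunk.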
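Review bot: The `%check` command `make -j1 test || echo "Warning: Please check tests."`, shown as context of the `@@ -464,6 +466,12 @@` hunk, turns every test failure into a log line, so the regression tests shipped with the new `Patch6025`/`Patch6026` entries (`Test_log_nonexistent`, `Test_register_redir_display`) cannot fail the build. If the `|| echo` is kept to tolerate flaky tests, at least grep the test output for those two names so a regression in either CVE fix is noticed. The hunk only adds the `PatchNNNN:` declarations; if this spec applies patches with explicit `%patch` lines rather than `%autosetup` (not visible here), matching apply lines are needed as well.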