diff --git a/backport-CVE-2025-26603.patch b/backport-CVE-2025-26603.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e608548c546d88e3ab13def26277714986c459d8
--- /dev/null
+++ b/backport-CVE-2025-26603.patch
@@ -0,0 +1,79 @@
+From c0f0e2380e5954f4a52a131bf6b8499838ad1dae Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 16 Feb 2025 16:06:38 +0100
+Subject: [PATCH] patch 9.1.1115: [security]: use-after-free in str_to_reg()
+
+Problem: [security]: use-after-free in str_to_reg()
+ (fizz-is-on-the-way)
+Solution: when redirecting the :display command, check that one
+ does not output to the register being displayed
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
+
+Signed-off-by: Christian Brabandt
+---
+ src/register.c | 3 ++-
+ src/testdir/test_registers.vim | 20 ++++++++++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index 9a23be8..c774836 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -2405,7 +2405,8 @@ ex_display(exarg_T *eap)
+
+ #ifdef FEAT_EVAL
+ if (name == MB_TOLOWER(redir_reg)
+- || (redir_reg == '"' && yb == y_previous))
++ || (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
++ (yb == y_previous || yb == &y_regs[0])))
+ continue; // do not list register being written to, the
+ // pointer can be freed
+ #endif
+diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
+index e8bee99..3c57055 100644
+--- a/src/testdir/test_registers.vim
++++ b/src/testdir/test_registers.vim
+@@ -929,4 +929,24 @@ func Test_register_y_append_reset()
+ bwipe!
+ endfunc
+
++" This caused use-after-free
++func Test_register_redir_display()
++ " don't touch the clipboard, so only perform this, when the clipboard is not working
++ if has("clipboard_working")
++ throw "Skipped: skip touching the clipboard register!"
++ endif
++ let @"=''
++ redir @+>
++ disp +"
++ redir END
++ call assert_equal("\nType Name Content", getreg('+'))
++ let a = [getreg('1'), getregtype('1')]
++ let @1='register 1'
++ redir @+
++ disp 1
++ redir END
++ call assert_equal("register 1", getreg('1'))
++ call setreg(1, a[0], a[1])
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 286a45f..0e02317 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -704,6 +704,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 680,
+ /**/
+ 679,
+ /**/
+--
+2.46.0
+
diff --git a/vim.spec b/vim.spec
index 0bfd5f7f05d82dc8763a049ef5eabff19ff464bf..7557ea03cb73281b0498274c7b2633a0bcf8cbe2 100644
--- a/vim.spec
+++ b/vim.spec
@@ -14,7 +14,7 @@ Name: vim Epoch: 2 Version: %{baseversion}.%{patchlevel} -Release: 16 +Release: 17 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org
@@ -59,6 +59,7 @@ Patch6024: backport-CVE-2025-24014.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: fix-CVE-2024-47814.patch +Patch9002: backport-CVE-2025-26603.patch BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@@ -464,6 +465,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests." %{_mandir}/man1/evim.* %changelog +* Thu Feb 20 2025 changtao - 2:9.0.2092-17 +- Type:CVE +- ID:CVE-2025-26603 +- SUG:NA +- DESC:CVE-2025-26603 + * Mon Jan 20 2025 wangjiang - 2:9.0.2092-16 - Type:CVE - ID:CVE-2025-22134 CVE-2025-24014
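Review bot: The regression test this backport carries, `Test_register_redir_display`, does not gate the package build, so nothing in the build confirms the use-after-free is closed on the 9.0.2092 tree. The test throws `Skipped` whenever `has("clipboard_working")` is true, and the spec's test step quoted in the last vim.spec hunk header is `make -j1 test || echo "Warning: Please check tests."`, which turns a failure into a log line. Confirm once, in a build without a working clipboard and preferably under ASan or valgrind, that the test runs and passes with the patch applied. The `src/version.c` hunk also registers `680` above `679`, which matches neither the upstream number in the subject (9.1.1115) nor the packaged patch level; if that is a local counter, a header line such as `Backport note: version.c number is local, upstream patch is 9.1.1115` would make that clear.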