From 788819d8f5274defc0c9fa44dbd713d41ff220bd Mon Sep 17 00:00:00 2001
From: wjiang
Date: Tue, 18 Feb 2025 17:01:35 +0800
Subject: [PATCH] fix CVE-2025-1215 CVE-2025-26603
(cherry picked from commit 484204d14859f6b0b72275404607364a9c9be5ab)
---
backport-CVE-2025-1215.patch | 124 ++++++++++++++++++++++++++++++++++
backport-CVE-2025-26603.patch | 62 +++++++++++++++++
vim.spec | 10 ++-
3 files changed, 195 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2025-1215.patch
create mode 100644 backport-CVE-2025-26603.patch
diff --git a/backport-CVE-2025-1215.patch b/backport-CVE-2025-1215.patch
new file mode 100644
index 0000000..585473d
--- /dev/null
+++ b/backport-CVE-2025-1215.patch
@@ -0,0 +1,124 @@
+From c5654b84480822817bb7b69ebc97c174c91185e9 Mon Sep 17 00:00:00 2001
+From: Hirohito Higashi
+Date: Mon, 10 Feb 2025 20:55:17 +0100
+Subject: [PATCH] patch 9.1.1097: --log with non-existent path causes a crash
+
+Problem: --log with non-existent path causes a crash
+ (Ekkosun)
+Solution: split initialization phase and init the execution stack
+ earlier (Hirohito Higashi)
+
+fixes: #16606
+closes: #16610
+
+Signed-off-by: Hirohito Higashi
+Signed-off-by: Christian Brabandt
+---
+ src/main.c | 21 +++++++++++++++++----
+ src/message_test.c | 3 ++-
+ src/proto/main.pro | 3 ++-
+ src/testdir/test_startup.vim | 7 +++++++
+ 4 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index ecc61f4d0be886..f603a52a52e09d 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -138,6 +138,11 @@ main
+ atexit(vim_mem_profile_dump);
+ #endif
+
++ /*
++ * Various initialisations #1 shared with tests.
++ */
++ common_init_1();
++
+ #if defined(STARTUPTIME) || defined(FEAT_JOB_CHANNEL)
+ // Need to find "--startuptime" and "--log" before actually parsing
+ // arguments.
+@@ -180,9 +185,9 @@ main
+ #endif
+
+ /*
+- * Various initialisations shared with tests.
++ * Various initialisations #2 shared with tests.
+ */
+- common_init(¶ms);
++ common_init_2(¶ms);
+
+ #ifdef VIMDLL
+ // Check if the current executable file is for the GUI subsystem.
+@@ -890,10 +895,10 @@ vim_main2(void)
+ }
+
+ /*
+- * Initialisation shared by main() and some tests.
++ * Initialisation #1 shared by main() and some tests.
+ */
+ void
+-common_init(mparm_T *paramp)
++common_init_1(void)
+ {
+ estack_init();
+ cmdline_init();
+@@ -915,7 +920,15 @@ common_init(mparm_T *paramp)
+ || (NameBuff = alloc(MAXPATHL)) == NULL)
+ mch_exit(0);
+ TIME_MSG("Allocated generic buffers");
++}
++
+
++/*
++ * Initialisation #2 shared by main() and some tests.
++ */
++ void
++common_init_2(mparm_T *paramp)
++{
+ #ifdef NBDEBUG
+ // Wait a moment for debugging NetBeans.
Must be after allocating
+ // NameBuff.
+diff --git a/src/message_test.c b/src/message_test.c
+index 62f7772470d0e4..83767ece930899 100644
+--- a/src/message_test.c
++++ b/src/message_test.c
+@@ -312,7 +312,8 @@ main(int argc, char **argv)
+ CLEAR_FIELD(params);
+ params.argc = argc;
+ params.argv = argv;
+- common_init(¶ms);
++ common_init_1();
++ common_init_2(¶ms);
+
+ set_option_value_give_err((char_u *)"encoding", 0, (char_u *)"utf-8", 0);
+ init_chartab();
+diff --git a/src/proto/main.pro b/src/proto/main.pro
+index 496fe66be6950d..7e4c50803e8ef2 100644
+--- a/src/proto/main.pro
++++ b/src/proto/main.pro
+@@ -1,6 +1,7 @@
+ /* main.c */
+ int vim_main2(void);
+-void common_init(mparm_T *paramp);
++void common_init_1(void);
++void common_init_2(mparm_T *paramp);
+ int is_not_a_term(void);
+ char_u *get_gui_dialog_file(void);
+ int op_pending(void);
+diff --git a/src/testdir/test_startup.vim b/src/testdir/test_startup.vim
+index 7c703916045e70..c16e4ae27de3b2 100644
+--- a/src/testdir/test_startup.vim
++++ b/src/testdir/test_startup.vim
+@@ -747,6 +747,13 @@ func Test_log()
+ call delete('Xlogfile')
+ endfunc
+
++func Test_log_nonexistent()
++ " this used to crash Vim
++ CheckFeature channel
++ let result = join(systemlist(GetVimCommand() .. ' --log /X/Xlogfile -c qa!'))
++ call assert_match("E484: Can't open file", result)
++endfunc
++
+ func Test_read_stdin()
+ let after =<< trim [CODE]
+ write Xtestout
diff --git a/backport-CVE-2025-26603.patch b/backport-CVE-2025-26603.patch
new file mode 100644
index 0000000..f91102f
--- /dev/null
+++ b/backport-CVE-2025-26603.patch
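Review bot: The context line `- common_init(¶ms);` in the src/main.c hunk, and again in the src/message_test.c hunk, reads `¶ms` where upstream has `&params`; this is most likely the page rendering `&para` as an HTML entity rather than the bytes of the added file, but a patch context line must match the 9.0 source byte for byte, so confirm that the stored backport-CVE-2025-1215.patch really contains `common_init(&params);` and keeps its leading indentation, since either discrepancy makes the hunk reject. The hunk offsets (`@@ -138,6 +138,11 @@` and the rest) are upstream 9.1.1097 numbers applied to a 9.0 tree, so a fuzz-free apply in %prep is the check that the split between `common_init_1()` and `common_init_2()` landed where the `--log` handling sits. The regression test `Test_log_nonexistent` is gated on `CheckFeature channel`, which matches the `#if defined(STARTUPTIME) || defined(FEAT_JOB_CHANNEL)` guard around the crash path, so on a build without the channel feature `make -j1 test` skips it rather than exercising the fix.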
@@ -0,0 +1,62 @@
+From c0f0e2380e5954f4a52a131bf6b8499838ad1dae Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 16 Feb 2025 16:06:38 +0100
+Subject: [PATCH] patch 9.1.1115: [security]: use-after-free in str_to_reg()
+
+Problem: [security]: use-after-free in str_to_reg()
+ (fizz-is-on-the-way)
+Solution: when redirecting the :display command, check that one
+ does not output to the register being displayed
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
+
+Signed-off-by: Christian Brabandt
+---
+ src/register.c | 3 ++-
+ src/testdir/test_registers.vim | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index 0df05054ca7229..a9630f8ef5db93 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -2394,7 +2394,8 @@ ex_display(exarg_T *eap)
+
+ #ifdef FEAT_EVAL
+ if (name == MB_TOLOWER(redir_reg)
+- || (redir_reg == '"' && yb == y_previous))
++ || (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
++ (yb == y_previous || yb == &y_regs[0])))
+ continue; // do not list register being written to, the
+ // pointer can be freed
+ #endif
+diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
+index 1177c2395d3f09..13127022666e04 100644
+--- a/src/testdir/test_registers.vim
++++ b/src/testdir/test_registers.vim
+@@ -867,4 +867,24 @@ func Test_register_y_append_reset()
+ bwipe!
+ endfunc
+
++" This caused use-after-free
++func Test_register_redir_display()
++ " don't touch the clipboard, so only perform this, when the clipboard is not working
++ if has("clipboard_working")
++ throw "Skipped: skip touching the clipboard register!"
++ endif
++ let @"=''
++ redir @+>
++ disp +"
++ redir END
++ call assert_equal("\nType Name Content", getreg('+'))
++ let a = [getreg('1'), getregtype('1')]
++ let @1='register 1'
++ redir @+
++ disp 1
++ redir END
++ call assert_equal("register 1", getreg('1'))
++ call setreg(1, a[0], a[1])
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index 5e5d99d..e9aa1c3 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@ Name: vim
Epoch: 2
Version: 9.0
-Release: 31
+Release: 32
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
@@ -131,6 +131,8 @@ Patch6101: backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-compl
Patch6102: backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
Patch6103: backport-CVE-2025-22134.patch
Patch6104: backport-CVE-2025-24014.patch
+Patch6105: backport-CVE-2025-1215.patch
+Patch6106: backport-CVE-2025-26603.patch
Patch9000: bugfix-rm-modify-info-version.patch
Patch9001: vim-Add-sw64-architecture.patch
@@ -542,6 +544,12 @@ LANG=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.*
%changelog
+* Tue Feb 18 2025 wangjiang - 2:9.0-32
+- Type:CVE
+- ID:CVE-2025-1215 CVE-2025-26603
+- SUG:NA
+- DESC:fix CVE-2025-1215 CVE-2025-26603
+
* Mon Jan 20 2025 wangjiang - 2:9.0-31
- Type:CVE
- ID:CVE-2025-22134 CVE-2025-24014
--
Gitee
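Review bot: The regression test `Test_register_redir_display` throws `Skipped` whenever `has("clipboard_working")` is true, so on a test host with a working clipboard the new `vim_strchr((char_u *)"\"*+", redir_reg) != NULL` guard in `ex_display()` is never exercised and a green `make -j1 test` says nothing about the use-after-free fix; in a headless RPM build the test should run, but a skip is only visible in the test output, so check the log for it rather than assume. The removed line `|| (redir_reg == '"' && yb == y_previous))` must exist verbatim in the 9.0 `ex_display()` for the src/register.c hunk to apply, since the offsets are 9.1.1115 numbers; a mismatch rejects the hunk outright rather than mis-applying it, which is the safe failure mode but still needs a build-log check. `ex_display()` starts and ends outside the hunk.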
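Review bot: The `@@ -131,6 +131,8 @@` hunk only declares `Patch6105:` and `Patch6106:`; nothing in this diff applies them, so if the %prep section (outside the hunk) uses explicit `%patchN` lines rather than `%autosetup -p1`, both CVE fixes are declared but never applied while the Release bump and changelog still claim them. The preceding `Patch6103`/`Patch6104` entries presumably go through the same mechanism, so this is a check against %prep rather than a change to the hunk. Naming the upstream patch numbers next to the CVE ids in the changelog would make later backport audits easier, e.g. `- DESC:fix CVE-2025-1215 (patch 9.1.1097) CVE-2025-26603 (patch 9.1.1115)`.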