From 7d618cd559b766fe123c6cc9194399ec266d8caa Mon Sep 17 00:00:00 2001
From: wjiang
Date: Wed, 27 Aug 2025 15:53:45 +0800
Subject: [PATCH] fix CVE-2025-9389
---
 backport-CVE-2025-9389.patch | 104 +++++++++++++++++++++++++++++++++++
 vim.spec | 6 +-
 2 files changed, 109 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-9389.patch
diff --git a/backport-CVE-2025-9389.patch b/backport-CVE-2025-9389.patch
new file mode 100644
index 0000000..949bbf5
--- /dev/null
+++ b/backport-CVE-2025-9389.patch
@@ -0,0 +1,104 @@
+From b922b30cfe4c044c83bac3cc908084ed20a83598 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Joakim=20Nohlg=C3=A5rd?=
+Date: Sun, 24 Aug 2025 12:36:44 +0200
+Subject: [PATCH] patch 9.1.1683: xxd: Avoid null dereference in autoskip
+ colorless
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem: xxd: Avoid null dereference in autoskip colorless
+Solution: Verify that colors is not null (Joakim Nohlgård)
+
+Fixes bug introduced in 6897f18ee6e5bb78b32c97616e484030fd514750
+(v9.1.1459) which does a memcpy from NULL when color=never and the
+autoskip option is used.
+
+Before:
+
+dd if=/dev/zero bs=100 count=1 status=none | xxd -a -R never
+00000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
+Segmentation fault (core dumped)
+
+After:
+
+dd if=/dev/zero bs=100 count=1 status=none | ./xxd/xxd -a -R never
+00000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
+*
+00000060: 0000 0000 ....
+
+closes: #18008
+
+Signed-off-by: Joakim Nohlgård
+Signed-off-by: Christian Brabandt
+---
+ src/testdir/test_xxd.vim | 24 ++++++++++++++++++++++++
+ src/xxd/xxd.c | 8 ++++++--
+ 2 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/src/testdir/test_xxd.vim b/src/testdir/test_xxd.vim
+index 477af7a540fc30..b98988157b08ac 100644
+--- a/src/testdir/test_xxd.vim
++++ b/src/testdir/test_xxd.vim
+@@ -701,4 +701,28 @@ func Test_xxd_overflow()
+ call assert_equal(expected, getline(1, 5))
+ bw!
+ endfunc
++
++" this caused a NULL derefence
++func Test_xxd_null_dereference()
++ CheckUnix
++ CheckExecutable /bin/true
++ new
++ " we are only checking, that there are addresses in the first 5 lines
++ let expected = [
++ \ '00000000: ',
++ \ '00000010: ',
++ \ '00000020: ',
++ \ '00000030: ',
++ \ '00000040: ']
++ exe "0r! " s:xxd_cmd "-a -R never /bin/true 2>&1"
++ " there should be more than 6 lines
++ call assert_true(line('$') > 5)
++ " there should not be an ASAN error message
++ call getline(1, '$')->join('\n')->assert_notmatch('runtime error')
++ 6,$d
++ %s/^\x\+: \zs.*//g
++ call assert_equal(expected, getline(1, 5))
++ bw!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/xxd/xxd.c b/src/xxd/xxd.c
+index 0c70b5a95d7506..b46cee41f0be35 100644
+--- a/src/xxd/xxd.c
++++ b/src/xxd/xxd.c
+@@ -70,6 +70,7 @@
+ * 15.06.2025 improve color code logic
+ * 08.08.2025 fix overflow with bitwise output
+ * 20.08.2025 remove external library call for autoconversion on z/OS (MVS)
++ * 24.08.2025 avoid NULL dereference with autoskip colorless
+ *
+ * (c) 1990-1998 by Juergen Weigert (jnweiger@gmail.com)
+ *
+@@ -150,7 +151,7 @@ extern void perror __P((char *));
+ # endif
+ #endif
+
+-char version[] = "xxd 2025-08-20 by Juergen Weigert et al.";
++char version[] = "xxd 2025-08-24 by Juergen Weigert et al.";
+ #ifdef WIN32
+ char osver[] = " (Win32)";
+ #else
+@@ -599,7 +600,10 @@ xxdline(FILE *fp, char *l, char *colors, int nz)
+ if (!nz && zero_seen == 1)
+ {
+ strcpy(z, l);
+- memcpy(z_colors, colors, strlen(z));
++ if (colors)
++ {
++ memcpy(z_colors, colors, strlen(z));
++ }
+ }
+
+ if (nz || !zero_seen++)
diff --git a/vim.spec b/vim.spec
index 8950255..bf76af3 100644
--- a/vim.spec
+++ b/vim.spec
@@ -10,7 +10,7 @@ Name: vim
 Epoch: 2
 Version: %{baseversion}.%{patchlevel}
-Release: 1
+Release: 2
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim AND LGPL-2.1-or-later AND MIT AND GPL-1.0-only AND (GPL-2.0-only OR Vim) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND GPL-2.0-or-later AND GPL-3.0-or-later AND OPUBL-1.0 AND Apache-2.0 WITH Swift-exception
 URL: https://www.vim.org
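Review bot: The regression test added by the backport, `Test_xxd_null_dereference`, feeds `/bin/true` to `xxd -a -R never`, so it reaches the guarded `memcpy` only if that binary on the build host contains a run of all-zero lines; where it does not, the test passes without exercising the NULL check. Its crash-specific assertion matches only 'runtime error', which looks like sanitizer output, so in an unsanitized build a segfault is caught only indirectly through `line('$') > 5`. A fixed input such as the 100 zero bytes from the commit message, plus an assertion that a `*` line appears, would pin the fixed path; at minimum the test deserves the comment `" relies on /bin/true containing consecutive all-zero lines so that -a autoskips`. The header of the last vim.spec hunk also shows `make -j1 test || echo "Warning: Please check tests."`, so a failure of this test would presumably not fail the package build.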
@@ -24,6 +24,7 @@ Patch0002: vim-8.0-copy-paste.patch
 Patch0003: vim-python3-tests.patch
 Patch0005: bugfix-rm-modify-info-version.patch
 Patch0006: vim-Add-sw64-architecture-debcontrol.patch
+Patch0007: backport-CVE-2025-9389.patch
 BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@@ -429,6 +430,9 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 %changelog
+* Wed Aug 27 2025 wangjiang - 2:9.1.1663-2
+- fix CVE-2025-9389
+
 * Thu Aug 21 2025 Funda Wang - 2:9.1.1663-1
 - update to 9.1 patchlevel 1663
 - disable wayland support for now
-- Gitee