packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!299 [sync] PR-296: fix CVE-2022-2264 CVE-2022-2257 CVE-2022-2286 CVE-2022-2287

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @lvying6 
Signed-off-by: @lvying6
This commit is contained in:
openeuler-ci-bot 2022-07-13 07:28:41 +00:00 committed by Gitee
commit 33c7858584
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
8 changed files with 562 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
backport-CVE-2022-2257.patch Normal file
View File

@ -0,0 +1,53 @@
From 083692d598139228e101b8c521aaef7bcf256e9a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 29 Jun 2022 21:16:58 +0100
Subject: [PATCH] patch 9.0.0009: going past the end of a menu item with only
modifier
Problem: Going past the end of a menu item with only modifier.
Solution: Check for NUL.
---
src/message.c | 4 ++--
src/testdir/test_menu.vim | 14 ++++++++++++++
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/message.c b/src/message.c
index 363dbe1..679a992 100644
--- a/src/message.c
+++ b/src/message.c
@@ -1735,8 +1735,8 @@ str2special(
*sp = str + 1;
}
else
- // single-byte character or illegal byte
- *sp = str + 1;
+ // single-byte character, NUL or illegal byte
+ *sp = str + (*str == NUL ? 0 : 1);
/* Make special keys and C0 control characters in <> form, also <M-Space>.
* Use <Space> only for lhs of a mapping. */
diff --git a/src/testdir/test_menu.vim b/src/testdir/test_menu.vim
index 0d6b78e..7e411cf 100644
--- a/src/testdir/test_menu.vim
+++ b/src/testdir/test_menu.vim
@@ -84,3 +84,17 @@ func Test_menu_commands()
unlet g:did_menu
endfun
+
+func Test_only_modifier()
+ exe "tmenu a.b \x80\xfc0"
+ let exp =<< trim [TEXT]
+ --- Menus ---
+ 500 a
+ 500 b
+ t - <T-2-^@>
+ [TEXT]
+ call assert_equal(exp, split(execute('tmenu'), "\n"))
+
+ tunmenu a.b
+endfunc
+
--
1.8.3.1

49
backport-CVE-2022-2264.patch Normal file
View File

@ -0,0 +1,49 @@
From d25f003342aca9889067f2e839963dfeccf1fe05 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 30 Jun 2022 12:30:19 +0100
Subject: [PATCH] patch 9.0.0011: reading beyond the end of the line with put
command
Problem: Reading beyond the end of the line with put command.
Solution: Adjust the end mark position.
---
src/register.c | 2 ++
src/testdir/test_put.vim | 12 ++++++++++++
2 files changed, 14 insertions(+)
diff --git a/src/register.c b/src/register.c
index 87689f7..51c14b8 100644
--- a/src/register.c
+++ b/src/register.c
@@ -1819,6 +1819,8 @@ do_put(
vim_memset(ptr, ' ', (size_t)spaces);
ptr += spaces;
}
+ else
+ totlen -= spaces; // didn't use these spaces
}
// may insert some spaces after the new text
vim_memset(ptr, ' ', (size_t)bd.endspaces);
diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
index 6df04cf..c8d306a 100644
--- a/src/testdir/test_put.vim
+++ b/src/testdir/test_put.vim
@@ -152,3 +152,15 @@ func Test_put_empty_register()
bwipe!
endfunc
+" this was putting the end mark after the end of the line
+func Test_put_visual_mode()
+ edit! SomeNewBuffer
+ set selection=exclusive
+ exe "norm o\t"
+ m0
+ sil! norm  p p
+
+ bwipe!
+ set selection&
+endfunc
+
--
1.8.3.1

59
backport-CVE-2022-2286.patch Normal file
View File

@ -0,0 +1,59 @@
From f12129f1714f7d2301935bb21d896609bdac221c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 19:58:30 +0100
Subject: [PATCH] patch 9.0.0020: with some completion reading past end of
string
Problem: With some completion reading past end of string.
Solution: Check the length of the string.
---
src/insexpand.c | 14 ++++++++++++--
src/testdir/test_ins_complete.vim | 7 +++++++
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index 50e0579..66a836e 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2038,11 +2038,21 @@ ins_compl_prep(int c)
// but only do this, if the Popup is still visible
if (c == Ctrl_E)
{
+ char_u *p = NULL;
+
ins_compl_delete();
if (compl_leader != NULL)
- ins_bytes(compl_leader + ins_compl_len());
+ p = compl_leader;
else if (compl_first_match != NULL)
- ins_bytes(compl_orig_text + ins_compl_len());
+ p = compl_orig_text;
+ if (p != NULL)
+ {
+ int compl_len = ins_compl_len();
+ int len = (int)STRLEN(p);
+
+ if (len > compl_len)
+ ins_bytes_len(p + compl_len, len - compl_len);
+ }
retval = TRUE;
}
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 8f584d3..b7cfd29 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -390,3 +390,10 @@ func Test_ins_complete_add()
bwipe!
endfunc
+func Test_complete_overrun()
+ " this was going past the end of the copied text
+ new
+ sil norm si”0s0 
+ bwipe!
+endfunc
+
--
1.8.3.1

90
backport-CVE-2022-2287.patch Normal file
View File

@ -0,0 +1,90 @@
From 5e59ea54c0c37c2f84770f068d95280069828774 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 22:26:20 +0100
Subject: [PATCH] patch 9.0.0021: invalid memory access when adding word to
spell word list
Problem: Invalid memory access when adding word with a control character to
the internal spell word list.
Solution: Disallow adding a word with control characters or a trailing
slash.
---
src/spellfile.c | 21 +++++++++++++++++++--
src/testdir/test_spell.vim | 15 +++++++++++++++
2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/src/spellfile.c b/src/spellfile.c
index 5171572..aeeb6ad 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -4343,6 +4343,23 @@ wordtree_alloc(spellinfo_T *spin)
}
/*
+ * Return TRUE if "word" contains valid word characters.
+ * Control characters and trailing '/' are invalid. Space is OK.
+ */
+ static int
+valid_spell_word(char_u *word)
+{
+ char_u *p;
+
+ if (enc_utf8 && !utf_valid_string(word, NULL))
+ return FALSE;
+ for (p = word; *p != NUL; p += mb_ptr2len(p))
+ if (*p < ' ' || (p[0] == '/' && p[1] == NUL))
+ return FALSE;
+ return TRUE;
+}
+
+/*
* Store a word in the tree(s).
* Always store it in the case-folded tree. For a keep-case word this is
* useful when the word can also be used with all caps (no WF_FIXCAP flag) and
@@ -4367,7 +4384,7 @@ store_word(
char_u *p;
// Avoid adding illegal bytes to the word tree.
- if (enc_utf8 && !utf_valid_string(word, NULL))
+ if (!valid_spell_word(word))
return FAIL;
(void)spell_casefold(word, len, foldword, MAXWLEN);
@@ -6171,7 +6188,7 @@ spell_add_word(
int i;
char_u *spf;
- if (enc_utf8 && !utf_valid_string(word, NULL))
+ if (!valid_spell_word(word))
{
emsg(_(e_illegal_character_in_word));
return;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 1f79907..bc4f41d 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -574,6 +574,21 @@ func Test_spell_screendump()
call delete('XtestSpell')
endfunc
+func Test_spell_good_word_invalid()
+ " This was adding a word with a 0x02 byte, which causes havoc.
+ enew
+ norm o0
+ sil! norm rzzWs00/
+ 2
+ sil! norm VzGprzzW
+ sil! norm z=
+
+ bwipe!
+ " clear the internal word list
+ set enc=latin1
+ set enc=utf-8
+endfunc
+
let g:test_data_aff1 = [
\"SET ISO8859-1",
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
--
1.8.3.1

112
backport-patch-8.2.4867-listing-of-mapping-with-K_SPECIAL-is-.patch Normal file
View File

@ -0,0 +1,112 @@
From ac402f4d64bec6b6efd809fef52f5b34627bf947 Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Wed, 4 May 2022 18:51:43 +0100
Subject: [PATCH] patch 8.2.4867: listing of mapping with K_SPECIAL is wrong
Problem: Listing of mapping with K_SPECIAL is wrong.
Solution: Adjust escaping of special characters. (closes #10351)
---
src/map.c | 12 +-----------
src/message.c | 26 ++++++++++++++++++--------
src/testdir/test_mapping.vim | 20 ++++++++++++++++++++
3 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/src/map.c b/src/map.c
index 645cd10..98573b5 100644
--- a/src/map.c
+++ b/src/map.c
@@ -186,17 +186,7 @@ showmap(
if (*mp->m_str == NUL)
msg_puts_attr("<Nop>", HL_ATTR(HLF_8));
else
- {
- // Remove escaping of CSI, because "m_str" is in a format to be used
- // as typeahead.
- char_u *s = vim_strsave(mp->m_str);
- if (s != NULL)
- {
- vim_unescape_csi(s);
- msg_outtrans_special(s, FALSE, 0);
- vim_free(s);
- }
- }
+ msg_outtrans_special(mp->m_str, FALSE, 0);
#ifdef FEAT_EVAL
if (p_verbose > 0)
last_set_msg(mp->m_script_ctx);
diff --git a/src/message.c b/src/message.c
index eae6e61..0898d90 100644
--- a/src/message.c
+++ b/src/message.c
@@ -1716,19 +1716,29 @@ str2special(
if (has_mbyte && !IS_SPECIAL(c))
{
- int len = (*mb_ptr2len)(str);
+ char_u *p;
- /* For multi-byte characters check for an illegal byte. */
- if (has_mbyte && MB_BYTE2LEN(*str) > len)
+ *sp = str;
+ // Try to un-escape a multi-byte character after modifiers.
+ p = mb_unescape(sp);
+
+ if (p == NULL)
{
- transchar_nonprint(buf, c);
- *sp = str + 1;
- return buf;
+ int len = (*mb_ptr2len)(str);
+
+ // Check for an illegal byte.
+ if (MB_BYTE2LEN(*str) > len)
+ {
+ transchar_nonprint(curbuf, buf, c);
+ *sp = str + 1;
+ return buf;
+ }
+ *sp = str + len;
+ p = str;
}
/* Since 'special' is TRUE the multi-byte character 'c' will be
* processed by get_special_key_name() */
- c = (*mb_ptr2char)(str);
- *sp = str + len;
+ c = (*mb_ptr2char)(p);
}
else
*sp = str + 1;
diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim
index 55e6af0..58c284d 100644
--- a/src/testdir/test_mapping.vim
+++ b/src/testdir/test_mapping.vim
@@ -461,6 +461,26 @@ func Test_list_mappings()
call assert_equal(['i <S-/> * ShiftSlash'], execute('imap')->trim()->split("\n"))
iunmap <S-/>
call assert_equal(['No mapping found'], execute('imap')->trim()->split("\n"))
+
+ nmap foo …
+ call assert_equal(['n foo …'],
+ \ execute('nmap foo')->trim()->split("\n"))
+
+ " modified character with K_SPECIAL byte in rhs
+ nmap foo <M-…>
+ call assert_equal(['n foo <M-…>'],
+ \ execute('nmap foo')->trim()->split("\n"))
+
+ " character with K_SPECIAL byte in lhs
+ nmap … foo
+ call assert_equal(['n … foo'],
+ \ execute('nmap …')->trim()->split("\n"))
+
+ " modified character with K_SPECIAL byte in lhs
+ nmap <M-…> foo
+ call assert_equal(['n <M-…> foo'],
+ \ execute('nmap <M-…>')->trim()->split("\n"))
+
endfunc
func Test_expr_map_restore_cursor()
--
1.8.3.1

153
backport-patch-8.2.4924-maparg-may-return-a-string-that-canno.patch Normal file
View File

@ -0,0 +1,153 @@
From 0519ce00394474055bd58c089ea90a19986443eb Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Mon, 9 May 2022 12:16:19 +0100
Subject: [PATCH] patch 8.2.4924: maparg() may return a string that cannot be
reused
Problem: maparg() may return a string that cannot be reused.
Solution: use msg_outtrans_special() instead of str2special().
(closes #10384)
---
src/message.c | 35 +++++++++++++++--------------------
src/option.c | 2 ++
src/testdir/test_mapping.vim | 7 +++++++
src/testdir/test_options.vim | 20 ++++++++++++++++++++
4 files changed, 44 insertions(+), 20 deletions(-)
diff --git a/src/message.c b/src/message.c
index 0898d90..363dbe1 100644
--- a/src/message.c
+++ b/src/message.c
@@ -1637,6 +1637,9 @@ msg_outtrans_special(
}
else
text = (char *)str2special(&str, from);
+ if (text[0] != NUL && text[1] == NUL)
+ // single-byte character or illegal byte
+ text = (char *)transchar_byte((char_u)text[0]);
len = vim_strsize((char_u *)text);
if (maxlen > 0 && retval + len >= maxlen)
break;
@@ -1671,6 +1674,7 @@ str2special_save(
/*
* Return the printable string for the key codes at "*sp".
+ * On illegal byte return a string with only that byte.
* Used for translating the lhs or rhs of a mapping to printable chars.
* Advances "sp" to the next code.
*/
@@ -1714,7 +1718,7 @@ str2special(
special = TRUE;
}
- if (has_mbyte && !IS_SPECIAL(c))
+ if (has_mbyte && !IS_SPECIAL(c) && MB_BYTE2LEN(c) > 1)
{
char_u *p;
@@ -1722,30 +1726,21 @@ str2special(
// Try to un-escape a multi-byte character after modifiers.
p = mb_unescape(sp);
- if (p == NULL)
- {
- int len = (*mb_ptr2len)(str);
-
- // Check for an illegal byte.
- if (MB_BYTE2LEN(*str) > len)
- {
- transchar_nonprint(curbuf, buf, c);
- *sp = str + 1;
- return buf;
- }
- *sp = str + len;
- p = str;
- }
- /* Since 'special' is TRUE the multi-byte character 'c' will be
- * processed by get_special_key_name() */
- c = (*mb_ptr2char)(p);
+ if (p != NULL)
+ // Since 'special' is TRUE the multi-byte character 'c' will be
+ // processed by get_special_key_name()
+ c = (*mb_ptr2char)(p);
+ else
+ // illegal byte
+ *sp = str + 1;
}
else
+ // single-byte character or illegal byte
*sp = str + 1;
- /* Make unprintable characters in <> form, also <M-Space> and <Tab>.
+ /* Make special keys and C0 control characters in <> form, also <M-Space>.
* Use <Space> only for lhs of a mapping. */
- if (special || char2cells(c) > 1 || (from && c == ' '))
+ if (special || c < ' ' || (from && c == ' '))
return get_special_key_name(c, modifiers);
buf[0] = c;
buf[1] = NUL;
diff --git a/src/option.c b/src/option.c
index eb610dd..6a93a7b 100644
--- a/src/option.c
+++ b/src/option.c
@@ -3878,6 +3878,8 @@ get_option_value(
if ((char_u **)varp == &curbuf->b_p_key
&& **(char_u **)(varp) != NUL)
*stringval = vim_strsave((char_u *)"*****");
+ else if ((char_u **)varp == &p_pt) // 'pastetoggle'
+ *stringval = str2special_save(*(char_u **)(varp), FALSE);
else
#endif
*stringval = vim_strsave(*(char_u **)(varp));
diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim
index 58c284d..9e32b38 100644
--- a/src/testdir/test_mapping.vim
+++ b/src/testdir/test_mapping.vim
@@ -480,6 +480,13 @@ func Test_list_mappings()
nmap <M-…> foo
call assert_equal(['n <M-…> foo'],
\ execute('nmap <M-…>')->trim()->split("\n"))
+
+ " illegal bytes
+ let str = ":\x7f:\x80:\x90:\xd0:"
+ exe 'nmap foo ' .. str
+ call assert_equal(['n foo ' .. strtrans(str)],
+ \ execute('nmap foo')->trim()->split("\n"))
+ unlet str
endfunc
diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
index 7584465..e494cd9 100644
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
@@ -31,6 +31,26 @@ func Test_isfname()
set isfname&
endfunc
+" Test for getting the value of 'pastetoggle'
+func Test_pastetoggle()
+ " character with K_SPECIAL byte
+ let &pastetoggle = '…'
+ call assert_equal('…', &pastetoggle)
+ call assert_equal("\n pastetoggle=…", execute('set pastetoggle?'))
+
+ " modified character with K_SPECIAL byte
+ let &pastetoggle = '<M-…>'
+ call assert_equal('<M-…>', &pastetoggle)
+ call assert_equal("\n pastetoggle=<M-…>", execute('set pastetoggle?'))
+
+ " illegal bytes
+ let str = ":\x7f:\x80:\x90:\xd0:"
+ let &pastetoggle = str
+ call assert_equal(str, &pastetoggle)
+ call assert_equal("\n pastetoggle=" .. strtrans(str), execute('set pastetoggle?'))
+ unlet str
+endfunc
+
func Test_wildchar()
" Empty 'wildchar' used to access invalid memory.
call assert_fails('set wildchar=', 'E521:')
--
1.8.3.1

32
backport-patch-9.0.0022-spell-test-fails.patch Normal file
View File

@ -0,0 +1,32 @@
From 95afae6d1760b2efcc4968dbd3784799d24e9fdf Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 22:44:19 +0100
Subject: [PATCH] patch 9.0.0022: spell test fails
Problem: Spell test fails.
Solution: Expect new error is given.
---
src/testdir/test_spell_utf8.vim | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
index efdecdc..42288dc 100644
--- a/src/testdir/test_spell_utf8.vim
+++ b/src/testdir/test_spell_utf8.vim
@@ -779,7 +779,12 @@ func Test_no_crash_with_weird_text()
€
END
call setline(1, lines)
- exe "%norm \<C-v>ez=>\<C-v>wzG"
+ try
+ exe "%norm \<C-v>ez=>\<C-v>wzG"
+ catch /E1280:/
+ let caught = 'yes'
+ endtry
+ call assert_equal('yes', caught)
bwipe!
endfunc
--
1.8.3.1

15
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim
Epoch: 2
Version: 8.2
Release: 50
Release: 51
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
@ -146,6 +146,13 @@ Patch6109: backport-CVE-2022-2285.patch
Patch6110: backport-CVE-2022-2304.patch
Patch6111: backport-CVE-2022-2344.patch
Patch6112: backport-CVE-2022-2345.patch
Patch6113: backport-CVE-2022-2264.patch
Patch6114: backport-patch-8.2.4867-listing-of-mapping-with-K_SPECIAL-is-.patch
Patch6115: backport-patch-8.2.4924-maparg-may-return-a-string-that-canno.patch
Patch6116: backport-CVE-2022-2257.patch
Patch6117: backport-CVE-2022-2286.patch
Patch6118: backport-CVE-2022-2287.patch
Patch6119: backport-patch-9.0.0022-spell-test-fails.patch
Patch9000: bugfix-rm-modify-info-version.patch
@ -534,6 +541,12 @@ popd
%{_mandir}/man1/evim.*
%changelog
* Wed Jul 13 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-51
- Type:CVE
- ID:CVE-2022-2264 CVE-2022-2257 CVE-2022-2286 CVE-2022-2287
- SUG:NA
- DESC:fix CVE-2022-2264 CVE-2022-2257 CVE-2022-2286 CVE-2022-2287
* Mon Jul 11 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-50
- Type:CVE
- ID:CVE-2022-2000 CVE-2022-2042 CVE-2022-2284 CVE-2022-2285 CVE-2022-2304 CVE-2022-2344 CVE-2022-2345