packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!417 [sync] PR-411: fix CVE-2022-3352

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @lvying6 
Signed-off-by: @lvying6
This commit is contained in:
openeuler-ci-bot 2022-10-12 08:12:00 +00:00 committed by Gitee
commit 45a7d6e1fb
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 86 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
backport-CVE-2022-3352.patch Normal file
View File

@ -0,0 +1,77 @@
From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 28 Sep 2022 11:48:30 +0100
Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
Problem: SpellFileMissing autocmd may delete buffer.
Solution: Disallow deleting the current buffer to avoid using freed memory.
---
src/buffer.c | 6 +++++-
src/spell.c | 6 ++++++
src/testdir/test_autocmd.vim | 11 +++++++++++
3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/buffer.c b/src/buffer.c
index f66c234..b647d82 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -465,8 +465,12 @@ can_unload_buffer(buf_T *buf)
}
}
if (!can_unload)
+ {
+ char_u *fname = buf->b_fname != NULL ? buf->b_fname : buf->b_ffname;
+
semsg(_("E937: Attempt to delete a buffer that is in use: %s"),
- buf->b_fname);
+ fname != NULL ? fname : (char_u *)"[No Name]");
+ }
return can_unload;
}
diff --git a/src/spell.c b/src/spell.c
index 1d7a1ae..e32dbe7 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -1539,6 +1539,10 @@ spell_load_lang(char_u *lang)
sl.sl_slang = NULL;
sl.sl_nobreak = FALSE;
+ // Disallow deleting the current buffer. Autocommands can do weird things
+ // and cause "lang" to be freed.
+ ++curbuf->b_locked;
+
// We may retry when no spell file is found for the language, an
// autocommand may load it then.
for (round = 1; round <= 2; ++round)
@@ -1592,6 +1596,8 @@ spell_load_lang(char_u *lang)
STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
}
+
+ --curbuf->b_locked;
}
/*
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
index 27ec80d..e7ffc37 100755
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
@@ -2343,3 +2343,14 @@ func Test_BufWrite_lockmarks()
call delete('Xtest')
call delete('Xtest2')
endfunc
+
+" this was wiping out the current buffer and using freed memory
+func Test_SpellFileMissing_bwipe()
+ next 0
+ au SpellFileMissing 0 bwipe
+ call assert_fails('set spell spelllang=0', 'E937:')
+
+ au! SpellFileMissing
+ bwipe
+endfunc
+
--
2.27.0

10
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim
Epoch: 2
Version: 8.2
Release: 67
Release: 68
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
@ -188,6 +188,7 @@ Patch6146: backport-CVE-2022-3134.patch
Patch6147: backport-CVE-2022-3234.patch
Patch6148: backport-CVE-2022-3235.patch
Patch6149: backport-CVE-2022-3256.patch
Patch6150: backport-CVE-2022-3352.patch
BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@ -481,6 +482,7 @@ popd
%{_bindir}/vim -c ":helptags %{_datadir}/%{name}/vimfiles/doc" -c :q &> /dev/null || :
%check
export TERM=linux
LC_ALL=en_US.UTF-8 make -j1 test
%files common
@ -576,6 +578,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.*
%changelog
* Mon Oct 10 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-68
- Type:CVE
- ID:CVE-2022-3352
- SUG:NA
- DESC:fix CVE-2022-3352
* Fri Sep 23 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-67
- Type:CVE
- ID:CVE-2022-3256