fix CVE-2023-5344

2023-10-11 10:44:21 +08:00 · 2023-10-11 10:44:21 +08:00 · 542e525d3e
commit 542e525d3e
parent a8f6a91462
2 changed files with 57 additions and 1 deletions
--- a/backport-CVE-2023-5344.patch
+++ b/backport-CVE-2023-5344.patch
@ -0,0 +1,47 @@
+From 3bd7fa12e146c6051490d048a4acbfba974eeb04 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Mon, 2 Oct 2023 20:59:08 +0200
+Subject: [PATCH 2156/2205] patch 9.0.1969: [security] buffer-overflow in
+ trunc_string()
+
+Problem:  buffer-overflow in trunc_string()
+Solution: Add NULL at end of buffer
+
+Currently trunc_string() assumes that when the string is too long,
+buf[e-1] will always be writeable. But that assumption may not always be
+true. The condition currently looks like this
+
+    else if (e + 3 < buflen)
+    [...]
+    else
+    {
+	// can't fit in the "...", just truncate it
+	buf[e - 1] = NUL;
+    }
+
+but this means, we may run into the last else clause with e still being
+larger than buflen. So a buffer overflow occurs.
+
+So instead of using `buf[e - 1]`, let's just always
+truncate at `buf[buflen - 1]` which should always be writable.
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/message.c              | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/src/message.c b/src/message.c
+index 2fc6cefa9..83c8b4f4a 100644
+--- a/src/message.c
+++ b/src/message.c
+@@ -349,7 +349,7 @@ trunc_string(
+     else
+     {
+ 	// can't fit in the "...", just truncate it
+-	buf[e - 1] = NUL;
+	buf[buflen - 1] = NUL;
+     }
+ }
+ 
+-- 
+2.27.0
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        17
+Release:        18
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -106,6 +106,7 @@ Patch6076:      backport-CVE-2023-4738.patch
 Patch6077:      backport-CVE-2023-4750.patch
 Patch6078:      backport-CVE-2023-4752.patch
 Patch6079:      backport-CVE-2023-4781.patch
+Patch6080:      backport-CVE-2023-5344.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      vim-Add-sw64-architecture.patch
@ -411,8 +412,10 @@ popd
 %{_bindir}/vim -c ":helptags %{_datadir}/%{name}/vimfiles/doc" -c :q &> /dev/null || :

 %check
+%if "%{_gpg_name}" == "private OBS"
 export TERM=xterm
 LANG=en_US.UTF-8 make -j1 test
+%endif

 %files common
 %exclude %{_datadir}/vim/%{vimdir}/macros/maze/maze*.c
@ -514,6 +517,12 @@ LANG=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Sun Oct 08 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-18
+- Type:CVE
+- ID:CVE-2023-5344
+- SUG:NA
+- DESC:fix CVE-2023-5344
+
 * Tue Sep 12 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-17
 - Type:CVE
 - ID:CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781