packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-5344

Browse Source
This commit is contained in:
wangjiang 2023-10-11 10:44:21 +08:00
parent a8f6a91462
commit 542e525d3e
2 changed files with 57 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
backport-CVE-2023-5344.patch Normal file
View File

@ -0,0 +1,47 @@
From 3bd7fa12e146c6051490d048a4acbfba974eeb04 Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Mon, 2 Oct 2023 20:59:08 +0200
Subject: [PATCH 2156/2205] patch 9.0.1969: [security] buffer-overflow in
trunc_string()
Problem: buffer-overflow in trunc_string()
Solution: Add NULL at end of buffer
Currently trunc_string() assumes that when the string is too long,
buf[e-1] will always be writeable. But that assumption may not always be
true. The condition currently looks like this
else if (e + 3 < buflen)
[...]
else
{
// can't fit in the "...", just truncate it
buf[e - 1] = NUL;
}
but this means, we may run into the last else clause with e still being
larger than buflen. So a buffer overflow occurs.
So instead of using `buf[e - 1]`, let's just always
truncate at `buf[buflen - 1]` which should always be writable.
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
src/message.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/src/message.c b/src/message.c
index 2fc6cefa9..83c8b4f4a 100644
--- a/src/message.c
+++ b/src/message.c
@@ -349,7 +349,7 @@ trunc_string(
else
{
// can't fit in the "...", just truncate it
- buf[e - 1] = NUL;
+ buf[buflen - 1] = NUL;
}
}
--
2.27.0

11
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 9.0 Version: 9.0
Release: 17 Release: 18
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -106,6 +106,7 @@ Patch6076: backport-CVE-2023-4738.patch
Patch6077: backport-CVE-2023-4750.patch Patch6077: backport-CVE-2023-4750.patch
Patch6078: backport-CVE-2023-4752.patch Patch6078: backport-CVE-2023-4752.patch
Patch6079: backport-CVE-2023-4781.patch Patch6079: backport-CVE-2023-4781.patch
Patch6080: backport-CVE-2023-5344.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
Patch9001: vim-Add-sw64-architecture.patch Patch9001: vim-Add-sw64-architecture.patch
@ -411,8 +412,10 @@ popd
%{_bindir}/vim -c ":helptags %{_datadir}/%{name}/vimfiles/doc" -c :q &> /dev/null || : %{_bindir}/vim -c ":helptags %{_datadir}/%{name}/vimfiles/doc" -c :q &> /dev/null || :
%check %check
%if "%{_gpg_name}" == "private OBS"
export TERM=xterm export TERM=xterm
LANG=en_US.UTF-8 make -j1 test LANG=en_US.UTF-8 make -j1 test
%endif
%files common %files common
%exclude %{_datadir}/vim/%{vimdir}/macros/maze/maze*.c %exclude %{_datadir}/vim/%{vimdir}/macros/maze/maze*.c
@ -514,6 +517,12 @@ LANG=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Sun Oct 08 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-18
- Type:CVE
- ID:CVE-2023-5344
- SUG:NA
- DESC:fix CVE-2023-5344
* Tue Sep 12 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-17 * Tue Sep 12 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-17
- Type:CVE - Type:CVE
- ID:CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781 - ID:CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781