fix CVE-2023-0049 CVE-2023-0051 CVE-2023-0054

2023-01-09 15:02:28 +08:00 · 2023-01-09 15:02:28 +08:00 · 7b917f4dd2
commit 7b917f4dd2
parent 1398bbea4c
4 changed files with 211 additions and 1 deletions
--- a/backport-CVE-2023-0049.patch
+++ b/backport-CVE-2023-0049.patch
@ -0,0 +1,44 @@
+From 7b17eb4b063a234376c1ec909ee293e42cff290c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 4 Jan 2023 14:31:49 +0000
+Subject: [PATCH] patch 9.0.1143: invalid memory access with bad 'statusline'
+ value
+
+Problem:    Invalid memory access with bad 'statusline' value.
+Solution:   Avoid going over the NUL at the end.
+---
+ src/buffer.c                    | 2 ++
+ src/testdir/test_statusline.vim | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 98568987894e..40168226160c 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -4576,6 +4576,8 @@ build_stl_str_hl(
+ #endif
+ 	if (vim_strchr(STL_ALL, *s) == NULL)
+ 	{
+	    if (*s == NUL)  // can happen with "%0"
+		break;
+ 	    s++;
+ 	    continue;
+ 	}
+diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
+index a829597655bf..23613bfed37b 100644
+--- a/src/testdir/test_statusline.vim
+++ b/src/testdir/test_statusline.vim
+@@ -436,6 +436,13 @@ func Test_statusline()
+   set splitbelow&
+ endfunc
+ 
+func Test_statusline_trailing_percent_zero()
+  " this was causing illegal memory access
+  set laststatus=2 stl=%!%0
+  call assert_fails('redraw', 'E15: Invalid expression: "%0"')
+  set laststatus& stl&
+endfunc
+
+ func Test_statusline_visual()
+   func CallWordcount()
+     call wordcount()
--- a/backport-CVE-2023-0051.patch
+++ b/backport-CVE-2023-0051.patch
@ -0,0 +1,98 @@
+From c32949b0779106ed5710ae3bffc5053e49083ab4 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 4 Jan 2023 15:56:51 +0000
+Subject: [PATCH] patch 9.0.1144: reading beyond text
+
+Problem:    Reading beyond text.
+Solution:   Add strlen_maxlen() and use it.
+---
+ src/message.c                |  3 ++-
+ src/proto/strings.pro        |  1 +
+ src/strings.c                | 15 ++++++++++++++-
+ src/testdir/test_cmdline.vim | 11 +++++++++++
+ 4 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/src/message.c b/src/message.c
+index becb280..c53c44f 100644
+--- a/src/message.c
+++ b/src/message.c
+@@ -2806,7 +2806,8 @@ msg_puts_printf(char_u *str, int maxlen)
+     {
+ 	char_u *tofree = NULL;
+ 
+-	if (maxlen > 0 && STRLEN(p) > (size_t)maxlen)
+	if (maxlen > 0 && vim_strlen_maxlen((char *)p, (size_t)maxlen)
+							     >= (size_t)maxlen)
+ 	{
+ 	    tofree = vim_strnsave(p, (size_t)maxlen);
+ 	    p = tofree;
+diff --git a/src/proto/strings.pro b/src/proto/strings.pro
+index 778ec90..1bd4dcb 100644
+--- a/src/proto/strings.pro
+++ b/src/proto/strings.pro
+@@ -12,6 +12,7 @@ char_u *strlow_save(char_u *orig);
+ void del_trailing_spaces(char_u *ptr);
+ void vim_strncpy(char_u *to, char_u *from, size_t len);
+ void vim_strcat(char_u *to, char_u *from, size_t tosize);
+size_t vim_strlen_maxlen(char *s, size_t maxlen);
+ int vim_stricmp(char *s1, char *s2);
+ int vim_strnicmp(char *s1, char *s2, size_t len);
+ char_u *vim_strchr(char_u *string, int c);
+diff --git a/src/strings.c b/src/strings.c
+index 0313e74..df06c3f 100644
+--- a/src/strings.c
+++ b/src/strings.c
+@@ -525,6 +525,19 @@ vim_strcat(char_u *to, char_u *from, size_t tosize)
+ 	mch_memmove(to + tolen, from, fromlen + 1);
+ }
+ 
+/*
+ * A version of strlen() that has a maximum length.
+ */
+    size_t
+vim_strlen_maxlen(char *s, size_t maxlen)
+{
+    size_t i;
+    for (i = 0; i < maxlen; ++i)
+	if (s[i] == NUL)
+	    break;
+    return i;
+}
+
+ #if (!defined(HAVE_STRCASECMP) && !defined(HAVE_STRICMP)) || defined(PROTO)
+ /*
+  * Compare two strings, ignoring case, using current locale.
+@@ -582,7 +595,7 @@ vim_strnicmp(char *s1, char *s2, size_t len)
+  * 128 to 255 correctly.  It also doesn't return a pointer to the NUL at the
+  * end of the string.
+  */
+-    char_u  *
+    char_u *
+ vim_strchr(char_u *string, int c)
+ {
+     char_u	*p;
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index ab3bfdf..083f63e 100644
+--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
+@@ -574,6 +574,17 @@ func Test_getcompletion()
+   call assert_fails('call getcompletion("abc", [])', 'E475:')
+ endfunc
+ 
+func Test_multibyte_expression()
+  " This was using uninitialized memory.
+  let lines =<< trim END
+      set verbose=6
+      norm @=ٷ
+      qall!
+  END
+  call writefile(lines, 'XmultiScript', 'D')
+  call RunVim('', '', '-u NONE -n -e -s -S XmultiScript')
+endfunc
+
+ " Test for getcompletion() with "fuzzy" in 'wildoptions'
+ func Test_getcompletion_wildoptions()
+   let save_wildoptions = &wildoptions
+-- 
+2.33.0
+
--- a/backport-CVE-2023-0054.patch
+++ b/backport-CVE-2023-0054.patch
@ -0,0 +1,59 @@
+From 3ac1d97a1d9353490493d30088256360435f7731 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 4 Jan 2023 17:17:54 +0000
+Subject: [PATCH] patch 9.0.1145: invalid memory access with recursive
+ substitute expression
+
+Problem:    Invalid memory access with recursive substitute expression.
+Solution:   Check the return value of vim_regsub().
+---
+ src/eval.c                      |  5 +++++
+ src/testdir/test_substitute.vim | 16 ++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/src/eval.c b/src/eval.c
+index 2fbd867ab..9ca805061 100644
+--- a/src/eval.c
+++ b/src/eval.c
+@@ -6969,6 +6969,11 @@ do_string_sub(
+ 	     * - The text after the match.
+ 	     */
+ 	    sublen = vim_regsub(&regmatch, sub, expr, tail, 0, REGSUB_MAGIC);
+	    if (sublen <= 0)
+	    {
+		ga_clear(&ga);
+		break;
+	    }
+ 	    if (ga_grow(&ga, (int)((end - tail) + sublen -
+ 			    (regmatch.endp[0] - regmatch.startp[0]))) == FAIL)
+ 	    {
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 251322337..4268aab03 100644
+--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
+@@ -1095,6 +1095,22 @@ func Test_sub_expr_goto_other_file()
+   bwipe!
+ endfunc
+ 
+func Test_recursive_expr_substitute()
+  " this was reading invalid memory
+  let lines =<< trim END
+      func Repl(g, n)
+        s
+        r%:s000
+      endfunc
+      next 0
+      let caught = 0
+      s/\%')/\=Repl(0, 0)
+      qall!
+  END
+  call writefile(lines, 'XexprSubst', 'D')
+  call RunVim([], [], '--clean -S XexprSubst')
+endfunc
+
+ " Test for the 2-letter and 3-letter :substitute commands
+ func Test_substitute_short_cmd()
+   new
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        6
+Release:        7
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -81,6 +81,9 @@ Patch6051:      backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.pa
 Patch6052:      backport-CVE-2022-4292.patch
 Patch6053:      backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch
 Patch6054:      backport-CVE-2022-4293.patch
+Patch6055:      backport-CVE-2023-0049.patch
+Patch6056:      backport-CVE-2023-0051.patch
+Patch6057:      backport-CVE-2023-0054.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      vim-Add-sw64-architecture.patch
@ -489,6 +492,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Jan 09 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-7
+- Type:CVE
+- ID:CVE-2023-0049 CVE-2023-0051 CVE-2023-0054
+- SUG:NA
+- DESC:CVE-2023-0049 CVE-2023-0051 CVE-2023-0054
+
 * Mon Dec 12 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-6
 - Type:bugfix
 - ID:NA