!137 [sync] PR-136: fix CVE-2022-0443 CVE-2022-0392 CVE-2022-0417

Merge pull request !137 from openeuler-sync-bot/sync-pr136-openEuler-22.03-LTS-to-openEuler-22.03-LTS-Next
openeuler-ci-bot 2022-02-09 06:15:50 +00:00 committed by Gitee
commit 9e89989c8b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 296 additions and 1 deletions


@ -0,0 +1,50 @@
From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 25 Jan 2022 20:45:16 +0000
Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
Ex mode
Problem: Illegal memory access with bracketed paste in Ex mode.
Solution: Reserve space for the trailing NUL.
---
src/edit.c | 3 ++-
src/testdir/test_paste.vim | 11 +++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/edit.c b/src/edit.c
index c67f67c..3767769 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -4984,7 +4984,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
break;
case PASTE_EX:
- if (gap != NULL && ga_grow(gap, idx) == OK)
+ // add one for the NUL that is going to be appended
+ if (gap != NULL && ga_grow(gap, idx + 1) == OK)
{
mch_memmove((char *)gap->ga_data + gap->ga_len,
buf, (size_t)idx);
diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
index c30140f..263f084 100644
--- a/src/testdir/test_paste.vim
+++ b/src/testdir/test_paste.vim
@@ -134,3 +134,14 @@ func Test_xrestore()
bwipe!
endfunc
+
+" bracketed paste in Ex-mode
+func Test_paste_ex_mode()
+ unlet! foo
+ call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt')
+ call assert_equal("foo\rbar", foo)
+
+
+ " pasting more than 40 bytes
+ exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>"
+endfunc
--
2.27.0
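Review bot: The second case in Test_paste_ex_mode (the 70-byte paste ended with CTRL-C) asserts nothing, so it only catches a regression of the `ga_grow(gap, idx + 1)` fix when the test run is instrumented with ASan or Valgrind. Whether the package's check stage runs the suite that way is not visible on this page. A comment above the `exe "norm Q..."` line, such as `" no assert: an out-of-bounds write here is only reported by ASan/valgrind`, would make that dependency explicit. The statement that appends the NUL lies outside the src/edit.c hunk, so the size arithmetic cannot be fully confirmed from these lines alone.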


@ -0,0 +1,117 @@
From 652dee448618589de5528a9e9a36995803f5557a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 28 Jan 2022 20:47:49 +0000
Subject: [PATCH] patch 8.2.4245: ":retab 0" may cause illegal memory access
Problem: ":retab 0" may cause illegal memory access.
Solution: Limit the value of 'tabstop' to 10000.
---
src/indent.c | 4 ++--
src/option.c | 16 +++++++++-------
src/testdir/test_options.vim | 2 ++
src/vim.h | 2 ++
4 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/src/indent.c b/src/indent.c
index 7d04373..e8e93b9 100644
--- a/src/indent.c
+++ b/src/indent.c
@@ -71,7 +71,7 @@ tabstop_set(char_u *var, int **array)
int n = atoi((char *)cp);
// Catch negative values, overflow and ridiculous big values.
- if (n < 0 || n > 9999)
+ if (n < 0 || n > TABSTOP_MAX)
{
semsg(_(e_invarg2), cp);
vim_free(*array);
@@ -1590,7 +1590,7 @@ ex_retab(exarg_T *eap)
emsg(_(e_positive));
return;
}
- if (new_ts < 0 || new_ts > 9999)
+ if (new_ts < 0 || new_ts > TABSTOP_MAX)
{
semsg(_(e_invarg2), eap->arg);
return;
diff --git a/src/option.c b/src/option.c
index e9598d6..382b01b 100644
--- a/src/option.c
+++ b/src/option.c
@@ -3557,6 +3557,11 @@ set_num_option(
errmsg = e_positive;
curbuf->b_p_ts = 8;
}
+ else if (curbuf->b_p_ts > TABSTOP_MAX)
+ {
+ errmsg = e_invalid_argument;
+ curbuf->b_p_ts = 8;
+ }
if (p_tm < 0)
{
errmsg = e_positive;
@@ -5758,7 +5763,7 @@ buf_copy_options(buf_T *buf, int flags)
if (p_vsts && p_vsts != empty_option)
(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
else
- buf->b_p_vsts_array = 0;
+ buf->b_p_vsts_array = NULL;
buf->b_p_vsts_nopaste = p_vsts_nopaste
? vim_strsave(p_vsts_nopaste) : NULL;
#endif
@@ -6583,9 +6588,7 @@ paste_option_changed(void)
if (buf->b_p_vsts)
free_string_option(buf->b_p_vsts);
buf->b_p_vsts = empty_option;
- if (buf->b_p_vsts_array)
- vim_free(buf->b_p_vsts_array);
- buf->b_p_vsts_array = 0;
+ VIM_CLEAR(buf->b_p_vsts_array);
#endif
}
@@ -6631,12 +6634,11 @@ paste_option_changed(void)
free_string_option(buf->b_p_vsts);
buf->b_p_vsts = buf->b_p_vsts_nopaste
? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
- if (buf->b_p_vsts_array)
- vim_free(buf->b_p_vsts_array);
+ vim_free(buf->b_p_vsts_array);
if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
else
- buf->b_p_vsts_array = 0;
+ buf->b_p_vsts_array = NULL;
#endif
}
diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
index 65600ee..d4213c1 100644
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
@@ -263,6 +263,8 @@ func Test_set_errors()
call assert_fails('set shiftwidth=-1', 'E487:')
call assert_fails('set sidescroll=-1', 'E487:')
call assert_fails('set tabstop=-1', 'E487:')
+ call assert_fails('set tabstop=10000', 'E474:')
+ call assert_fails('set tabstop=5500000000', 'E474:')
call assert_fails('set textwidth=-1', 'E487:')
call assert_fails('set timeoutlen=-1', 'E487:')
call assert_fails('set updatecount=-1', 'E487:')
diff --git a/src/vim.h b/src/vim.h
index 68e2de1..cd917a3 100644
--- a/src/vim.h
+++ b/src/vim.h
@@ -2031,6 +2031,8 @@ typedef int sock_T;
#define DICT_MAXNEST 100 // maximum nesting of lists and dicts
+#define TABSTOP_MAX 9999
+
#ifdef FEAT_CLIPBOARD
// VIM_ATOM_NAME is the older Vim-specific selection type for X11. Still
--
2.27.0
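Review bot: In tabstop_set the new `n > TABSTOP_MAX` bound is applied to the result of `atoi`, whose behaviour is undefined when the digits do not fit in an int, so the "overflow" case named in the comment above it is not reliably caught by this check. Parsing with `strtol`, then rejecting `errno == ERANGE` or any value above `TABSTOP_MAX` before narrowing to int, would make the bound hold for input of any length. Separately, the patch description says the limit is 10000 while `TABSTOP_MAX` is 9999 and the new test expects `tabstop=10000` to fail. A comment on the define such as `// largest accepted value for 'tabstop'` would remove the ambiguity. tabstop_set, ex_retab and set_num_option all start and end outside their hunks, so this is based on the visible lines only.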


@ -0,0 +1,91 @@
From 9b4a80a66544f2782040b641498754bcb5b8d461 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 1 Feb 2022 13:54:17 +0000
Subject: [PATCH] patch 8.2.4281: using freed memory with :lopen and :bwipe
Problem: Using freed memory with :lopen and :bwipe.
Solution: Do not use a wiped out buffer.
---
src/buffer.c | 14 ++++++++++----
src/testdir/test_quickfix.vim | 16 ++++++++++++++++
2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/src/buffer.c b/src/buffer.c
index b4992dd..0f4957d 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1666,6 +1666,7 @@ set_curbuf(buf_T *buf, int action)
#endif
bufref_T newbufref;
bufref_T prevbufref;
+ int valid;
setpcmark();
if (!cmdmod.keepalt)
@@ -1717,13 +1718,19 @@ set_curbuf(buf_T *buf, int action)
// An autocommand may have deleted "buf", already entered it (e.g., when
// it did ":bunload") or aborted the script processing.
// If curwin->w_buffer is null, enter_buffer() will make it valid again
- if ((buf_valid(buf) && buf != curbuf
+ valid = buf_valid(buf);
+ if ((valid && buf != curbuf
#ifdef FEAT_EVAL
&& !aborting()
#endif
) || curwin->w_buffer == NULL)
{
- enter_buffer(buf);
+ // If the buffer is not valid but curwin->w_buffer is NULL we must
+ // enter some buffer. Using the last one is hopefully OK.
+ if (!valid)
+ enter_buffer(lastbuf);
+ else
+ enter_buffer(buf);
#ifdef FEAT_SYN_HL
if (old_tw != curbuf->b_p_tw)
check_colorcolumn(curwin);
@@ -2236,8 +2243,7 @@ free_buf_options(
clear_string_option(&buf->b_p_vsts);
vim_free(buf->b_p_vsts_nopaste);
buf->b_p_vsts_nopaste = NULL;
- vim_free(buf->b_p_vsts_array);
- buf->b_p_vsts_array = NULL;
+ VIM_CLEAR(buf->b_p_vsts_array);
clear_string_option(&buf->b_p_vts);
VIM_CLEAR(buf->b_p_vts_array);
#endif
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index f7c73f4..38a5236 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -876,6 +876,7 @@ func Test_locationlist_curwin_was_closed()
call assert_fails('lrewind', 'E924:')
augroup! testgroup
+ delfunc R
endfunc
func Test_locationlist_cross_tab_jump()
@@ -4674,4 +4675,19 @@ func Test_search_in_dirstack()
call delete('Xtestdir', 'rf')
endfunc
+" Weird sequence of commands that caused entering a wiped-out buffer
+func Test_lopen_bwipe()
+ func R()
+ silent! tab lopen
+ e x
+ silent! lfile
+ endfunc
+
+ cal R()
+ cal R()
+ cal R()
+ bw!
+ delfunc R
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0
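Review bot: In set_curbuf the new fallback `enter_buffer(lastbuf)` assumes `lastbuf` is a buffer that is safe to enter after the autocommands have run, and the only justification in the hunk is the comment's "hopefully OK". If the invariant is that the buffer list is never empty and `lastbuf` cannot be a buffer that is itself being torn down at this point, the comment should state it, for example `// "buf" was wiped out by an autocommand; the buffer list is never empty, so fall back to lastbuf`. If that invariant does not hold, the fallback needs its own guard. set_curbuf starts and ends outside the hunk, so this cannot be confirmed from the visible lines. Test_lopen_bwipe also makes no assertion and relies on a memory checker to report the use-after-free.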


@ -0,0 +1,27 @@
From 436b5adc9770a2568209dd5ab1f98bd1afc91898 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 31 Dec 2021 22:49:24 +0000
Subject: [PATCH] patch 8.2.3961: error messages are spread out
Problem: Error messages are spread out.
Solution: Move more errors to errors.h.
---
src/globals.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/globals.h b/src/globals.h
index 75092b7..45d9111 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -1453,6 +1453,7 @@ EXTERN char e_abort[] INIT(= N_("E470: Command aborted"));
EXTERN char e_argreq[] INIT(= N_("E471: Argument required"));
EXTERN char e_cannot_change_arglist_recursively[] INIT(= N_("E1156: Cannot change the argument list recursively"));
EXTERN char e_backslash[] INIT(= N_("E10: \\ should be followed by /, ? or &"));
+EXTERN char e_invalid_argument[] INIT(= N_("E474: Invalid argument"));
#ifdef FEAT_CMDWIN
EXTERN char e_cmdwin[] INIT(= N_("E11: Invalid in command-line window; <CR> executes, CTRL-C quits"));
#endif
--
2.27.0
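Review bot: This patch file keeps the upstream commit id and subject of patch 8.2.3961 ("Move more errors to errors.h") but carries a single hand-picked line, added to src/globals.h. Anyone auditing the backport against upstream will therefore find that the content does not match the header. A line in the patch description such as `Partial backport: only the e_invalid_argument definition is taken, placed in globals.h` would record that. If this tree already defines an E474 message under another name (Vim 8.2 trees of this age usually have `e_invarg`), the new symbol duplicates it and a comment on the added line should say it exists only for the later tabstop backport.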


@ -12,7 +12,7 @@
Name: vim
Epoch: 2
Version: 8.2
Release: 22
Release: 23
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT
URL: http://www.vim.org
@ -79,6 +79,10 @@ Patch6042: backport-CVE-2022-0361.patch
Patch6043: backport-CVE-2022-0359.patch
Patch6044: backport-CVE-2022-0413.patch
Patch6045: backport-CVE-2022-0368.patch
Patch6046: backport-CVE-2022-0443.patch
Patch6047: backport-CVE-2022-0392.patch
Patch6048: backport-invalid-argument-errmsg.patch
Patch6049: backport-CVE-2022-0417.patch
Patch9000: bugfix-rm-modify-info-version.patch
@ -467,6 +471,12 @@ popd
%{_mandir}/man1/evim.*
%changelog
* Wed Feb 09 2022 tianwei <tianwei12@h-partners.com> - 2:8.2-23
- Type:CVE
- ID:CVE-2022-0443 CVE-2022-0392 CVE-2022-0417
- SUG:NA
- DESC:fix CVE-2022-0443 CVE-2022-0392 CVE-2022-0417
* Mon Feb 07 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-22
- Type:CVE
- ID:CVE-2022-0351 CVE-2022-0361 CVE-2022-0408 CVE-2022-0359 CVE-2022-0368 CVE-2022-0413
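Review bot: Patch6048 (backport-invalid-argument-errmsg.patch) is a build prerequisite rather than a CVE fix, and neither the patch list nor the new changelog entry says which of the neighbouring patches needs it. Presumably it is the tabstop backport that references `e_invalid_argument`, so it must stay ahead of that patch if the list is ever reordered or a patch is dropped. A spec comment above it such as `# provides e_invalid_argument, required by the CVE-2022-0417 backport` (to be confirmed against the patch contents) would record the dependency. Naming the upstream patch levels (8.2.4218, 8.2.4245, 8.2.4281) in the DESC line would also help anyone matching this package against advisories, since Version stays at 8.2.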