!561 [sync] PR-557: fix CVE-2023-5441 CVE-2023-5535

From: @openeuler-sync-bot Reviewed-by: @gaoruoshu Signed-off-by: @gaoruoshu
2023-10-17 02:23:23 +00:00 · 2023-10-17 02:23:23 +00:00 · c8498996d1
commit c8498996d1
parent a3d309b44e 884812a89b
3 changed files with 81 additions and 1 deletions
--- a/backport-CVE-2023-5441.patch
+++ b/backport-CVE-2023-5441.patch
@ -0,0 +1,35 @@
+From 20d161ace307e28690229b68584f2d84556f8960 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Thu, 5 Oct 2023 22:08:30 +0200
+Subject: [PATCH] patch 9.0.1992: [security] segfault in exmode
+
+Problem:  segfault in exmode when redrawing
+Solution: skip gui_scroll when exmode_active
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/gui.c                         | 4 ++++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/src/gui.c b/src/gui.c
+index 1f546b2a75b57..9c9aa3cbecdcf 100644
+--- a/src/gui.c
+++ b/src/gui.c
+@@ -4436,6 +4436,7 @@ gui_do_scrollbar(
+  * Scroll a window according to the values set in the globals current_scrollbar
+  * and scrollbar_value.  Return TRUE if the cursor in the current window moved
+  * or FALSE otherwise.
+ * may eventually cause a redraw using updateWindow
+  */
+     int
+ gui_do_scroll(void)
+@@ -4455,6 +4456,9 @@ gui_do_scroll(void)
+     if (wp == NULL)
+ 	// Couldn't find window
+ 	return FALSE;
+    // don't redraw, LineOffset and similar are not valid!
+    if (exmode_active)
+	return FALSE;
+ 
+     /*
+      * Compute number of lines to scroll.  If zero, nothing to do.
--- a/backport-CVE-2023-5535.patch
+++ b/backport-CVE-2023-5535.patch
@ -0,0 +1,37 @@
+From 41e6f7d6ba67b61d911f9b1d76325cd79224753d Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 11 Oct 2023 21:08:13 +0200
+Subject: [PATCH] patch 9.0.2010: [security] use-after-free from
+ buf_contents_changed()
+
+Problem:  [security] use-after-free from buf_contents_changed()
+Solution: block autocommands
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/buffer.c                            |   5 +++++
+ 1 files changed, 5 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 93f9245f27f9d..9ee74f54dd6fd 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -5902,6 +5902,9 @@ buf_contents_changed(buf_T *buf)
+     // set curwin/curbuf to buf and save a few things
+     aucmd_prepbuf(&aco, newbuf);
+ 
+    // We don't want to trigger autocommands now, they may have nasty
+    // side-effects like wiping buffers
+    block_autocmds();
+     if (ml_open(curbuf) == OK
+ 	    && readfile(buf->b_ffname, buf->b_fname,
+ 				  (linenr_T)0, (linenr_T)0, (linenr_T)MAXLNUM,
+@@ -5927,6 +5930,8 @@ buf_contents_changed(buf_T *buf)
+     if (curbuf != newbuf)	// safety check
+ 	wipe_buffer(newbuf, FALSE);
+ 
+    unblock_autocmds();
+
+     return differ;
+ }
+ 
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        18
+Release:        19
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -107,6 +107,8 @@ Patch6077:      backport-CVE-2023-4750.patch
 Patch6078:      backport-CVE-2023-4752.patch
 Patch6079:      backport-CVE-2023-4781.patch
 Patch6080:      backport-CVE-2023-5344.patch
+Patch6081:      backport-CVE-2023-5441.patch
+Patch6082:      backport-CVE-2023-5535.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      vim-Add-sw64-architecture.patch
@ -517,6 +519,12 @@ LANG=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Oct 16 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-19
+- Type:CVE
+- ID:CVE-2023-5441 CVE-2023-5535
+- SUG:NA
+- DESC:fix CVE-2023-5441 CVE-2023-5535
+
 * Sun Oct 08 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-18
 - Type:CVE
 - ID:CVE-2023-5344