fix CVE-2023-46246
(cherry picked from commit fe504eaf29d551f5da63399ae8cfe0368970c25a)
This commit is contained in:
wangjiang
openeuler-sync-bot
parent
c8498996d1
commit
d0c5dace3d
102
backport-CVE-2023-46246.patch
Normal file
102
backport-CVE-2023-46246.patch
Normal file
@ -0,0 +1,102 @@
|
||||
From 9198c1f2b1ddecde22af918541e0de2a32f0f45a Mon Sep 17 00:00:00 2001
|
||||
From: Christian Brabandt <cb@256bit.org>
|
||||
Date: Thu, 26 Oct 2023 21:29:32 +0200
|
||||
Subject: [PATCH] patch 9.0.2068: [security] overflow in :history
|
||||
|
||||
Problem: [security] overflow in :history
|
||||
Solution: Check that value fits into int
|
||||
|
||||
The get_list_range() function, used to parse numbers for the :history
|
||||
and :clist command internally uses long variables to store the numbers.
|
||||
However function arguments are integer pointers, which can then
|
||||
overflow.
|
||||
|
||||
Check that the return value from the vim_str2nr() function is not larger
|
||||
than INT_MAX and if yes, bail out with an error. I guess nobody uses a
|
||||
cmdline/clist history that needs so many entries... (famous last words).
|
||||
|
||||
It is only a moderate vulnerability, so impact should be low.
|
||||
|
||||
Github Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
---
|
||||
src/cmdhist.c | 5 ++++-
|
||||
src/errors.h | 2 ++
|
||||
src/ex_getln.c | 10 +++++++++-
|
||||
src/testdir/test_history.vim | 8 ++++++++
|
||||
4 files changed, 23 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/cmdhist.c b/src/cmdhist.c
|
||||
index d398ca7a687b5..96a9b3e95b86f 100644
|
||||
--- a/src/cmdhist.c
|
||||
+++ b/src/cmdhist.c
|
||||
@@ -740,7 +740,10 @@ ex_history(exarg_T *eap)
|
||||
end = arg;
|
||||
if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
|
||||
{
|
||||
- semsg(_(e_trailing_characters_str), end);
|
||||
+ if (*end != NUL)
|
||||
+ semsg(_(e_trailing_characters_str), end);
|
||||
+ else
|
||||
+ semsg(_(e_val_too_large), arg);
|
||||
return;
|
||||
}
|
||||
|
||||
diff --git a/src/errors.h b/src/errors.h
|
||||
index 79a785e1e2953..72957d8b93bdc 100644
|
||||
--- a/src/errors.h
|
||||
+++ b/src/errors.h
|
||||
@@ -3306,3 +3306,5 @@ EXTERN char e_substitute_nesting_too_deep[]
|
||||
#endif
|
||||
EXTERN char e_window_unexpectedly_close_while_searching_for_tags[]
|
||||
INIT(= N_("E1299: Window unexpectedly closed while searching for tags"));
|
||||
+EXTERN char e_val_too_large[]
|
||||
+ INIT(= N_("E1510: Value too large: %s"));
|
||||
diff --git a/src/ex_getln.c b/src/ex_getln.c
|
||||
index 9683e2ebd5af5..8f0be520886be 100644
|
||||
--- a/src/ex_getln.c
|
||||
+++ b/src/ex_getln.c
|
||||
@@ -4326,6 +4326,10 @@ get_list_range(char_u **str, int *num1, int *num2)
|
||||
{
|
||||
vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
|
||||
*str += len;
|
||||
+ // overflow
|
||||
+ if (num > INT_MAX)
|
||||
+ return FAIL;
|
||||
+
|
||||
*num1 = (int)num;
|
||||
first = TRUE;
|
||||
}
|
||||
@@ -4336,8 +4340,12 @@ get_list_range(char_u **str, int *num1, int *num2)
|
||||
vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
|
||||
if (len > 0)
|
||||
{
|
||||
- *num2 = (int)num;
|
||||
*str = skipwhite(*str + len);
|
||||
+ // overflow
|
||||
+ if (num > INT_MAX)
|
||||
+ return FAIL;
|
||||
+
|
||||
+ *num2 = (int)num;
|
||||
}
|
||||
else if (!first) // no number given at all
|
||||
return FAIL;
|
||||
diff --git a/src/testdir/test_history.vim b/src/testdir/test_history.vim
|
||||
index bb6d67172585e..482328ab4aaef 100644
|
||||
--- a/src/testdir/test_history.vim
|
||||
+++ b/src/testdir/test_history.vim
|
||||
@@ -249,4 +249,12 @@ func Test_history_crypt_key()
|
||||
set key& bs& ts&
|
||||
endfunc
|
||||
|
||||
+" The following used to overflow and causing an use-after-free
|
||||
+func Test_history_max_val()
|
||||
+
|
||||
+ set history=10
|
||||
+ call assert_fails(':history 2147483648', 'E1510:')
|
||||
+ set history&
|
||||
+endfunc
|
||||
+
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
||||
9
vim.spec
9
vim.spec
@ -12,7 +12,7 @@
|
||||
Name: vim
|
||||
Epoch: 2
|
||||
Version: 9.0
|
||||
Release: 19
|
||||
Release: 20
|
||||
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
|
||||
License: Vim and MIT
|
||||
URL: http://www.vim.org
|
||||
@ -109,6 +109,7 @@ Patch6079: backport-CVE-2023-4781.patch
|
||||
Patch6080: backport-CVE-2023-5344.patch
|
||||
Patch6081: backport-CVE-2023-5441.patch
|
||||
Patch6082: backport-CVE-2023-5535.patch
|
||||
Patch6083: backport-CVE-2023-46246.patch
|
||||
|
||||
Patch9000: bugfix-rm-modify-info-version.patch
|
||||
Patch9001: vim-Add-sw64-architecture.patch
|
||||
@ -519,6 +520,12 @@ LANG=en_US.UTF-8 make -j1 test
|
||||
%{_mandir}/man1/evim.*
|
||||
|
||||
%changelog
|
||||
* Wed Nov 01 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-20
|
||||
- Type:CVE
|
||||
- ID:CVE-2023-46246
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2023-46246
|
||||
|
||||
* Mon Oct 16 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-19
|
||||
- Type:CVE
|
||||
- ID:CVE-2023-5441 CVE-2023-5535
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user