packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-46246

Browse Source 
(cherry picked from commit fe504eaf29d551f5da63399ae8cfe0368970c25a)
This commit is contained in:
wangjiang 2023-11-01 10:20:49 +08:00 committed by openeuler-sync-bot
parent c8498996d1
commit d0c5dace3d
2 changed files with 110 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
backport-CVE-2023-46246.patch Normal file
View File

@ -0,0 +1,102 @@
From 9198c1f2b1ddecde22af918541e0de2a32f0f45a Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Thu, 26 Oct 2023 21:29:32 +0200
Subject: [PATCH] patch 9.0.2068: [security] overflow in :history
Problem: [security] overflow in :history
Solution: Check that value fits into int
The get_list_range() function, used to parse numbers for the :history
and :clist command internally uses long variables to store the numbers.
However function arguments are integer pointers, which can then
overflow.
Check that the return value from the vim_str2nr() function is not larger
than INT_MAX and if yes, bail out with an error. I guess nobody uses a
cmdline/clist history that needs so many entries... (famous last words).
It is only a moderate vulnerability, so impact should be low.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
src/cmdhist.c | 5 ++++-
src/errors.h | 2 ++
src/ex_getln.c | 10 +++++++++-
src/testdir/test_history.vim | 8 ++++++++
4 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/cmdhist.c b/src/cmdhist.c
index d398ca7a687b5..96a9b3e95b86f 100644
--- a/src/cmdhist.c
+++ b/src/cmdhist.c
@@ -740,7 +740,10 @@ ex_history(exarg_T *eap)
end = arg;
if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
{
- semsg(_(e_trailing_characters_str), end);
+ if (*end != NUL)
+ semsg(_(e_trailing_characters_str), end);
+ else
+ semsg(_(e_val_too_large), arg);
return;
}
diff --git a/src/errors.h b/src/errors.h
index 79a785e1e2953..72957d8b93bdc 100644
--- a/src/errors.h
+++ b/src/errors.h
@@ -3306,3 +3306,5 @@ EXTERN char e_substitute_nesting_too_deep[]
#endif
EXTERN char e_window_unexpectedly_close_while_searching_for_tags[]
INIT(= N_("E1299: Window unexpectedly closed while searching for tags"));
+EXTERN char e_val_too_large[]
+ INIT(= N_("E1510: Value too large: %s"));
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 9683e2ebd5af5..8f0be520886be 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -4326,6 +4326,10 @@ get_list_range(char_u **str, int *num1, int *num2)
{
vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
*str += len;
+ // overflow
+ if (num > INT_MAX)
+ return FAIL;
+
*num1 = (int)num;
first = TRUE;
}
@@ -4336,8 +4340,12 @@ get_list_range(char_u **str, int *num1, int *num2)
vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
if (len > 0)
{
- *num2 = (int)num;
*str = skipwhite(*str + len);
+ // overflow
+ if (num > INT_MAX)
+ return FAIL;
+
+ *num2 = (int)num;
}
else if (!first) // no number given at all
return FAIL;
diff --git a/src/testdir/test_history.vim b/src/testdir/test_history.vim
index bb6d67172585e..482328ab4aaef 100644
--- a/src/testdir/test_history.vim
+++ b/src/testdir/test_history.vim
@@ -249,4 +249,12 @@ func Test_history_crypt_key()
set key& bs& ts&
endfunc
+" The following used to overflow and causing an use-after-free
+func Test_history_max_val()
+
+ set history=10
+ call assert_fails(':history 2147483648', 'E1510:')
+ set history&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab

9
vim.spec
View File

@ -12,7 +12,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: 9.0 Version: 9.0
Release: 19 Release: 20
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -109,6 +109,7 @@ Patch6079: backport-CVE-2023-4781.patch
Patch6080: backport-CVE-2023-5344.patch Patch6080: backport-CVE-2023-5344.patch
Patch6081: backport-CVE-2023-5441.patch Patch6081: backport-CVE-2023-5441.patch
Patch6082: backport-CVE-2023-5535.patch Patch6082: backport-CVE-2023-5535.patch
Patch6083: backport-CVE-2023-46246.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
Patch9001: vim-Add-sw64-architecture.patch Patch9001: vim-Add-sw64-architecture.patch
@ -519,6 +520,12 @@ LANG=en_US.UTF-8 make -j1 test
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Wed Nov 01 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-20
- Type:CVE
- ID:CVE-2023-46246
- SUG:NA
- DESC:fix CVE-2023-46246
* Mon Oct 16 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-19 * Mon Oct 16 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-19
- Type:CVE - Type:CVE
- ID:CVE-2023-5441 CVE-2023-5535 - ID:CVE-2023-5441 CVE-2023-5535