From ee064d150f1d9ec4ee399070777bfa1e28eb7d69 Mon Sep 17 00:00:00 2001 From: dongyuzhen Date: Mon, 19 Sep 2022 17:16:39 +0800 Subject: [PATCH] fix CVE-2022-3234,CVE-2022-3235 (cherry picked from commit 00c4d86f261df01bf23ac7a3d4e06d619d4058b6) --- backport-CVE-2022-3234.patch | 78 ++++++++++++++++++++++++++++++++++++ backport-CVE-2022-3235.patch | 75 ++++++++++++++++++++++++++++++++++ vim.spec | 10 ++++- 3 files changed, 162 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-3234.patch create mode 100644 backport-CVE-2022-3235.patch diff --git a/backport-CVE-2022-3234.patch b/backport-CVE-2022-3234.patch new file mode 100644 index 0000000..32181f4 --- /dev/null +++ b/backport-CVE-2022-3234.patch @@ -0,0 +1,78 @@ +From c249913edc35c0e666d783bfc21595cf9f7d9e0d Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 16 Sep 2022 22:16:59 +0100 +Subject: [PATCH] patch 9.0.0483: illegal memory access when replacing in + virtualedit mode + +Problem: Illegal memory access when replacing in virtualedit mode. +Solution: Check for replacing NUL after Tab. +--- + src/ops.c | 12 ++++++++++-- + src/testdir/test_virtualedit.vim | 14 ++++++++++++++ + 2 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/ops.c b/src/ops.c +index b930878..33cbd8e 100644 +--- a/src/ops.c ++++ b/src/ops.c +@@ -1160,6 +1160,8 @@ op_replace(oparg_T *oap, int c) + + while (LTOREQ_POS(curwin->w_cursor, oap->end)) + { ++ int done = FALSE; ++ + n = gchar_cursor(); + if (n != NUL) + { +@@ -1173,6 +1175,7 @@ op_replace(oparg_T *oap, int c) + if (curwin->w_cursor.lnum == oap->end.lnum) + oap->end.col += new_byte_len - old_byte_len; + replace_character(c); ++ done = TRUE; + } + else + { +@@ -1191,10 +1194,15 @@ op_replace(oparg_T *oap, int c) + if (curwin->w_cursor.lnum == oap->end.lnum) + getvpos(&oap->end, end_vcol); + } +- PBYTE(curwin->w_cursor, c); ++ // with "coladd" set may move to just after a TAB ++ if (gchar_cursor() != NUL) ++ { ++ PBYTE(curwin->w_cursor, c); ++ done = TRUE; ++ } + } + } +- else if (virtual_op && curwin->w_cursor.lnum == oap->end.lnum) ++ if (!done && virtual_op && curwin->w_cursor.lnum == oap->end.lnum) + { + int virtcols = oap->end.coladd; + +diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim +index b31f3a2..0031b22 100644 +--- a/src/testdir/test_virtualedit.vim ++++ b/src/testdir/test_virtualedit.vim +@@ -537,4 +537,18 @@ func Test_global_local_virtualedit() + set virtualedit& + endfunc + ++" this was replacing the NUL at the end of the line ++func Test_virtualedit_replace_after_tab() ++ new ++ s/\v/ 0 ++ set ve=all ++ let @" = '' ++ sil! norm vPvr0 ++ ++ call assert_equal("\t0", getline(1)) ++ set ve& ++ bwipe! ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.27.0 + diff --git a/backport-CVE-2022-3235.patch b/backport-CVE-2022-3235.patch new file mode 100644 index 0000000..02870fb --- /dev/null +++ b/backport-CVE-2022-3235.patch @@ -0,0 +1,75 @@ +From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 17 Sep 2022 19:43:23 +0100 +Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter + autocmd + +Problem: Using freed memory with cmdwin and BufEnter autocmd. +Solution: Make sure pointer to b_p_iminsert is still valid. +--- + src/ex_getln.c | 8 ++++++-- + src/testdir/test_cmdline.vim | 10 ++++++++++ + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/src/ex_getln.c b/src/ex_getln.c +index 8dc03dc..535bfb5 100644 +--- a/src/ex_getln.c ++++ b/src/ex_getln.c +@@ -1607,6 +1607,7 @@ getcmdline_int( + #endif + expand_T xpc; + long *b_im_ptr = NULL; ++ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid + cmdline_info_T save_ccline; + int did_save_ccline = FALSE; + int cmdline_type; +@@ -1703,6 +1704,7 @@ getcmdline_int( + b_im_ptr = &curbuf->b_p_iminsert; + else + b_im_ptr = &curbuf->b_p_imsearch; ++ b_im_ptr_buf = curbuf; + if (*b_im_ptr == B_IMODE_LMAP) + State |= MODE_LANGMAP; + #ifdef HAVE_INPUT_METHOD +@@ -2060,7 +2062,8 @@ getcmdline_int( + goto cmdline_not_changed; + + case Ctrl_HAT: +- cmdline_toggle_langmap(b_im_ptr); ++ cmdline_toggle_langmap( ++ buf_valid(b_im_ptr_buf) ? b_im_ptr : NULL); + goto cmdline_not_changed; + + // case '@': only in very old vi +@@ -2573,7 +2576,8 @@ returncmd: + #endif + + #ifdef HAVE_INPUT_METHOD +- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP) ++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf) ++ && *b_im_ptr != B_IMODE_LMAP) + im_save_status(b_im_ptr); + im_set_active(FALSE); + #endif +diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim +index 08e2de7..440df96 100644 +--- a/src/testdir/test_cmdline.vim ++++ b/src/testdir/test_cmdline.vim +@@ -3447,4 +3447,14 @@ func Test_cmdwin_virtual_edit() + set ve= cpo-=$ + endfunc + ++" This was using a pointer to a freed buffer ++func Test_cmdwin_freed_buffer_ptr() ++ au BufEnter * next 0| file ++ edit 0 ++ silent! norm q/ ++ ++ au! BufEnter ++ bwipe! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.27.0 + diff --git a/vim.spec b/vim.spec index 8fa4ea0..06cf082 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 14 +Release: 15 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -63,6 +63,8 @@ Patch6032: backport-CVE-2022-3037.patch Patch6033: backport-CVE-2022-3099.patch Patch6034: backport-CVE-2022-3134.patch Patch6035: backport-CVE-2022-3153.patch +Patch6036: backport-CVE-2022-3234.patch +Patch6037: backport-CVE-2022-3235.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -461,6 +463,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Mon Sep 19 2022 dongyuzhen - 2:9.0-15 +- Type:CVE +- ID:CVE-2022-3234 CVE-2022-3235 +- SUG:NA +- DESC:fix CVE-2022-3234 CVE-2022-3235 + * Fri Sep 16 2022 wangjiang - 2:9.0-14 - Type:enhancement - ID:NA -- Gitee