diff --git a/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch b/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a2eb48be6de2530148a2b551061e64eb222f542c
--- /dev/null
+++ b/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
@@ -0,0 +1,22 @@
+diff -up vim80/src/regexp.c.cve1154 vim80/src/regexp.c
+--- vim80/src/regexp.c.cve1154 2022-04-09 12:01:30.054452927 +0200
++++ vim80/src/regexp.c 2022-04-09 12:02:48.987999877 +0200
+@@ -4415,8 +4415,17 @@ regmatch(
+ int mark = OPERAND(scan)[0];
+ int cmp = OPERAND(scan)[1];
+ pos_T *pos;
++ size_t col = REG_MULTI ? reginput - regline : 0;
+ 
+ pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ regline = reg_getline(reglnum);
++ reginput = regline + col;
++ }
++
+ if (pos == NULL /* mark doesn't exist */
+ || pos->lnum <= 0 /* mark isn't set in reg_buf */
+ || (pos->lnum == reglnum + rex.reg_firstlnum
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve1154 vim80/src/testdir/test_regexp_latin.vim
diff --git a/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch b/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e9985244c84456a7d45143fd7ed40c4439626db7
--- /dev/null
+++ b/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
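Review bot: The patch file ends with a bare `+diff -up vim80/src/testdir/test_regexp_latin.vim.cve1154 ...` header with no hunk behind it, so patch(1) will skip that trailer as garbage while the regression test it announces is not actually carried into this build; either drop the line or include the upstream test hunk so the test suite exercises the mark-match re-read path. The fix itself re-fetches `regline`/`reginput` after `getmark_buf()` because, as the added comment says, the line may have been freed by then, but nothing explains why the offset is captured first; a why-comment on the new `col` line would help the next backporter: `// getmark_buf() may free the current line; keep the offset so reginput can be re-based below.` `regmatch()` starts and ends outside the hunk.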
@@ -0,0 +1,54 @@
+diff -up vim80/src/globals.h.cve1621 vim80/src/globals.h
+--- vim80/src/globals.h.cve1621 2022-05-24 12:46:44.883952323 +0200
++++ vim80/src/globals.h 2022-05-24 12:47:30.534183523 +0200
+@@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL
+ EXTERN int ctrl_break_was_pressed INIT(= FALSE);
+ #endif
+ 
++#ifdef FEAT_SPELL
++EXTERN char e_illegal_character_in_word[]
++ INIT(= N_("E1280: Illegal character in word"));
++#endif
++
+ /*
+ * Optional Farsi support. Include it here, so EXTERN and INIT are defined.
+ */
+diff -up vim80/src/mbyte.c.cve1621 vim80/src/mbyte.c
+--- vim80/src/mbyte.c.cve1621 2018-04-09 14:55:56.000000000 +0200
++++ vim80/src/mbyte.c 2022-05-24 12:22:13.166893098 +0200
+@@ -4034,7 +4034,7 @@ theend:
+ convert_setup(&vimconv, NULL, NULL);
+ }
+ 
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+ * Return TRUE if string "s" is a valid utf-8 string.
+ * When "end" is NULL stop at the first NUL.
+diff -up vim80/src/spellfile.c.cve1621 vim80/src/spellfile.c
+--- vim80/src/spellfile.c.cve1621 2022-05-24 12:22:13.167893104 +0200
++++ vim80/src/spellfile.c 2022-05-24 12:49:55.816919350 +0200
+@@ -4441,6 +4441,10 @@ store_word(
+ int res = OK;
+ char_u *p;
+ 
++ // Avoid adding illegal bytes to the word tree.
++ if (enc_utf8 && !utf_valid_string(word, NULL))
++ return FAIL;
++
+ (void)spell_casefold(word, len, foldword, MAXWLEN);
+ for (p = pfxlist; res == OK; ++p)
+ {
+@@ -6251,6 +6255,12 @@ spell_add_word(
+ int i;
+ char_u *spf;
+ 
++ if (enc_utf8 && !utf_valid_string(word, NULL))
++ {
++ emsg(_(e_illegal_character_in_word));
++ return;
++ }
++
+ if (idx == 0) /* use internal wordlist */
+ {
+ if (int_wordlist == NULL)
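Review bot: The new `utf_valid_string()` calls in `store_word()` and `spell_add_word()` are guarded only by the runtime flag `enc_utf8`, yet in this 8.0 tree multibyte handling is still a compile-time feature (the search.c patch in the same series keeps its `#ifdef FEAT_MBYTE`); if `enc_utf8` and `utf_valid_string()` live under that feature, as they presumably do here, a FEAT_SPELL build without FEAT_MBYTE would stop compiling, so wrap both call sites in `#ifdef FEAT_MBYTE` unless the distro build is confirmed to always enable it. The message is declared `EXTERN char e_illegal_character_in_word[]` and passed to `emsg(_(...))`, which is 8.2 style; the surrounding 8.0 code likely declares its `e_*` strings as `char_u` and calls `EMSG(_(...))`, so this may warn under `-Wpointer-sign` and is worth aligning with the file's convention. Note also that `store_word()` rejects silently with `FAIL` while `spell_add_word()` reports E1280; that is consistent with upstream, but a one-line comment at the `return FAIL;` saying the caller is expected to report would save a reader the question. Both functions start and end outside the hunks.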
diff --git a/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch b/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6ce497fe4ae01efcb6ea81506e1c39874a8aa3ab
--- /dev/null
+++ b/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
@@ -0,0 +1,15 @@
+diff -up vim80/src/search.c.cve1629 vim80/src/search.c
+--- vim80/src/search.c.cve1629 2022-05-24 13:55:06.789859865 +0200
++++ vim80/src/search.c 2022-05-24 13:56:31.889218958 +0200
+@@ -4349,7 +4349,11 @@ find_next_quote(
+ if (c == NUL)
+ return -1;
+ else if (escape != NULL && vim_strchr(escape, c))
++ {
++ ++col;
++ if (line[col] == NUL)
++ return -1;
++ }
+ else if (c == quotechar)
+ break;
+ #ifdef FEAT_MBYTE
diff --git a/spec-template b/spec-template
old mode 100644
new mode 100755
diff --git a/vim.spec b/vim.spec
index 95ee3f9c5683c088ccf2c6a63db9bb2624184423..5adf3ff3f3b7757683753f2618637f89f6dd5c36 100644
--- a/vim.spec
+++ b/vim.spec
@@ -25,7 +25,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{anolis_release}%{?dist}.12
+Release: 19%{anolis_release}%{?dist}.2
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
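Review bot: As reproduced here the inner hunk header `@@ -4349,7 +4349,11 @@` announces seven old lines but only six context lines follow, and `++col;` is marked as added rather than kept, whereas upstream 8.2.4925 keeps `++col;` as context and adds only the braces and the NUL check; if this is the file's real content rather than a rendering artifact, patch(1) will reject the hunk as malformed, so regenerate it with `diff -up` against the pristine source. The check itself is the right one: an escape character as the last byte has nothing to escape, and presumably the column advance further down would otherwise step past the terminating NUL; a short comment above the new `if` would record that, e.g. `// trailing escape char: nothing to skip, and advancing would read past the NUL`. `find_next_quote()` continues outside the hunk, and the patch as shown carries no regression test for this case.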
@@ -76,9 +76,9 @@ Patch3019: 0001-patch-8.1.1365-source-command-doesn-t-check-for-the-.patch Patch3020: vim-crypto-warning.patch # 1842755 - CVE-2019-20807 Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch -# 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0] +# 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0] Patch3022: vim-cve3796.patch -# 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0] +# 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0] Patch3023: vim-cve3778-fix.patch Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch # 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0] @@ -101,6 +101,12 @@ Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch # CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch +# CVE-2022-1154 vim: use after free in utf_ptr2char +Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch +# CVE-2022-1621 vim: heap buffer overflow +Patch3036: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch +# CVE-2022-1629 vim: buffer over-read +Patch3037: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch # Add by Anolis # backport patch to fix build error with ruby @@ -317,6 +323,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3032 -p1 -b .cve0392 %patch3033 -p1 -b .cve0413 %patch3034 -p1 -b .cve0361 +%patch3035 -p1 -b .cve1154 +%patch3036 -p1 -b .cve1621 +%patch3037 -p1 -b .cve1629 %patch10000 -p1 
@@ -837,58 +846,46 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog -* Mon Mar 21 2022 Mahailiang - 2:8.0.1763-16.0.1.12 +* Wed Jul 06 2022 Mahailiang - 2:8.0.1763-19.0.1.2 - Rebrand to Anolis(Xiaoxuan Yang) - Fix build issue with ruby(Liwei Ge) -* Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-16.12 -- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository - -* Fri Feb 04 2022 Tomas Korbar - 2:8.0.1763-16.11 -- CVE-2022-0413 vim: use after free in src/ex_cmds.c -- Fix specfile problems -- Resolves: rhbz#2048525 +* Wed May 25 2022 Zdenek Dohnal - 2:8.0.1763-19.2 +- CVE-2022-1621 vim: heap buffer overflow +- CVE-2022-1629 vim: buffer over-read -* Thu Feb 03 2022 Tomas Korbar - 2:8.0.1763-16.10 -- CVE-2022-0413 vim: use after free in src/ex_cmds.c -- Resolves: rhbz#2048525 +* Sat Apr 09 2022 Zdenek Dohnal - 2:8.0.1763-19.1 +- CVE-2022-1154 vim: use after free in utf_ptr2char -* Wed Feb 02 2022 Tomas Korbar - 2:8.0.1763-16.9 -- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c -- Improve fix -- Resolves: rhbz#2049403 +* Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-19 +- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository -* Wed Feb 02 2022 Tomas Korbar - 2:8.0.1763-16.8 +* Mon Feb 07 2022 Zdenek Dohnal - 2:8.0.1763-18 - CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c -- Resolves: rhbz#2049403 - -* Thu Jan 27 2022 Zdenek Dohnal - 2:8.0.1763-16.7 -- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c +- CVE-2022-0413 vim: use after free in src/ex_cmds.c -* Thu Jan 27 2022 Zdenek Dohnal - 2:8.0.1763-16.6 +* Thu Jan 27 2022 Zdenek Dohnal - 2:8.0.1763-18 - fix test suite after fix for CVE-2022-0318 +- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c -* Wed Jan 26 2022 Zdenek Dohnal - 2:8.0.1763-16.5 +* Wed Jan 12 2022 Zdenek Dohnal - 2:8.0.1763-18 - CVE-2022-0261 vim: Heap-based Buffer 
Overflow in block_insert() in src/ops.c - CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c -* Wed Jan 12 2022 Zdenek Dohnal - 2:8.0.1763-16.4 +* Wed Jan 12 2022 Zdenek Dohnal - 2:8.0.1763-18 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read - CVE-2021-4192 vim: vulnerable to Use After Free -* Fri Dec 03 2021 Zdenek Dohnal - 2:8.0.1763-16.3 +* Fri Dec 03 2021 Zdenek Dohnal - 2:8.0.1763-18 - 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0] - 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0] -* Tue Oct 26 2021 Zdenek Dohnal - 2:8.0.1763-16.2 -- remove the upstream test - uses a feature which is not presented in RHEL 8 - -* Tue Oct 26 2021 Zdenek Dohnal - 2:8.0.1763-16.1 -- CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0] +* Tue Oct 26 2021 Zdenek Dohnal - 2:8.0.1763-17 +- 2016201 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0] -* Mon Sep 20 2021 Zdenek Dohnal - 2:8.0.1763-16 -- 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0] -- 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0] +* Thu Sep 23 2021 Zdenek Dohnal - 2:8.0.1763-16 +- 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0] +- 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0] * Tue Jun 02 2020 Zdenek Dohnal - 2:8.0.1763-15 - 1842755 - CVE-2019-20807 diff --git a/vimrc b/vimrc old mode 100644 new mode 100755 diff --git a/virc b/virc old mode 100644 new mode 100755
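Review bot: `vimrc`, `virc` and `spec-template` change mode from 100644 to 100755 with no content change, which looks accidental rather than intended — config files that Vim sources gain nothing from the executable bit, and an executable file under /etc invites scanners and auditors to treat it as a script. If the spec installs them with an explicit `install -m 644` the packaged files are unaffected, but that line is not in view, and the repository copies should be reverted anyway with `chmod 644 vimrc virc spec-template`.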