diff --git a/0001-fix.patch b/0001-fix.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b7ca6143cbaa99a200d3416014b4bb548d4b66c --- /dev/null +++ b/0001-fix.patch @@ -0,0 +1,92 @@ +From b29f4abcd4b3382fa746edd1d0562b7b48c9de60 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Thu, 1 Aug 2024 22:10:28 +0200 +Subject: [PATCH] patch 9.1.0648: [security] double-free in dialog_changed() + +Problem: [security] double-free in dialog_changed() + (SuyueGuo) +Solution: Only clear pointer b_sfname pointer, if it is different + than the b_ffname pointer. Don't try to free b_fname, + set it to NULL instead. + +fixes: #15403 + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f + +Signed-off-by: Christian Brabandt +--- + src/ex_cmds2.c | 6 ++++-- + src/testdir/crash/dialog_changed_uaf | Bin 0 -> 552 bytes + src/testdir/test_crash.vim | 6 ++++++ + src/version.c | 2 ++ + 4 files changed, 12 insertions(+), 2 deletions(-) + create mode 100644 src/testdir/crash/dialog_changed_uaf + +diff --git a/src/ex_cmds2.c b/src/ex_cmds2.c +index ce30b8d397c00f..0d76b3b27aa75f 100644 +--- a/src/ex_cmds2.c ++++ b/src/ex_cmds2.c +@@ -197,9 +197,11 @@ dialog_changed( + // restore to empty when write failed + if (empty_bufname) + { +- VIM_CLEAR(buf->b_fname); ++ // prevent double free ++ if (buf->b_sfname != buf->b_ffname) ++ VIM_CLEAR(buf->b_sfname); ++ buf->b_fname = NULL; + VIM_CLEAR(buf->b_ffname); +- VIM_CLEAR(buf->b_sfname); + unchanged(buf, TRUE, FALSE); + } + } +diff --git a/src/testdir/crash/dialog_changed_uaf b/src/testdir/crash/dialog_changed_uaf +new file mode 100644 +index 0000000000000000000000000000000000000000..e37d18d6daca107697bd19934b34054aa09e48a4 +GIT binary patch +literal 552 +zcmaKo!A{gb7=ZsSVA4Nz`lOEb_XQfzXmQI(h +zB_W$|Q|}&p0gqgG09c>IH^2vQY{3M*_}ymyN#^^0FRs_?L|EK)74X^j4ecMS-5Wsu +ztYZDu8)Q5_@S;j%$FkMAXqH#zri;;d{9}C0foYngn`Pg2S(e#t+di{xdkfcJZ#-YW +zy^nlM1x5l22mlTmYpSX&EiuOS8FOlh*A>`w+giMgGs +z&=7u1Afp5YM_QX*rLJq5EF4;aQxkH;9>eHEzKnaxL*tp*h|1+s8TnTJhO{o5uB#zn +zR~QCGL;Dhtc_j}O>_TIY90vtWh~I;mP0>evFr-9~$(aE3+QLF>5@_F0c^amRVL}=2 +z@%a6HJ$CRA;g^(h`U-#!`?(x=;2`@L|8M6}W#`bc?_}9&wo(+n4gHu4-b+ls|0hk= +buhVkxmBKq0EhW_}{Zl))e5nDWDZ=PC8xf-< + +literal 0 +HcmV?d00001 + +diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim +index 29061aa4238fdd..9aef2450267b8a 100644 +--- a/src/testdir/test_crash.vim ++++ b/src/testdir/test_crash.vim +@@ -196,6 +196,12 @@ func Test_crash1_3() + call term_sendkeys(buf, args) + call TermWait(buf, 50) + ++ let file = 'crash/dialog_changed_uaf' ++ let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\" ++ let args = printf(cmn_args, vim, file) ++ call term_sendkeys(buf, args) ++ call TermWait(buf, 150) ++ + " clean up + exe buf .. "bw!" + bw! +diff --git a/src/version.c b/src/version.c +index 0e49ebd7a05f22..3ca60012693a3c 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -704,6 +704,8 @@ static char *(features[]) = + + static int included_patches[] = + { /* Add new patch number below this line */ ++/**/ ++ 648, + /**/ + 647, + /**/ + diff --git a/vim.spec b/vim.spec index eedfe1fa625b8e0970e98365bc69409cee564bb5..4e2c0efd51619ad5318d416594a9f0201bd29335 100644 --- a/vim.spec +++ b/vim.spec @@ -1,4 +1,4 @@ -%define anolis_release 4 +%define anolis_release 6 %bcond_without gui %bcond_with default_editor @@ -62,6 +62,8 @@ Patch0001: 1001-vim-8.0-copy-paste.patch Patch0002: 1002-stack-buffer-overflow-in-option-callback-functions.patch #https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919 Patch0003: 1003-fix-cve-2025-24014.patch +#https://github.com/vim/vim/commit/b29f4abcd4b3382fa746edd1d0562b7b48c +Patch0004: 0001-fix.patch BuildRequires: autoconf gcc glibc-gconv-extra make BuildRequires: gettext gpm-devel libacl-devel @@ -806,6 +808,7 @@ touch %{buildroot}/%{data_dir}/vimfiles/doc/tags %endif %changelog +* Tus xxxxx -3:9.0.2092-5 * Fri Feb 28 2025 yangxinyu - 3:9.0.2092-4 - fix fix CVE-2025-24014