diff --git a/0001-fix-cve-2025-22134.patch b/0001-fix-cve-2025-22134.patch
new file mode 100644
index 0000000000000000000000000000000000000000..309a8dfe64e108e011be29eecb9cc87d30a640ff
--- /dev/null
+++ b/0001-fix-cve-2025-22134.patch
@@ -0,0 +1,113 @@
+From ac9fef90ff5214d7ede6bdcb618a74186ce13c3d Mon Sep 17 00:00:00 2001
+From: Huang Yang
+Date: Thu, 27 Mar 2025 03:22:35 +0000
+Subject: [PATCH] fix cve 2025 22134
+
+fix cve 2025 22134
+---
+ src/arglist.c | 4 ++++
+ src/misc1.c | 4 ++++
+ src/testdir/test_visual.vim | 26 ++++++++++++++++++++++----
+ 3 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/src/arglist.c b/src/arglist.c
+index a63f6c7..b7ffdc1 100644
+--- a/src/arglist.c
++++ b/src/arglist.c
+@@ -1242,6 +1242,10 @@ do_arg_all(
+
+ tabpage_T *new_lu_tp = curtab;
+
++ // Stop Visual mode, the cursor and "VIsual" may very well be invalid after
++ // switching to another buffer.
++ reset_VIsual_and_resel();
++
+ // Try closing all windows that are not in the argument list.
+ // Also close windows that are not full width;
+ // When 'hidden' or "forceit" set the buffer becomes hidden.
+diff --git a/src/misc1.c b/src/misc1.c
+index 5f9828e..10baf9f 100644
+--- a/src/misc1.c
++++ b/src/misc1.c
+@@ -535,11 +535,15 @@ plines_m_win(win_T *wp, linenr_T first, linenr_T last, int limit_winheight)
+ gchar_pos(pos_T *pos)
+ {
+ char_u *ptr;
++ int ptrlen;
+
+ // When searching columns is sometimes put at the end of a line.
+ if (pos->col == MAXCOL)
+ return NUL;
++ ptrlen = STRLEN(ml_get(pos->lnum));
+ ptr = ml_get_pos(pos);
++ if (pos->col > ptrlen)
++ return NUL;
+ if (has_mbyte)
+ return (*mb_ptr2char)(ptr);
+ return (int)*ptr;
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 290641e..5e005c4 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -469,7 +469,7 @@ func Test_Visual_Block()
+ \ "\t{",
+ \ "\t}"], getline(1, '$'))
+
+- close!
++ bw!
+ endfunc
+
+ " Test for 'p'ut in visual block mode
+@@ -1079,7 +1079,7 @@ func Test_star_register()
+
+ delmarks < >
+ call assert_fails('*yank', 'E20:')
+- close!
++ bw!
+ endfunc
+
+ " Test for changing text in visual mode with 'exclusive' selection
+@@ -1095,7 +1095,7 @@ func Test_exclusive_selection()
+ call assert_equal('l one', getline(1))
+ set virtualedit&
+ set selection&
+- close!
++ bw!
+ endfunc
+
+ " Test for starting linewise visual with a count.
+@@ -1152,7 +1152,7 @@ func Test_visual_inner_block()
+ 8,9d
+ call cursor(5, 1)
+ call assert_beeps('normal ViBiB')
+- close!
++ bw!
+ endfunc
+
+ func Test_visual_put_in_block()
+@@ -1587,4 +1587,22 @@ func Test_Visual_r_CTRL_C()
+ bw!
+ endfu
+
++" the following caused a Heap-Overflow, because Vim was accessing outside of a
++" line end
++func Test_visual_pos_buffer_heap_overflow()
++ set virtualedit=all
++ args Xa Xb
++ all
++ call setline(1, ['', '', ''])
++ call cursor(3, 1)
++ wincmd w
++ call setline(1, 'foobar')
++ normal! $lv0
++ all
++ call setreg('"', 'baz')
++ normal! [P
++ set virtualedit=
++ bw! Xa Xb
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.41.0
+
diff --git a/vim.spec b/vim.spec
index 5fa603f90e2a452763f33d240f496d3b71e5770d..237d4b72c74fc7bfb4d10250e1d8f6be1ec40399 100644
--- a/vim.spec
+++ b/vim.spec
@@ -1,4 +1,4 @@
-%define anolis_release 5
+%define anolis_release 6
 %bcond_without gui
 %bcond_with default_editor
@@ -71,6 +71,8 @@ Patch1001: 1001-vim-8.0-copy-paste.patch
 Patch1002: 1002-stack-buffer-overflow-in-option-callback-functions.patch
 #https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919
 Patch1003: 1003-fix-cve-2025-24014.patch
+#https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead
+Patch1004: 0001-fix-cve-2025-22134.patch
 BuildRequires: autoconf gcc glibc-gconv-extra make
 BuildRequires: gettext gpm-devel libacl-devel
@@ -815,6 +817,9 @@ touch %{buildroot}/%{data_dir}/vimfiles/doc/tags
 %endif
 %changelog
+* Thu Mar 27 2025 Huanng Yang - 3:9.0.2092-6
+- fix fix CVE-2025-22134
+
 * Mon Mar 3 2025 Chang Gao - 3:9.0.2092-5
 - Fix cve regression:
 - CVE-2023-48231~CVE-2023-48237 and CVE-2023-48706
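Review bot: In the `gchar_pos` hunk of src/misc1.c the new check `if (pos->col > ptrlen)` runs only after `ml_get_pos(pos)` has already been called with the unvalidated column, so a pointer past the end of the line is still formed before it is rejected. Assuming `ml_get_pos()` is just the line pointer plus `pos->col` (its body is not shown here), the line could be fetched once and tested first: `ptr = ml_get(pos->lnum);` `if (pos->col > (colnr_T)STRLEN(ptr)) return NUL;` `ptr += pos->col;`. That also removes the second line lookup and the narrowing of the `STRLEN` result into the `int ptrlen`. If the backport is meant to stay byte-identical to the upstream commit, a comment above the check such as `// "col" may point past the line end when Visual is stale; never dereference it` would at least record why the guard exists. The return-type line and closing brace of `gchar_pos` are outside the hunk.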
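Review bot: The new `Patch1004` entry in vim.spec is declared, but this diff contains no matching `%patch` line for it. If `%prep` applies patches explicitly rather than through `%autosetup` or `%autopatch` (that section is not visible here), the CVE-2025-22134 fix would be shipped in the SRPM without ever being applied, so confirm from a build log that the patch is applied and that `Test_visual_pos_buffer_heap_overflow` runs. The file name `0001-fix-cve-2025-22134.patch` also departs from the `1001-`/`1002-`/`1003-` numbering of the neighbouring entries; `Patch1004: 1004-fix-cve-2025-22134.patch` would match. The changelog entry in the last hunk reads `fix fix CVE-2025-22134` and spells the author `Huanng Yang`, while the patch header says `Huang Yang`.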