From 2b8744b5dec19f4828152efe6eadac98e6df13d3 Mon Sep 17 00:00:00 2001 From: hongwei-qin Date: Mon, 21 Mar 2022 04:17:33 -0400 Subject: [PATCH 1/3] update to vim-8.0.1763-16.el8_5.12 Signed-off-by: hongwei-qin --- ...lock-insert-goes-over-the-end-of-the.patch | 95 +++++++++++++++++++ ...151-reading-beyond-the-end-of-a-line.patch | 46 +++++++++ ...llegal-memory-access-with-large-tabs.patch | 12 +++ ...llegal-memory-access-when-copying-li.patch | 33 +++++++ ...llegal-memory-access-with-bracketed-.patch | 85 +++++++++++++++++ ...sing-freed-memory-when-substitute-wi.patch | 51 ++++++++++ 0001-vim-anolis-build-with-ruby26.patch | 60 ------------ vim.spec | 73 ++++++++++---- 8 files changed, 377 insertions(+), 78 deletions(-) create mode 100644 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch create mode 100644 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch create mode 100644 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch create mode 100644 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch create mode 100644 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch create mode 100644 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch delete mode 100644 0001-vim-anolis-build-with-ruby26.patch diff --git a/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch b/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch new file mode 100644 index 0000000..31d30c1 --- /dev/null +++ b/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch @@ -0,0 +1,95 @@ +diff -up vim80/src/ops.c.cve0261 vim80/src/ops.c +--- vim80/src/ops.c.cve0261 2022-01-26 14:30:27.475308323 +0100 ++++ vim80/src/ops.c 2022-01-26 14:34:16.650933713 +0100 +@@ -636,23 +636,30 @@ block_insert( + if (b_insert) + { + off = (*mb_head_off)(oldp, oldp + offset + spaces); ++ spaces -= off; ++ count -= off; + } + else + { +- off = (*mb_off_next)(oldp, oldp + offset); +- offset += off; ++ // spaces fill the gap, the character that's at the edge moves ++ // right ++ off = (*mb_head_off)(oldp, oldp + offset); ++ offset -= off; + } + spaces -= off; + count -= off; + } + #endif + +- newp = alloc_check((unsigned)(STRLEN(oldp)) + s_len + count + 1); ++ // Make sure the allocated size matches what is actually copied below. ++ newp = alloc(STRLEN(oldp) + spaces + s_len ++ + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0) ++ + count + 1); + if (newp == NULL) + continue; + + /* copy up to shifted part */ +- mch_memmove(newp, oldp, (size_t)(offset)); ++ mch_memmove(newp, oldp, (size_t)offset); + oldp += offset; + + /* insert pre-padding */ +@@ -662,14 +669,21 @@ block_insert( + mch_memmove(newp + offset + spaces, s, (size_t)s_len); + offset += s_len; + +- if (spaces && !bdp->is_short) ++ if (spaces > 0 && !bdp->is_short) + { +- /* insert post-padding */ +- vim_memset(newp + offset + spaces, ' ', (size_t)(p_ts - spaces)); +- /* We're splitting a TAB, don't copy it. */ +- oldp++; +- /* We allowed for that TAB, remember this now */ +- count++; ++ if (*oldp == TAB) ++ { ++ // insert post-padding ++ vim_memset(newp + offset + spaces, ' ', ++ (size_t)(p_ts - spaces)); ++ // we're splitting a TAB, don't copy it ++ oldp++; ++ // We allowed for that TAB, remember this now ++ count++; ++ } ++ else ++ // Not a TAB, no extra spaces ++ count = spaces; + } + + if (spaces > 0) +@@ -2738,9 +2752,9 @@ op_insert(oparg_T *oap, long count1) + oap->start_vcol = t; + } + else if (oap->op_type == OP_APPEND +- && oap->end.col ++ && oap->start.col + #ifdef FEAT_VIRTUALEDIT +- + oap->end.coladd ++ + oap->start.coladd + #endif + >= curbuf->b_op_start_orig.col + #ifdef FEAT_VIRTUALEDIT +diff -up vim80/src/testdir/test_visual.vim.cve0261 vim80/src/testdir/test_visual.vim +--- vim80/src/testdir/test_visual.vim.cve0261 2022-01-26 14:30:27.476308325 +0100 ++++ vim80/src/testdir/test_visual.vim 2022-01-26 14:36:03.482225225 +0100 +@@ -254,3 +254,12 @@ func Test_virtual_replace2() + %d_ + set bs&vim + endfunc ++ ++func Test_visual_block_append_invalid_char() ++ " this was going over the end of the line ++ new ++ call setline(1, [' let xxx', 'xxxxxˆ', 'xxxxxxxxxxx']) ++ exe "normal 0\jjA-\" ++ call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3)) ++ bwipe! ++endfunc diff --git a/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch b/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch new file mode 100644 index 0000000..8e92918 --- /dev/null +++ b/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch @@ -0,0 +1,46 @@ +diff --git a/src/ops.c b/src/ops.c +index e9cfb1d..e35b033 100644 +--- a/src/ops.c ++++ b/src/ops.c +@@ -629,26 +629,9 @@ block_insert( + + #ifdef FEAT_MBYTE + if (has_mbyte && spaces > 0) +- { +- int off; ++ // avoid copying part of a multi-byte character ++ offset -= (*mb_head_off)(oldp, oldp + offset); + +- /* Avoid starting halfway a multi-byte character. */ +- if (b_insert) +- { +- off = (*mb_head_off)(oldp, oldp + offset + spaces); +- spaces -= off; +- count -= off; +- } +- else +- { +- // spaces fill the gap, the character that's at the edge moves +- // right +- off = (*mb_head_off)(oldp, oldp + offset); +- offset -= off; +- } +- spaces -= off; +- count -= off; +- } + #endif + + // Make sure the allocated size matches what is actually copied below. +diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim +index 24e3db8..1042720 100644 +--- a/src/testdir/test_utf8.vim ++++ b/src/testdir/test_utf8.vim +@@ -9,7 +9,7 @@ func Test_visual_block_insert() + new + call setline(1, ["aaa", "あああ", "bbb"]) + exe ":norm! gg0l\jjIx\" +- call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$')) ++ call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$')) + bwipeout! + endfunc + diff --git a/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch b/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch new file mode 100644 index 0000000..98e738c --- /dev/null +++ b/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch @@ -0,0 +1,12 @@ +diff -up vim80/src/ex_getln.c.cve0359 vim80/src/ex_getln.c +--- vim80/src/ex_getln.c.cve0359 2022-01-27 16:55:41.386213891 +0100 ++++ vim80/src/ex_getln.c 2022-01-27 17:00:20.330960544 +0100 +@@ -300,7 +300,7 @@ getcmdline( + ccline.cmdindent = (firstc > 0 ? indent : 0); + + /* alloc initial ccline.cmdbuff */ +- alloc_cmdbuff(exmode_active ? 250 : indent + 1); ++ alloc_cmdbuff(indent + 50); + if (ccline.cmdbuff == NULL) + return NULL; /* out of memory */ + ccline.cmdlen = ccline.cmdpos = 0; diff --git a/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch b/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch new file mode 100644 index 0000000..604a8ff --- /dev/null +++ b/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch @@ -0,0 +1,33 @@ +diff -up vim80/src/ex_cmds.c.cve0361 vim80/src/ex_cmds.c +--- vim80/src/ex_cmds.c.cve0361 2022-02-08 12:20:51.277666290 +0100 ++++ vim80/src/ex_cmds.c 2022-02-08 12:20:51.280666209 +0100 +@@ -983,6 +983,8 @@ ex_copy(linenr_T line1, linenr_T line2, + } + + appended_lines_mark(n, count); ++ if (VIsual_active) ++ check_pos(curbuf, &VIsual); + + msgmore((long)count); + } +diff -up vim80/src/testdir/test_visual.vim.cve0361 vim80/src/testdir/test_visual.vim +--- vim80/src/testdir/test_visual.vim.cve0361 2022-02-08 12:20:51.280666209 +0100 ++++ vim80/src/testdir/test_visual.vim 2022-02-08 12:21:44.530356814 +0100 +@@ -263,3 +263,17 @@ func Test_visual_block_append_invalid_ch + call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3)) + bwipe! + endfunc ++ ++" this was leaving the end of the Visual area beyond the end of a line ++func Test_visual_ex_copy_line() ++ new ++ call setline(1, ["aaa", "bbbbbbbbbxbb"]) ++ /x ++ exe "normal ggvjfxO" ++ t0 ++ normal gNU ++ bwipe! ++endfunc ++ ++ ++" vim: shiftwidth=2 sts=2 expandtab diff --git a/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch b/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch new file mode 100644 index 0000000..8cb7a44 --- /dev/null +++ b/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch @@ -0,0 +1,85 @@ +commit ec45bc7682fd698d8d39f43732129c4d092355f3 +Author: Tomas Korbar +Date: Wed Feb 2 16:30:11 2022 +0100 + + Fix illegal memory access with bracketed paste in Ex mode + +diff --git a/src/edit.c b/src/edit.c +index f29fbc7..57b8dce 100644 +--- a/src/edit.c ++++ b/src/edit.c +@@ -9519,27 +9519,33 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + int ret_char = -1; + int save_allow_keys = allow_keys; + int save_paste = p_paste; +- int save_ai = curbuf->b_p_ai; + +- /* If the end code is too long we can't detect it, read everything. */ +- if (STRLEN(end) >= NUMBUFLEN) ++ // If the end code is too long we can't detect it, read everything. ++ if (end != NULL && STRLEN(end) >= NUMBUFLEN) + end = NULL; + ++no_mapping; + allow_keys = 0; +- p_paste = TRUE; +- curbuf->b_p_ai = FALSE; ++ if (!p_paste) ++ // Also have the side effects of setting 'paste' to make it work much ++ // faster. ++ set_option_value((char_u *)"paste", TRUE, NULL, 0); + + for (;;) + { + /* When the end is not defined read everything. */ + if (end == NULL && vpeekc() == NUL) + break; +- c = plain_vgetc(); +-#ifdef FEAT_MBYTE ++ do ++ c = vgetc(); ++ while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR); ++ if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C)) ++ // When CTRL-C was encountered the typeahead will be flushed and we ++ // won't get the end sequence. Except when using ":normal". ++ break; ++ + if (has_mbyte) + idx += (*mb_char2bytes)(c, buf + idx); + else +-#endif + buf[idx++] = c; + buf[idx] = NUL; + if (end != NULL && STRNCMP(buf, end, idx) == 0) +@@ -9557,7 +9563,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + break; + + case PASTE_EX: +- if (gap != NULL && ga_grow(gap, idx) == OK) ++ // add one for the NUL that is going to be appended ++ if (gap != NULL && ga_grow(gap, idx + 1) == OK) + { + mch_memmove((char *)gap->ga_data + gap->ga_len, + buf, (size_t)idx); +@@ -9582,11 +9589,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + case PASTE_ONE_CHAR: + if (ret_char == -1) + { +-#ifdef FEAT_MBYTE + if (has_mbyte) + ret_char = (*mb_ptr2char)(buf); + else +-#endif + ret_char = buf[0]; + } + break; +@@ -9597,8 +9602,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + + --no_mapping; + allow_keys = save_allow_keys; +- p_paste = save_paste; +- curbuf->b_p_ai = save_ai; ++ if (!save_paste) ++ set_option_value((char_u *)"paste", FALSE, NULL, 0); + + return ret_char; + } diff --git a/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch b/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch new file mode 100644 index 0000000..b37d821 --- /dev/null +++ b/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch @@ -0,0 +1,51 @@ +commit c604f3ad4782fde770617ff688e1ceac0dc1bd7c +Author: Tomas Korbar +Date: Thu Feb 3 10:14:42 2022 +0100 + + Fix using freed memory when substitute with function call + +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index e69fbd3..0788573 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -4767,6 +4767,7 @@ do_sub(exarg_T *eap) + int save_do_all; /* remember user specified 'g' flag */ + int save_do_ask; /* remember user specified 'c' flag */ + char_u *pat = NULL, *sub = NULL; /* init for GCC */ ++ char_u *sub_copy = NULL; + int delimiter; + int sublen; + int got_quit = FALSE; +@@ -5062,11 +5063,20 @@ do_sub(exarg_T *eap) + sub_firstline = NULL; + + /* +- * ~ in the substitute pattern is replaced with the old pattern. +- * We do it here once to avoid it to be replaced over and over again. +- * But don't do it when it starts with "\=", then it's an expression. ++ * If the substitute pattern starts with "\=" then it's an expression. ++ * Make a copy, a recursive function may free it. ++ * Otherwise, '~' in the substitute pattern is replaced with the old ++ * pattern. We do it here once to avoid it to be replaced over and over ++ * again. + */ +- if (!(sub[0] == '\\' && sub[1] == '=')) ++ if (sub[0] == '\\' && sub[1] == '=') ++ { ++ sub = vim_strsave(sub); ++ if (sub == NULL) ++ return; ++ sub_copy = sub; ++ } ++ else + sub = regtilde(sub, p_magic); + + /* +@@ -5825,6 +5835,7 @@ outofmem: + #endif + + vim_regfree(regmatch.regprog); ++ vim_free(sub_copy); + + /* Restore the flag values, they can be used for ":&&". */ + subflags.do_all = save_do_all; diff --git a/0001-vim-anolis-build-with-ruby26.patch b/0001-vim-anolis-build-with-ruby26.patch deleted file mode 100644 index 4611343..0000000 --- a/0001-vim-anolis-build-with-ruby26.patch +++ /dev/null @@ -1,60 +0,0 @@ -From b09c684195d803137d52c34fb4d3a410be5ac10f Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Thu, 27 Dec 2018 22:11:01 +0100 -Subject: [PATCH] patch 8.1.0646: cannot build with Ruby 2.6.0 - -Problem: Cannot build with Ruby 2.6.0. -Solution: Add rb_ary_detransient(). (Ozaki Kiichi, closes #3724) ---- - src/if_ruby.c | 15 +++++++++++---- - src/version.c | 2 ++ - 2 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/src/if_ruby.c b/src/if_ruby.c -index cb9b416036f..34fc0ed1cb3 100644 ---- a/src/if_ruby.c -+++ b/src/if_ruby.c -@@ -123,6 +123,10 @@ - # define rb_gc_writebarrier_unprotect rb_gc_writebarrier_unprotect_stub - #endif - -+#if defined(DYNAMIC_RUBY_VER) && DYNAMIC_RUBY_VER >= 26 -+# define rb_ary_detransient (*dll_rb_ary_detransient) -+#endif -+ - #include - #ifdef RUBY19_OR_LATER - # include -@@ -455,6 +459,9 @@ static VALUE (*dll_rb_float_new) (double); - static VALUE (*dll_rb_float_new) (double); - static VALUE (*dll_rb_ary_new) (void); - static VALUE (*dll_rb_ary_push) (VALUE, VALUE); -+# if DYNAMIC_RUBY_VER >= 26 -+static void (*dll_rb_ary_detransient) (VALUE); -+# endif - # if defined(RUBY19_OR_LATER) || defined(RUBY_INIT_STACK) - # ifdef __ia64 - static void * (*dll_rb_ia64_bsp) (void); -@@ -666,6 +673,9 @@ static struct - {"rb_ary_new", (RUBY_PROC*)&dll_rb_ary_new}, - {"rb_ary_push", (RUBY_PROC*)&dll_rb_ary_push}, - # endif -+# if DYNAMIC_RUBY_VER >= 26 -+ {"rb_ary_detransient", (RUBY_PROC*)&dll_rb_ary_detransient}, -+# endif - # ifdef RUBY19_OR_LATER - {"rb_int2big", (RUBY_PROC*)&dll_rb_int2big}, - {"ruby_script", (RUBY_PROC*)&dll_ruby_script}, -@@ -966,11 +976,8 @@ static int ensure_ruby_initialized(void) - - static void error_print(int state) - { --#ifndef DYNAMIC_RUBY --#if !(defined(RUBY_VERSION) && RUBY_VERSION >= 19) \ -- && !(defined(DYNAMIC_RUBY_VER) && DYNAMIC_RUBY_VER >= 19) -+#if !defined(DYNAMIC_RUBY) && !defined(RUBY19_OR_LATER) - RUBYEXTERN VALUE ruby_errinfo; --#endif - #endif - VALUE eclass; - VALUE einfo; diff --git a/vim.spec b/vim.spec index 94117fa..8bd7a1d 100644 --- a/vim.spec +++ b/vim.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %define patchlevel 1763 %if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1} %define WITH_SELINUX 1 @@ -25,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 16%{anolis_release}%{?dist}.4 +Release: 16%{?dist}.12 License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -89,11 +88,18 @@ Patch3026: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch Patch3027: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch # CVE-2021-4192 vim: vulnerable to Use After Free Patch3028: 0001-patch-8.2.3949-using-freed-memory-with-V.patch - -# Add by Anolis -# backport patch to fix build error with ruby -Patch10000: 0001-vim-anolis-build-with-ruby26.patch -# End +# CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c +Patch3029: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch +# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c +Patch3030: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch +# CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c +Patch3031: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch +# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c +Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch +# CVE-2022-0413 vim: use after free in src/ex_cmds.c +Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch +# CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository +Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -299,8 +305,12 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3026 -p1 -b .cve4019 %patch3027 -p1 -b .cve4193 %patch3028 -p1 -b .cve4192 - -%patch10000 -p1 +%patch3029 -p1 -b .cve0261 +%patch3030 -p1 -b .cve0318 +%patch3031 -p1 -b .cve0359 +%patch3032 -p1 -b .cve0392 +%patch3033 -p1 -b .cve0413 +%patch3034 -p1 -b .cve0361 %build %if 0%{?rhel} > 7 @@ -331,8 +341,8 @@ perl -pi -e "s/vimrc/virc/" os_unix.h --disable-pythoninterp --disable-perlinterp --disable-tclinterp \ --with-tlib=ncurses --enable-gui=no --disable-gpm --exec-prefix=/ \ --enable-fips-warning \ - --with-compiledby="OpenAnolis Community" \ - --with-modified-by="OpenAnolis Community" + --with-compiledby="" \ + --with-modified-by="" make VIMRCLOC=/etc VIMRUNTIMEDIR=/usr/share/vim/%{vimdir} %{?_smp_mflags} cp vim minimal-vim @@ -350,8 +360,8 @@ mv -f ex_cmds.c.save ex_cmds.c --with-tlib=ncurses \ --enable-gtk3-check --enable-gui=gtk3 \ --enable-fips-warning \ - --with-compiledby="OpenAnolis Community" --enable-cscope \ - --with-modified-by="OpenAnolis Community" \ + --with-compiledby="" --enable-cscope \ + --with-modified-by="" \ %if "%{withnetbeans}" == "1" --enable-netbeans \ %else @@ -385,10 +395,10 @@ make clean --disable-tclinterp \ --with-x=no \ --enable-gui=no --exec-prefix=%{_prefix} --enable-multibyte \ - --enable-cscope --with-modified-by="OpenAnolis Community" \ + --enable-cscope --with-modified-by="" \ --with-tlib=ncurses \ --enable-fips-warning \ - --with-compiledby="OpenAnolis Community" \ + --with-compiledby="" \ %if "%{withnetbeans}" == "1" --enable-netbeans \ %else @@ -819,9 +829,36 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog -* Thu Feb 17 2022 Mahailiang - 2:8.0.1763-16.0.1.4 -- Rebrand to Anolis(Xiaoxuan Yang) -- Fix build issue with ruby(Liwei Ge) +* Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-16.12 +- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository + +* Fri Feb 04 2022 Tomas Korbar - 2:8.0.1763-16.11 +- CVE-2022-0413 vim: use after free in src/ex_cmds.c +- Fix specfile problems +- Resolves: rhbz#2048525 + +* Thu Feb 03 2022 Tomas Korbar - 2:8.0.1763-16.10 +- CVE-2022-0413 vim: use after free in src/ex_cmds.c +- Resolves: rhbz#2048525 + +* Wed Feb 02 2022 Tomas Korbar - 2:8.0.1763-16.9 +- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c +- Improve fix +- Resolves: rhbz#2049403 + +* Wed Feb 02 2022 Tomas Korbar - 2:8.0.1763-16.8 +- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c +- Resolves: rhbz#2049403 + +* Thu Jan 27 2022 Zdenek Dohnal - 2:8.0.1763-16.7 +- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c + +* Thu Jan 27 2022 Zdenek Dohnal - 2:8.0.1763-16.6 +- fix test suite after fix for CVE-2022-0318 + +* Wed Jan 26 2022 Zdenek Dohnal - 2:8.0.1763-16.5 +- CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c +- CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c * Wed Jan 12 2022 Zdenek Dohnal - 2:8.0.1763-16.4 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read -- Gitee From c0cc2847844d0bc0d7ef69686015f5842c269e98 Mon Sep 17 00:00:00 2001 From: yangxiaoxuan Date: Thu, 28 Jan 2021 08:55:59 +0800 Subject: [PATCH 2/3] spec: rebrand to anolis modify bugurl Signed-off-by: yangxiaoxuan Change-Id: I5b26e101bdec7a3f037b710bab1d4dc31b0a29b2 --- vim.spec | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/vim.spec b/vim.spec index 8bd7a1d..c88d879 100644 --- a/vim.spec +++ b/vim.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %define patchlevel 1763 %if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1} %define WITH_SELINUX 1 @@ -24,7 +25,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 16%{?dist}.12 +Release: 16%{anolis_release}%{?dist}.12 License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -341,8 +342,8 @@ perl -pi -e "s/vimrc/virc/" os_unix.h --disable-pythoninterp --disable-perlinterp --disable-tclinterp \ --with-tlib=ncurses --enable-gui=no --disable-gpm --exec-prefix=/ \ --enable-fips-warning \ - --with-compiledby="" \ - --with-modified-by="" + --with-compiledby="OpenAnolis Community" \ + --with-modified-by="OpenAnolis Community" make VIMRCLOC=/etc VIMRUNTIMEDIR=/usr/share/vim/%{vimdir} %{?_smp_mflags} cp vim minimal-vim @@ -360,8 +361,8 @@ mv -f ex_cmds.c.save ex_cmds.c --with-tlib=ncurses \ --enable-gtk3-check --enable-gui=gtk3 \ --enable-fips-warning \ - --with-compiledby="" --enable-cscope \ - --with-modified-by="" \ + --with-compiledby="OpenAnolis Community" --enable-cscope \ + --with-modified-by="OpenAnolis Community" \ %if "%{withnetbeans}" == "1" --enable-netbeans \ %else @@ -395,10 +396,10 @@ make clean --disable-tclinterp \ --with-x=no \ --enable-gui=no --exec-prefix=%{_prefix} --enable-multibyte \ - --enable-cscope --with-modified-by="" \ + --enable-cscope --with-modified-by="OpenAnolis Community" \ --with-tlib=ncurses \ --enable-fips-warning \ - --with-compiledby="" \ + --with-compiledby="OpenAnolis Community" \ %if "%{withnetbeans}" == "1" --enable-netbeans \ %else @@ -829,6 +830,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Mon Mar 21 2022 Mahailiang - 2:8.0.1763-16.0.1.12 +- Rebrand to Anolis + * Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-16.12 - CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository -- Gitee From 79497e3e0e3682bb1a8d37b6ded68e8b530eff64 Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Tue, 2 Feb 2021 20:59:11 +0800 Subject: [PATCH 3/3] build: fix build issue with ruby Signed-off-by: Liwei Ge Change-Id: I549044bc52aa557941a2d87f6fe8b8ce6a7b7539 --- 0001-vim-anolis-build-with-ruby26.patch | 60 +++++++++++++++++++++++++ vim.spec | 10 ++++- 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 0001-vim-anolis-build-with-ruby26.patch diff --git a/0001-vim-anolis-build-with-ruby26.patch b/0001-vim-anolis-build-with-ruby26.patch new file mode 100644 index 0000000..4611343 --- /dev/null +++ b/0001-vim-anolis-build-with-ruby26.patch @@ -0,0 +1,60 @@ +From b09c684195d803137d52c34fb4d3a410be5ac10f Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 27 Dec 2018 22:11:01 +0100 +Subject: [PATCH] patch 8.1.0646: cannot build with Ruby 2.6.0 + +Problem: Cannot build with Ruby 2.6.0. +Solution: Add rb_ary_detransient(). (Ozaki Kiichi, closes #3724) +--- + src/if_ruby.c | 15 +++++++++++---- + src/version.c | 2 ++ + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/src/if_ruby.c b/src/if_ruby.c +index cb9b416036f..34fc0ed1cb3 100644 +--- a/src/if_ruby.c ++++ b/src/if_ruby.c +@@ -123,6 +123,10 @@ + # define rb_gc_writebarrier_unprotect rb_gc_writebarrier_unprotect_stub + #endif + ++#if defined(DYNAMIC_RUBY_VER) && DYNAMIC_RUBY_VER >= 26 ++# define rb_ary_detransient (*dll_rb_ary_detransient) ++#endif ++ + #include + #ifdef RUBY19_OR_LATER + # include +@@ -455,6 +459,9 @@ static VALUE (*dll_rb_float_new) (double); + static VALUE (*dll_rb_float_new) (double); + static VALUE (*dll_rb_ary_new) (void); + static VALUE (*dll_rb_ary_push) (VALUE, VALUE); ++# if DYNAMIC_RUBY_VER >= 26 ++static void (*dll_rb_ary_detransient) (VALUE); ++# endif + # if defined(RUBY19_OR_LATER) || defined(RUBY_INIT_STACK) + # ifdef __ia64 + static void * (*dll_rb_ia64_bsp) (void); +@@ -666,6 +673,9 @@ static struct + {"rb_ary_new", (RUBY_PROC*)&dll_rb_ary_new}, + {"rb_ary_push", (RUBY_PROC*)&dll_rb_ary_push}, + # endif ++# if DYNAMIC_RUBY_VER >= 26 ++ {"rb_ary_detransient", (RUBY_PROC*)&dll_rb_ary_detransient}, ++# endif + # ifdef RUBY19_OR_LATER + {"rb_int2big", (RUBY_PROC*)&dll_rb_int2big}, + {"ruby_script", (RUBY_PROC*)&dll_ruby_script}, +@@ -966,11 +976,8 @@ static int ensure_ruby_initialized(void) + + static void error_print(int state) + { +-#ifndef DYNAMIC_RUBY +-#if !(defined(RUBY_VERSION) && RUBY_VERSION >= 19) \ +- && !(defined(DYNAMIC_RUBY_VER) && DYNAMIC_RUBY_VER >= 19) ++#if !defined(DYNAMIC_RUBY) && !defined(RUBY19_OR_LATER) + RUBYEXTERN VALUE ruby_errinfo; +-#endif + #endif + VALUE eclass; + VALUE einfo; diff --git a/vim.spec b/vim.spec index c88d879..95ee3f9 100644 --- a/vim.spec +++ b/vim.spec @@ -102,6 +102,11 @@ Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch # CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch +# Add by Anolis +# backport patch to fix build error with ruby +Patch10000: 0001-vim-anolis-build-with-ruby26.patch +# End + # gcc is no longer in buildroot by default BuildRequires: gcc @@ -313,6 +318,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3033 -p1 -b .cve0413 %patch3034 -p1 -b .cve0361 +%patch10000 -p1 + %build %if 0%{?rhel} > 7 export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 @@ -831,7 +838,8 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %changelog * Mon Mar 21 2022 Mahailiang - 2:8.0.1763-16.0.1.12 -- Rebrand to Anolis +- Rebrand to Anolis(Xiaoxuan Yang) +- Fix build issue with ruby(Liwei Ge) * Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-16.12 - CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository -- Gitee