Diffstat (limited to '')
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/CVE-2023-4752-heap-use-after-free-in-ins_compl_get_exp.patch45
-rw-r--r--debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch62
-rw-r--r--debian/patches/series2
4 files changed, 117 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index f9b22b7..8612528 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+vim (2:8.1.0875-5+deb10u6) buster-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2023-4752: heap use after free in ins_compl_get_exp()
+ * CVE-2023-4781: heap-buffer-overflow in vim_regsub_both()
+
+ -- Bastien Roucariès <rouca@debian.org> Wed, 27 Sep 2023 19:47:00 +0000
+
vim (2:8.1.0875-5+deb10u5) buster-security; urgency=high
* Non-maintainer upload by the LTS team.
diff --git a/debian/patches/CVE-2023-4752-heap-use-after-free-in-ins_compl_get_exp.patch b/debian/patches/CVE-2023-4752-heap-use-after-free-in-ins_compl_get_exp.patch
new file mode 100644
index 0000000..cbe7a0b
--- /dev/null
+++ b/debian/patches/CVE-2023-4752-heap-use-after-free-in-ins_compl_get_exp.patch
@@ -0,0 +1,45 @@
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 27 Sep 2023 22:42:36 +0000
+Subject: CVE-2023-4752: heap use after free in ins_compl_get_exp()
+
+Problem: heap use after free in ins_compl_get_exp()
+Solution: validate buffer before accessing it
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-4752
+origin: https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139
+bug: https://huntr.dev/bounties/85f62dd7-ed84-4fa2-b265-8a369a318757/
+
+[backport]
+ins_compl_get_exp is under sr/edit.c
+---
+ src/edit.c | 2 +-
+ src/version.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/edit.c b/src/edit.c
+index f2521e1..428b69c 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -4752,7 +4752,7 @@ ins_compl_get_exp(pos_T *ini)
+ else
+ {
+ /* Mark a buffer scanned when it has been scanned completely */
+- if (type == 0 || type == CTRL_X_PATH_PATTERNS)
++ if (buf_valid(ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
+ ins_buf->b_scanned = TRUE;
+
+ compl_started = FALSE;
+diff --git a/src/version.c b/src/version.c
+index a03d79b..d863dd1 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1858,
+ /**/
+ 5126,
+ /**/
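Review bot: The `buf_valid(ins_buf)` guard added in ins_compl_get_exp() has no comment explaining it, and the existing comment above the `if` still only describes the scanned flag. A line such as `/* ins_buf may already have been freed; only touch it if it is still a valid buffer */` would tell later backporters why the check must stay. The backport note in the patch header reads `sr/edit.c`, while the diff touches `src/edit.c`. The patch's diffstat lists only src/edit.c and src/version.c, so no regression test travels with the fix; if the upstream commit shipped a reproducer, carrying it would let the LTS build confirm the backport. The function body continues outside the hunk, so whether earlier uses of ins_buf need the same check cannot be judged from here.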
diff --git a/debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch b/debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch
new file mode 100644
index 0000000..862f43a
--- /dev/null
+++ b/debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch
@@ -0,0 +1,62 @@
+From: Christian Brabandt <cb@256bit.org>
+Date: Thu, 28 Sep 2023 13:47:03 +0000
+Subject: CVE-2023-4781: heap-buffer-overflow in vim_regsub_both
+
+Problem: heap-buffer-overflow in vim_regsub_both
+Solution: Disallow exchanging windows when textlock is active
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+origin: https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93.patch
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-4781
+bug: https://huntr.dev/bounties/c867eb0a-aa8b-4946-a621-510350673883/
+---
+---
+ src/ex_cmds.c | 3 +++
+ src/version.c | 2 ++
+ src/window.c | 5 +++++
+ 3 files changed, 10 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index e4dffdb..766cfbe 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -5604,6 +5604,9 @@ do_sub(exarg_T *eap)
+ {
+ nmatch = curbuf->b_ml.ml_line_count - sub_firstlnum + 1;
+ skip_match = TRUE;
++ // safety check
++ if (nmatch < 0)
++ goto skip;
+ }
+
+ /* Need room for:
+diff --git a/src/version.c b/src/version.c
+index d863dd1..86c3195 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1873,
+ /**/
+ 1858,
+ /**/
+diff --git a/src/window.c b/src/window.c
+index 82ece3e..71908f6 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -1604,6 +1604,11 @@ win_rotate(int upwards, int count)
+ beep_flush();
+ return;
+ }
++ if (text_or_buf_locked())
++ {
++ beep_flush();
++ return;
++ }
+
+ #ifdef FEAT_GUI
+ need_mouse_correct = TRUE;
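Review bot: The window.c hunk header places the new `text_or_buf_locked()` guard in `win_rotate()`, while the patch description says the fix is to disallow exchanging windows when textlock is active. The context around it (`beep_flush(); return; }` followed by `#ifdef FEAT_GUI`) is generic enough that a fuzzy apply could land in a neighbouring function, so compare it with the upstream commit and, if the guard belongs in win_exchange(), move or repeat it there. In do_sub() the `// safety check` comment does not say what is guarded; `/* buffer may have shrunk below sub_firstlnum: never continue with a negative nmatch */` states the condition and matches the `/* */` style of the surrounding context. The patch header also carries two consecutive `---` separator lines, one of which can go. Both function bodies continue outside their hunks, so the cleanup done at the `skip` label is not visible here.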
diff --git a/debian/patches/series b/debian/patches/series
index 56ef38a..7bb1dfd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -80,3 +80,5 @@ CVE-2022-4141.patch
CVE-2023-0054.patch
CVE-2023-1175.patch
CVE-2023-2610.patch
+CVE-2023-4752-heap-use-after-free-in-ins_compl_get_exp.patch
+CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch