Diffstat (limited to 'debian')
-rw-r--r-- | debian/.gitlab-ci.yml | 23 | ||||
-rw-r--r-- | debian/changelog | 14 | ||||
-rw-r--r-- | debian/patches/CVE-2022-0318.patch | 104 | ||||
-rw-r--r-- | debian/patches/CVE-2022-0392.patch | 130 | ||||
-rw-r--r-- | debian/patches/CVE-2022-0629.patch | 59 | ||||
-rw-r--r-- | debian/patches/CVE-2022-0696.patch | 69 | ||||
-rw-r--r-- | debian/patches/CVE-2022-1619.patch | 74 | ||||
-rw-r--r-- | debian/patches/CVE-2022-1621.patch | 114 | ||||
-rw-r--r-- | debian/patches/CVE-2022-1785.patch | 89 | ||||
-rw-r--r-- | debian/patches/CVE-2022-1897.patch | 149 | ||||
-rw-r--r-- | debian/patches/CVE-2022-1942.patch | 122 | ||||
-rw-r--r-- | debian/patches/CVE-2022-2000.patch | 65 | ||||
-rw-r--r-- | debian/patches/CVE-2022-2129.patch | 65 | ||||
-rw-r--r-- | debian/patches/CVE-2022-3235.patch | 116 | ||||
-rw-r--r-- | debian/patches/CVE-2022-3256.patch | 73 | ||||
-rw-r--r-- | debian/patches/CVE-2022-3352.patch | 69 | ||||
-rw-r--r-- | debian/patches/series | 14 |
17 files changed, 1329 insertions, 20 deletions
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
index 80c5e28..6c94c65 100644
--- a/debian/.gitlab-ci.yml
+++ b/debian/.gitlab-ci.yml
@@ -1,19 +1,4 @@
-.build_template: &build
- only:
- - branches
- before_script:
- - adduser --home /home/ci ci --quiet --disabled-login --gecos "" --uid 1000
- - apt-get -q update
- - env DEBIAN_FRONTEND=noninteractive apt-get -q -y -o Debug::pkgProblemResolver=yes build-dep .
- - env DEBIAN_FRONTEND=noninteractive apt-get -q -y -o Debug::pkgProblemResolver=yes install --no-install-recommends gitpkg fakeroot sudo
- - rm -rf ../deb-packages/vim
- - install -d -o ci ../deb-packages ../deb-packages/vim
- - export UPSTREAM_VERSION=$(dpkg-parsechangelog -SVersion | sed -e 's/^[0-9]*://' -e 's/\(.*\)-[^-]*/\1/')
- - sudo -u ci gitpkg --keep-unpacked-source "$CI_COMMIT_SHA" v"$UPSTREAM_VERSION"
- script:
- - cd ../deb-packages/vim/vim-"$UPSTREAM_VERSION"
- - sudo -u ci dpkg-buildpackage -us -uc
-
-test:buster:
- <<: *build
- image: debian:buster
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+variables:
+ RELEASE: 'buster'
diff --git a/debian/changelog b/debian/changelog
index 7471584..952d323 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+vim (2:8.1.0875-5+deb10u4) buster-security; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Add missing CVE to previous changelog entry.
+ * Fix CVE-2022-0318, CVE-2022-0392, CVE-2022-0629,
+ CVE-2022-0696, CVE-2022-1619, CVE-2022-1621, CVE-2022-1785,
+ CVE-2022-1897, CVE-2022-1942, CVE-2022-2000, CVE-2022-2129,
+ CVE-2022-3235, CVE-2022-3256, CVE-2022-3352
+
+ -- Helmut Grohne <helmut@subdivi.de> Wed, 23 Nov 2022 15:54:38 +0100
+
 vim (2:8.1.0875-5+deb10u3) buster-security; urgency=high
 * Non-maintainer upload by the LTS team.
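Review bot: The new `include:` pulls the whole pipeline definition from `raw/master` of another project, so every CI run executes whatever that branch contains at that moment, with nothing pinned or reviewable on this side; prefer a tagged ref or commit, e.g. `- https://salsa.debian.org/salsa-ci-team/pipeline/raw/<tag-or-sha>/recipes/debian.yml`, or the `project:`/`ref:` form of `include`. The removed template also took care to build as an unprivileged `ci` user created in `before_script`; the privilege model of the included recipe is not visible here, so it is worth confirming the package build still runs unprivileged.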
@@ -10,7 +21,8 @@ vim (2:8.1.0875-5+deb10u3) buster-security; urgency=high
 CVE-2022-0943, CVE-2022-1154, CVE-2022-1616, CVE-2022-1720, CVE-2022-1851, CVE-2022-1898, CVE_2022-1968, CVE-2022-2285, CVE-2022-2304, CVE-2022-2598, CVE-2022-2946, CVE-2022-3099,
- CVE-2022-3134, CVE-2022-3234, CVE-2022-3324, CVE-2022-3705
+ CVE-2022-3134, CVE-2022-3234, CVE-2022-3324, CVE-2022-3705,
+ CVE-2021-3872
 Multiple security vulnerabilities have been discovered in vim, an enhanced vi editor. Buffer overflows, out-of-bounds reads and use-after-free may lead to a denial-of-service (application crash) or other unspecified
diff --git a/debian/patches/CVE-2022-0318.patch b/debian/patches/CVE-2022-0318.patch
new file mode 100644
index 0000000..b2005a7
--- /dev/null
+++ b/debian/patches/CVE-2022-0318.patch
@@ -0,0 +1,104 @@ +From 57df9e8a9f9ae1aafdde9b86b10ad907627a87dc Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Thu, 20 Jan 2022 12:10:48 +0000 +Subject: [PATCH] patch 8.2.4151: reading beyond the end of a line + +Problem: Reading beyond the end of a line. +Solution: For block insert only use the offset for correcting the length. +--- + src/ops.c | 19 ++----------------- + src/testdir/test_visual.vim | 9 +++++++++ + src/version.c | 2 ++ + 3 files changed, 13 insertions(+), 17 deletions(-) + +Backport: + * In Debian, this patch got swapped with CVE-2022-0261 aka + 9f8c304c8a390ade133bac29963dc8e56ab14cbc. + * We also backport the spaces check from + 4067bd3604215b48e4b4201e28f9e401b08418e4, see #1023818. + * We also backport the expected test output from + fc6ccebea668c49e9e617e0657421b6a8ed9df1e. + * Replace expr-.. by expr-. + +diff --git a/src/ops.c b/src/ops.c +index a9968024901e..e0fa344d8ee6 100644 +--- a/src/ops.c ++++ b/src/ops.c +@@ -629,24 +629,12 @@ block_insert( + } + + if (has_mbyte && spaces > 0) +- { +- int off; ++ /* avoid copying part of a multi-byte character */ ++ offset -= (*mb_head_off)(oldp, oldp + offset); + +- /* Avoid starting halfway a multi-byte character. */ +- if (b_insert) +- { +- off = (*mb_head_off)(oldp, oldp + offset + spaces); +- spaces -= off; +- count -= off; +- } +- else +- { +- // spaces fill the gap, the character that's at the edge moves +- // right +- off = (*mb_head_off)(oldp, oldp + offset); +- offset -= off; +- } +- } ++ if (spaces < 0) // can happen when the cursor was moved ++ spaces = 0; ++ + // Make sure the allocated size matches what is actually copied below. + newp = alloc_check((unsigned)(STRLEN(oldp)) + spaces + s_len + + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0) +diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim +index b438fa1e66c6..a187aa8e085e 100644 +--- a/src/testdir/test_visual.vim ++++ b/src/testdir/test_visual.vim +@@ -417,6 +417,15 @@ + bwipe! 
+ endfunc + ++func Test_visual_block_insert_round_off() ++ new ++ " The number of characters are tuned to fill a 4096 byte allocated block, ++ " so that valgrind reports going over the end. ++ call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)]) ++ exe "normal gg0\<C-V>GI" . repeat('0', 1320) . "\<Esc>" ++ bwipe! ++endfunc ++ + " CVE-2022-0361 + func Test_visual_ex_copy_line() + new +diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim +index 0210ce63c..862e73b9a 100644 +--- a/src/testdir/test_utf8.vim ++++ b/src/testdir/test_utf8.vim +@@ -6,7 +6,7 @@ func Test_visual_block_insert() + new + call setline(1, ["aaa", "あああ", "bbb"]) + exe ":norm! gg0l\<C-V>jjIx\<Esc>" +- call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$')) ++ call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$')) + bwipeout! + endfunc + +diff --git a/src/version.c b/src/version.c +index 53f1619f94d4..227eaa958e2b 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -797,6 +797,10 @@ static char *(features[]) = + 5024, + /**/ + 4214, ++/**/ ++ 4152, ++/**/ ++ 4151, + /**/ + 4120, + /**/ diff --git a/debian/patches/CVE-2022-0392.patch b/debian/patches/CVE-2022-0392.patch new file mode 100644 index 0000000..e410044 --- /dev/null +++ b/debian/patches/CVE-2022-0392.patch 
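Review bot: The patch header's file summary (`src/ops.c`, `src/testdir/test_visual.vim`, `src/version.c`, "3 files changed") no longer matches the body, which also edits `src/testdir/test_utf8.vim` and records two version numbers (4152 and 4151); someone checking this backport against upstream 8.2.4151 will wonder whether the extra hunk and the extra number are intentional. Add `src/testdir/test_utf8.vim | 2 +-` to the summary, update the count, and say in the Backport note which of the listed commits 4152 stands for (presumably the 4067bd36 spaces check) and that the changed expected output in `Test_visual_block_insert` is the deliberate behavior change. `block_insert` starts and ends outside the ops.c hunk, so the allocation that the corrected `spaces` and `offset` feed into is only partly visible here.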
@@ -0,0 +1,130 @@ +From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Tue, 25 Jan 2022 20:45:16 +0000 +Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in + Ex mode + +Problem: Illegal memory access with bracketed paste in Ex mode. +Solution: Reserve space for the trailing NUL. +--- + src/edit.c | 3 ++- + src/testdir/test_paste.vim | 3 +++ + src/version.c | 2 ++ + 3 files changed, 7 insertions(+), 1 deletion(-) + +From fe4bbac1166f2e4e3fa18cb966ec7305198c8176 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Mon, 20 Jan 2020 21:12:20 +0100 +Subject: [PATCH] patch 8.2.0135: bracketed paste can still cause invalid + memory access + +Problem: Bracketed paste can still cause invalid memory access. (Dominique + Pelle) +Solution: Check for NULL pointer. +--- + src/edit.c | 2 +- + src/testdir/test_search.vim | 3 ++- + src/version.c | 2 ++ + 3 files changed, 5 insertions(+), 2 deletions(-) + +Backport: drop included_patches 135 due to version bump + +From 98a336dd497d3422e7efeef9f24cc9e25aeb8a49 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Mon, 20 Jan 2020 20:22:30 +0100 +Subject: [PATCH] patch 8.2.0133: invalid memory access with search command + +Problem: Invalid memory access with search command. +Solution: When :normal runs out of characters in bracketed paste mode break + out of the loop.(closes #5511) +--- + src/edit.c | 4 ++-- + src/testdir/test_search.vim | 5 +++++ + src/version.c | 2 ++ + 3 files changed, 9 insertions(+), 2 deletions(-) + +Backport: drop included_patches 135 due to version bump + +diff --git a/src/edit.c b/src/edit.c +index ee3caf0dad50..2b5301100ddb 100644 +--- a/src/edit.c ++++ b/src/edit.c +@@ -9183,7 +9183,7 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + int save_paste = p_paste; + + /* If the end code is too long we can't detect it, read everything. 
*/ +- if (STRLEN(end) >= NUMBUFLEN) ++ if (end != NULL && STRLEN(end) >= NUMBUFLEN) + end = NULL; + ++no_mapping; + allow_keys = 0; +@@ -9201,9 +9201,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + { + c = vgetc(); + } while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR); +- if (c == NUL || got_int) ++ if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C)) + // When CTRL-C was encountered the typeahead will be flushed and we +- // won't get the end sequence. ++ // won't get the end sequence. Except when using ":normal". + break; + + if (has_mbyte) +@@ -9226,7 +9226,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) + break; + + case PASTE_EX: +- if (gap != NULL && ga_grow(gap, idx) == OK) ++ /* add one for the NUL that is going to be appended */ ++ if (gap != NULL && ga_grow(gap, idx + 1) == OK) + { + mch_memmove((char *)gap->ga_data + gap->ga_len, + buf, (size_t)idx); +diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim +index c94fe7c357ed..5b8d8a0e3e2d 100644 +--- a/src/testdir/test_paste.vim ++++ b/src/testdir/test_paste.vim +@@ -84,6 +84,16 @@ + call assert_equal("\"afoo\<CR>barb", getreg(':')) + endfunc + ++" bracketed paste in Ex-mode ++func Test_paste_ex_mode() ++ unlet! 
foo ++ call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt') ++ call assert_equal("foo\rbar", foo) ++ ++ " pasting more than 40 bytes ++ exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>" ++endfunc ++ + func Test_paste_visual_mode() + new + call setline(1, 'here are some words') +diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim +index 60152f602..89ca6e131 100644 +--- a/src/testdir/test_search.vim ++++ b/src/testdir/test_search.vim +@@ -1187,3 +1187,9 @@ + call assert_equal(bufcontent[1], @/) + call Incsearch_cleanup() + endfunc ++ ++func Test_search_special() ++ " this was causing illegal memory access and an endless loop ++ set t_PE= ++ exe "norm /\x80PS" ++endfunc +diff --git a/src/version.c b/src/version.c +index 6685b554f537..9dcf34928f8d 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -795,6 +795,8 @@ static char *(features[]) = + 805, + /**/ + 5024, ++/**/ ++ 4218, + /**/ + 4214, + /**/ diff --git a/debian/patches/CVE-2022-0629.patch b/debian/patches/CVE-2022-0629.patch new file mode 100644 index 0000000..b3348ef --- /dev/null +++ b/debian/patches/CVE-2022-0629.patch 
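Review bot: `Test_search_special` clears the paste-end code with `set t_PE=` and never restores it, so every later test in the same run sees no bracketed-paste end sequence and those paths go silently untested; save and restore it around the `exe`, `let save_t_PE = &t_PE` before and `let &t_PE = save_t_PE` after. On the C side the `end != NULL` guard before `STRLEN(end)` and the `ga_grow(gap, idx + 1)` reservation are the right fixes; the code that later appends the NUL, and the start of `bracketed_paste`, are outside the hunk. The header lists three upstream commits but `included_patches` only gains 4218, and the Backport note explains dropping 135 twice while saying nothing about 133 — one line covering both would make the omission look intentional.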
@@ -0,0 +1,59 @@ +From 34f8117dec685ace52cd9e578e2729db278163fc Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Wed, 16 Feb 2022 12:16:19 +0000 +Subject: [PATCH] patch 8.2.4397: crash when using many composing characters in + error message + +Problem: Crash when using many composing characters in error message. +Solution: Use mb_cptr2char_adv() instead of mb_ptr2char_adv(). +--- + src/testdir/test_assert.vim | 8 ++++++++ + src/testing.c | 2 +- + src/version.c | 2 ++ + 3 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim +index 8987f3f8dfcd..27b2d73fbfc8 100644 +--- a/src/testdir/test_assert.vim ++++ b/src/testdir/test_assert.vim +@@ -35,6 +35,14 @@ func Test_assert_equal() + call assert_equal('XxxxxxxxxxxxxxxxxxxxxxX', 'XyyyyyyyyyyyyyyyyyyyyyyyyyX') + call assert_match("Expected 'X\\\\\\[x occurs 21 times]X' but got 'X\\\\\\[y occurs 25 times]X'", v:errors[0]) + call remove(v:errors, 0) ++ ++ " many composing characters are handled properly ++ call setline(1, ' ') ++ norm 100gr݀ ++ call assert_equal(1, getline(1)) ++ call assert_match("Expected 1 but got '.* occurs 100 times]'", v:errors[0]) ++ call remove(v:errors, 0) ++ bwipe! + endfunc + + func Test_assert_equalfile() +diff --git a/src/testing.c b/src/testing.c +index 448c01c1e964..48ba14d2cafd 100644 +--- a/src/eval.c ++++ b/src/eval.c +@@ -101,7 +101,7 @@ ga_concat_shorten_esc(garray_T *gap, char_u *str) + { + same_len = 1; + s = p; +- c = mb_ptr2char_adv(&s); ++ c = mb_cptr2char_adv(&s); + clen = s - p; + while (*s != NUL && c == mb_ptr2char(s)) + { +diff --git a/src/version.c b/src/version.c +index fb1b8476e1a6..b4983661cadc 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -795,6 +795,8 @@ static char *(features[]) = + 805, + /**/ + 5024, ++/**/ ++ 4397, + /**/ + 4218, + /**/ diff --git a/debian/patches/CVE-2022-0696.patch b/debian/patches/CVE-2022-0696.patch new file mode 100644 index 0000000..0e1491e 
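Review bot: The `diff --git a/src/testing.c b/src/testing.c` header does not match the `---`/`+++` lines under it, which target `src/eval.c`; quilt applies by the `---`/`+++` names so the patch works, but anyone comparing it with upstream 8.2.4397 will look in the wrong file. Change the header to `diff --git a/src/eval.c b/src/eval.c` and add a Backport line noting that `ga_concat_shorten_esc` lives in eval.c in this tree. The function starts and ends outside the hunk; the switch from `mb_ptr2char_adv` to `mb_cptr2char_adv` is the entire upstream fix.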
--- /dev/null +++ b/debian/patches/CVE-2022-0696.patch @@ -0,0 +1,69 @@ +From 0f6e28f686dbb59ab3b562408ab9b2234797b9b1 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Sun, 20 Feb 2022 20:49:35 +0000 +Subject: [PATCH] patch 8.2.4428: crash when switching tabpage while in the + cmdline window + +Problem: Crash when switching tabpage while in the cmdline window. +Solution: Disallow switching tabpage when in the cmdline window. +--- + src/evalvars.c | 14 ++------------ + src/proto/window.pro | 1 + + src/usercmd.c | 24 ++++-------------------- + src/version.c | 2 ++ + src/window.c | 26 ++++++++++++++++++++++++++ + 5 files changed, 35 insertions(+), 32 deletions(-) + +Backport: Since the old version dosn't do command line completion +correctly, those parts are dropped and we only forbid switching the tab +page. + +diff --git a/src/version.c b/src/version.c +index c5f5c22f90ac..777476d80dce 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -795,6 +795,8 @@ static char *(features[]) = + 805, + /**/ + 5024, ++/**/ ++ 4428, + /**/ + 4397, + /**/ +diff --git a/src/window.c b/src/window.c +index 1f5e7096047c..b00ed977fc04 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -3656,6 +3656,14 @@ win_new_tabpage(int after) + tabpage_T *newtp; + int n; + ++#ifdef FEAT_CMDWIN ++ if (cmdwin_type != 0) ++ { ++ emsg(_("E11: Invalid in command-line window; :q<CR> closes the window")); ++ return FAIL; ++ } ++#endif ++ + newtp = alloc_tabpage(); + if (newtp == NULL) + return FAIL; +@@ -3997,6 +4005,7 @@ goto_tabpage(int n) + text_locked_msg(); + return; + } ++ CHECK_CMDWIN; + + /* If there is only one it can't work. */ + if (first_tabpage->tp_next == NULL) +@@ -4064,6 +4073,8 @@ goto_tabpage_tp( + int trigger_enter_autocmds, + int trigger_leave_autocmds) + { ++ CHECK_CMDWIN; ++ + /* Don't repeat a message in another tab page. */ + set_keep_msg(NULL, 0); + 
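Review bot: `win_new_tabpage` hard-codes a new E11 literal (`"E11: Invalid in command-line window; :q<CR> closes the window"`) while the two `goto_tabpage*` hunks use `CHECK_CMDWIN`, which presumably emits the tree's existing `e_cmdwin` string; if that string's wording differs in 8.1, the same condition now prints two different E11 texts and the new one bypasses existing translations. Use the shared string, `emsg(_(e_cmdwin));`, instead of a fresh literal. The Backport note says the completion-related parts were dropped; naming the upstream files left out (`evalvars.c`, `usercmd.c`, `proto/window.pro`) would make the diffstat mismatch self-explanatory.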
diff --git a/debian/patches/CVE-2022-1619.patch b/debian/patches/CVE-2022-1619.patch new file mode 100644 index 0000000..121a1b7 --- /dev/null +++ b/debian/patches/CVE-2022-1619.patch 
@@ -0,0 +1,74 @@ +From ef02f16609ff0a26ffc6e20263523424980898fe Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Sat, 7 May 2022 10:49:10 +0100 +Subject: [PATCH] patch 8.2.4899: with latin1 encoding CTRL-W might go before + the cmdline + +Problem: With latin1 encoding CTRL-W might go before the start of the + command line. +Solution: Check already being at the start of the command line. +--- + src/ex_getln.c | 11 +++++++---- + src/testdir/test_cmdline.vim | 3 +++ + src/version.c | 2 ++ + 3 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/src/ex_getln.c b/src/ex_getln.c +index a97024b35171..7020f5143a01 100644 +--- a/src/ex_getln.c ++++ b/src/ex_getln.c +@@ -1635,10 +1635,13 @@ + { + while (p > ccline.cmdbuff && vim_isspace(p[-1])) + --p; +- i = vim_iswordc(p[-1]); +- while (p > ccline.cmdbuff && !vim_isspace(p[-1]) +- && vim_iswordc(p[-1]) == i) +- --p; ++ if (p > ccline.cmdbuff) ++ { ++ i = vim_iswordc(p[-1]); ++ while (p > ccline.cmdbuff && !vim_isspace(p[-1]) ++ && vim_iswordc(p[-1]) == i) ++ --p; ++ } + } + else + --p; +diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim +index 474638fb00d6..5a849f77f755 100644 +--- a/src/testdir/test_cmdline.vim ++++ b/src/testdir/test_cmdline.vim +@@ -641,6 +641,19 @@ + let &lines = lines + let &columns = columns + endfunc ++ ++func Test_cmdline_remove_char() ++ let encoding_save = &encoding ++ ++ for e in ['utf8', 'latin1'] ++ exe 'set encoding=' . e ++ ++ " This was going before the start in latin1. ++ call feedkeys(": \<C-W>\<CR>", 'tx') ++ endfor ++ ++ let &encoding = encoding_save ++endfunc + + + set cpo& +diff --git a/src/version.c b/src/version.c +index 201d26f06eb9..05888c722e8e 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -795,6 +795,8 @@ static char *(features[]) = + 805, + /**/ + 5024, ++/**/ ++ 4899, + /**/ + 4428, + /**/ diff --git a/debian/patches/CVE-2022-1621.patch b/debian/patches/CVE-2022-1621.patch new file mode 100644 index 0000000..29f8532 
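Review bot: The new `if (p > ccline.cmdbuff)` guard deserves a comment saying why it exists, because the `while` just above it can leave `p == ccline.cmdbuff` when the command line is all blanks and the old `i = vim_iswordc(p[-1])` then read one byte before the buffer; suggested: `// the loop above may have reached the start: don't read p[-1]`. The enclosing function starts and ends outside the hunk, and the bounds of the `else --p;` branch depend on a condition not visible here. The test exercises both `utf8` and `latin1` and restores `&encoding` afterwards, which is good.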
--- /dev/null +++ b/debian/patches/CVE-2022-1621.patch 
@@ -0,0 +1,114 @@ +From 7c824682d2028432ee082703ef0ab399867a089b Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Sun, 8 May 2022 22:32:58 +0100 +Subject: [PATCH] patch 8.2.4919: can add invalid bytes with :spellgood + +Problem: Can add invalid bytes with :spellgood. +Solution: Check for a valid word string. +--- + src/errors.h | 4 ++++ + src/mbyte.c | 2 +- + src/spellfile.c | 10 ++++++++++ + src/testdir/test_spell_utf8.vim | 5 +++++ + src/version.c | 2 ++ + 5 files changed, 22 insertions(+), 1 deletion(-) + +From fe978c2b6bb9d897d962595a4a51dd7a71dc8e89 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Sun, 8 May 2022 22:43:51 +0100 +Subject: [PATCH] patch 8.2.4921: spell test fails because of new illegal byte + check + +Problem: Spell test fails because of new illegal byte check. +Solution: Remove the test. +--- + src/testdir/test_spell.vim | 8 -------- + src/version.c | 2 ++ + 2 files changed, 2 insertions(+), 8 deletions(-) + +diff --git a/src/mbyte.c b/src/mbyte.c +index 2b7f9991ae14..a01a05140207 100644 +--- a/src/mbyte.c ++++ b/src/mbyte.c +@@ -4047,7 +4047,7 @@ utf_find_illegal(void) + convert_setup(&vimconv, NULL, NULL); + } + +-#if defined(FEAT_GUI_GTK) || defined(PROTO) ++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO) + /* + * Return TRUE if string "s" is a valid utf-8 string. + * When "end" is NULL stop at the first NUL. +diff --git a/src/spellfile.c b/src/spellfile.c +index 22cf82da0872..f0d6d96a47f0 100644 +--- a/src/spellfile.c ++++ b/src/spellfile.c +@@ -4361,6 +4361,10 @@ store_word( + int res = OK; + char_u *p; + ++ // Avoid adding illegal bytes to the word tree. 
++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ return FAIL; ++ + (void)spell_casefold(word, len, foldword, MAXWLEN); + for (p = pfxlist; res == OK; ++p) + { +@@ -6167,6 +6171,12 @@ spell_add_word( + int i; + char_u *spf; + ++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ { ++ emsg(_("E1280: Illegal character in word")); ++ return; ++ } ++ + if (idx == 0) /* use internal wordlist */ + { + if (int_wordlist == NULL) +diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim +index 79dc3e4a4a62..17fa23555818 100644 +--- a/src/testdir/test_spell.vim ++++ b/src/testdir/test_spell.vim +@@ -476,16 +476,6 @@ + bwipe! + endfunc + +-func Test_spell_single_word() +- set spell +- new +- silent! norm 0R00 +- spell! +- silent 0norm 0r$ Dvz= +- set nospell +- bwipe! +-endfunc +- + let g:test_data_aff1 = [ + \"SET ISO8859-1", + \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ", +@@ -936,3 +926,8 @@ + \"SAL Z S", + \ ] + ++" Invalid bytes may cause trouble when creating the word list. ++func Test_check_for_valid_word() ++ call assert_fails("spellgood! 0\xac", 'E1280:') ++endfunc ++ +diff --git a/src/version.c b/src/version.c +index f949dd6d7ed0..c4f5655bf6c2 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -795,6 +795,10 @@ static char *(features[]) = + 805, + /**/ + 5024, ++/**/ ++ 4921, ++/**/ ++ 4919, + /**/ + 4899, + /**/ diff --git a/debian/patches/CVE-2022-1785.patch b/debian/patches/CVE-2022-1785.patch new file mode 100644 index 0000000..1d3817f --- /dev/null +++ b/debian/patches/CVE-2022-1785.patch 
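Review bot: `store_word` receives an explicit `len` (it is passed on to `spell_casefold`), but the new `utf_valid_string(word, NULL)` call validates up to the first NUL instead; if any caller hands it a word that is not NUL-terminated at `len`, the check inspects the wrong span and can read past it. If all callers do terminate at `len`, say so in the comment; otherwise pass `word + len` as `end`. Upstream also added the E1280 text to `errors.h`, which this backport inlines as a literal in `spell_add_word`, and the test hunk's `diff --git` header still names `test_spell_utf8.vim` while its `---`/`+++` lines target `test_spell.vim` — both worth a line in the Backport note.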
@@ -0,0 +1,89 @@ +From e2bd8600b873d2cd1f9d667c28cba8b1dba18839 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Wed, 18 May 2022 13:11:57 +0100 +Subject: [PATCH] patch 8.2.4977: memory access error when substitute + expression changes window + +Problem: Memory access error when substitute expression changes window. +Solution: Disallow changing window in substitute expression. +--- + src/ex_cmds.c | 11 +++++++++++ + src/testdir/test_substitute.vim | 13 +++++++++++++ + src/version.c | 2 ++ + 3 files changed, 26 insertions(+) + +Backport: Use textlock instead of textwinlock. In this version, textwinlock + wasn't yet split out from textlock and it'll get merged back later. + +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index 7e730becb48f..210e21fe7a5b 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -5576,12 +5576,17 @@ ex_substitute(exarg_T *eap) + /* Save flags for recursion. They can change for e.g. + * :s/^/\=execute("s#^##gn") */ + subflags_save = subflags; ++ ++ /* Disallow changing text or switching window in an expression. */ ++ ++textlock; + #endif + /* get length of substitution part */ + sublen = vim_regsub_multi(®match, + sub_firstlnum - regmatch.startpos[0].lnum, + sub, sub_firstline, FALSE, p_magic, TRUE); + #ifdef FEAT_EVAL ++ --textlock; ++ + /* Don't keep flags set by a recursive call. 
*/ + subflags = subflags_save; + if (subflags.do_count) +@@ -5670,9 +5675,15 @@ ex_substitute(exarg_T *eap) + mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len); + new_end += copy_len; + ++#ifdef FEAT_EVAL ++ ++textlock; ++#endif + (void)vim_regsub_multi(®match, + sub_firstlnum - regmatch.startpos[0].lnum, + sub, new_end, TRUE, p_magic, TRUE); ++#ifdef FEAT_EVAL ++ --textlock; ++#endif + sub_nsubs++; + did_sub = TRUE; + +diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim +index f3fd7ab1ce77..a1c324ed8d20 100644 +--- a/src/testdir/test_substitute.vim ++++ b/src/testdir/test_substitute.vim +@@ -517,3 +517,16 @@ func Test_using_old_sub() + set nocompatible + endfunc + ++" This was switching windows in between computing the length and using it. ++func Test_sub_change_window() ++ silent! lfile ++ sil! norm o0000000000000000000000000000000000000000000000000000 ++ func Repl() ++ lopen ++ endfunc ++ silent! s/\%')/\=Repl() ++ bwipe! ++ bwipe! ++ delfunc Repl ++endfunc ++ +diff --git a/src/version.c b/src/version.c +index 4c63ea0771ad..782642b5d5a1 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -795,6 +795,8 @@ static char *(features[]) = + 805, + /**/ + 5024, ++/**/ ++ 4977, + /**/ + 4921, + /**/ diff --git a/debian/patches/CVE-2022-1897.patch b/debian/patches/CVE-2022-1897.patch new file mode 100644 index 0000000..1a44481 --- /dev/null +++ b/debian/patches/CVE-2022-1897.patch 
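Review bot: Using `textlock` where upstream used `textwinlock` makes the lock stricter than 8.2's: a `\=` expression that merely edits another buffer is now rejected as well, and the failure is reported through `text_locked_msg()`, presumably as E523 in this tree rather than the E565 users of 8.2 see. The Backport note should state that this is a deliberate, slightly wider restriction, since it is a user-visible difference for scripts. The lock is correctly paired around each `vim_regsub_multi` call with no early return in between, which is what matters for the use-after-free; `ex_substitute` starts and ends outside the hunks.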
@@ -0,0 +1,149 @@ +From 338f1fc0ee3ca929387448fe464579d6113fa76a Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Thu, 26 May 2022 15:56:23 +0100 +Subject: [PATCH] patch 8.2.5023: substitute overwrites allocated buffer + +Problem: Substitute overwrites allocated buffer. +Solution: Disallow undo when in a substitute command. +--- + src/normal.c | 42 ++++++++++++++++----------------- + src/testdir/test_substitute.vim | 22 +++++++++++++++++ + src/undo.c | 6 +++++ + src/version.c | 2 ++ + 4 files changed, 51 insertions(+), 21 deletions(-) + +diff --git a/src/normal.c b/src/normal.c +index bc3e29e1abaa..53c50dc8b368 100644 +--- a/src/normal.c ++++ b/src/normal.c +@@ -514,6 +514,22 @@ find_command(int cmdchar) + return idx; + } + ++/* ++ * If currently editing a cmdline or text is locked: beep and give an error ++ * message, return TRUE. ++ */ ++ static int ++check_text_locked(oparg_T *oap) ++{ ++ if (text_locked()) ++ { ++ clearopbeep(oap); ++ text_locked_msg(); ++ return TRUE; ++ } ++ return FALSE; ++} ++ + /* + * Execute a command in Normal mode. + */ +@@ -775,14 +791,9 @@ normal_cmd( + goto normal_end; + } + +- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW)) +- { +- /* This command is not allowed while editing a cmdline: beep. 
*/ +- clearopbeep(oap); +- text_locked_msg(); +- goto normal_end; +- } +- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked()) ++ if ((nv_cmds[idx].cmd_flags & NV_NCW) ++ && (check_text_locked(oap) || curbuf_locked())) ++ /* this command is not allowed now */ + goto normal_end; + + /* +@@ -6164,12 +6175,8 @@ nv_gotofile(cmdarg_T *cap) + char_u *ptr; + linenr_T lnum = -1; + +- if (text_locked()) +- { +- clearopbeep(cap->oap); +- text_locked_msg(); ++ if (check_text_locked(cap->oap)) + return; +- } + if (curbuf_locked()) + { + clearop(cap->oap); +@@ -8330,14 +8337,7 @@ nv_g_cmd(cmdarg_T *cap) + + /* "gQ": improved Ex mode */ + case 'Q': +- if (text_locked()) +- { +- clearopbeep(cap->oap); +- text_locked_msg(); +- break; +- } +- +- if (!checkclearopq(oap)) ++ if (!check_text_locked(cap->oap) && !checkclearopq(oap)) + do_exmode(TRUE); + break; + +diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim +index a1c324ed8d20..c8df09f4ec1e 100644 +--- a/src/testdir/test_substitute.vim ++++ b/src/testdir/test_substitute.vim +@@ -530,3 +530,25 @@ func Test_sub_change_window() + delfunc Repl + endfunc + ++" This was undoign a change in between computing the length and using it. ++func Do_Test_sub_undo_change() ++ new ++ norm o0000000000000000000000000000000000000000000000000000 ++ silent! s/\%')/\=Repl() ++ bwipe! ++endfunc ++ ++func Test_sub_undo_change() ++ func Repl() ++ silent! norm g- ++ endfunc ++ call Do_Test_sub_undo_change() ++ ++ func! Repl() ++ silent earlier ++ endfunc ++ call Do_Test_sub_undo_change() ++ ++ delfunc Repl ++endfunc ++ +diff --git a/src/undo.c b/src/undo.c +index cac09f0f58df..81cc28e8b801 100644 +--- a/src/undo.c ++++ b/src/undo.c +@@ -2278,6 +2278,12 @@ undo_time( + int above = FALSE; + int did_undo = TRUE; + ++ if (text_locked()) ++ { ++ text_locked_msg(); ++ return; ++ } ++ + /* First make sure the current undoable change is synced. 
*/ + if (curbuf->b_u_synced == FALSE) + u_sync(TRUE); +diff --git a/src/version.c b/src/version.c +index 9751865c7adf..cd6c33162204 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -795,6 +795,8 @@ static char *(features[]) = + 805, + /**/ + 5024, ++/**/ ++ 5023, + /**/ + 4977, + /**/ diff --git a/debian/patches/CVE-2022-1942.patch b/debian/patches/CVE-2022-1942.patch new file mode 100644 index 0000000..e2f5b9c --- /dev/null +++ b/debian/patches/CVE-2022-1942.patch 
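Review bot: Only `undo_time()` gains the `text_locked()` guard, which covers the `g-` and `:earlier` cases the test drives, but plain `u`/`CTRL-R` and `:undo` go through `u_undo`/`u_redo`; unless the already-listed 5024 patch locks those, a `\=execute('undo')` in the same substitute could still change the line between the length computation and the copy. Please confirm that path is covered, or add the same check there. The `check_text_locked` helper dedupes the three normal.c sites cleanly, and case `'Q'` in `nv_g_cmd` still clears the operator through `checkclearopq` when not locked, matching the old flow. The test comment has a typo, `undoign`.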
@@ -0,0 +1,122 @@ +From 71223e2db87c2bf3b09aecb46266b56cda26191d Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Mon, 30 May 2022 15:23:09 +0100 +Subject: [PATCH] patch 8.2.5043: can open a cmdline window from a substitute + expression + +Problem: Can open a cmdline window from a substitute expression. +Solution: Disallow opening a command line window when text or buffer is + locked. +--- + src/buffer.c | 7 +------ + src/ex_getln.c | 19 +++++++++++++++++++ + src/proto/ex_getln.pro | 5 +++-- + src/testdir/test_substitute.vim | 25 +++++++++++++++++++++++++ + src/version.c | 2 ++ + src/window.c | 5 +---- + 6 files changed, 51 insertions(+), 12 deletions(-) + +Backport: Drop test case, because the expected E565 was only introduced in + 8.2.0670 and the testcase does not otherwise fail or issue messages in + valgrind. + +diff --git a/src/buffer.c b/src/buffer.c +index efec431c822d..e775398d0294 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -2297,12 +2297,7 @@ buflist_getfile( + if (buf == curbuf) + return OK; + +- if (text_locked()) +- { +- text_locked_msg(); +- return FAIL; +- } +- if (curbuf_locked()) ++ if (text_or_buf_locked()) + return FAIL; + + /* altfpos may be changed by getfile(), get it now */ +diff --git a/src/ex_getln.c b/src/ex_getln.c +index 9dadfbf2fabe..623bd1d4984a 100644 +--- a/src/ex_getln.c ++++ b/src/ex_getln.c +@@ -2589,6 +2589,21 @@ get_text_locked_msg(void) + return e_secure; + } + ++/* ++ * Check for text, window or buffer locked. ++ * Give an error message and return TRUE if something is locked. ++ */ ++ int ++text_or_buf_locked(void) ++{ ++ if (text_locked()) ++ { ++ text_locked_msg(); ++ return TRUE; ++ } ++ return curbuf_locked(); ++} ++ + /* + * Check if "curbuf_lock" or "allbuf_lock" is set and return TRUE when it is + * and give an error message. +@@ -7188,6 +7203,10 @@ open_cmdwin(void) + int save_KeyTyped; + #endif + ++ /* Can't do this when text or buffer is locked. 
*/ ++ if (text_or_buf_locked()) ++ return K_IGNORE; ++ + /* Can't do this recursively. Can't do it when typing a password. */ + if (cmdwin_type != 0 + # if defined(FEAT_CRYPT) || defined(FEAT_EVAL) +diff --git a/src/proto/ex_getln.pro b/src/proto/ex_getln.pro +index 8c8bd0ebd4cd..bcc310c7dd0e 100644 +--- a/src/proto/ex_getln.pro ++++ b/src/proto/ex_getln.pro +@@ -5,6 +5,7 @@ + int text_locked(void); + void text_locked_msg(void); + char *get_text_locked_msg(void); ++int text_or_buf_locked(void); + int curbuf_locked(void); + int allbuf_locked(void); + char_u *getexline(int c, void *cookie, int indent); +diff --git a/src/version.c b/src/version.c +index 18a1fdb41cb6..a15bb3ed8d6a 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -791,6 +791,8 @@ static char *(features[]) = + + static int included_patches[] = + { /* Add new patch number below this line */ ++/**/ ++ 5043, + /**/ + 805, + /**/ +diff --git a/src/window.c b/src/window.c +index f2913d4a76ef..9b5ac97286cd 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -4173,14 +4173,11 @@ win_goto(win_T *wp) + win_T *owp = curwin; + #endif + +- if (text_locked()) ++ if (text_or_buf_locked()) + { + beep_flush(); +- text_locked_msg(); + return; + } +- if (curbuf_locked()) +- return; + + if (wp->w_buffer != curbuf) + reset_VIsual_and_resel(); diff --git a/debian/patches/CVE-2022-2000.patch b/debian/patches/CVE-2022-2000.patch new file mode 100644 index 0000000..7f1a1e6 --- /dev/null +++ b/debian/patches/CVE-2022-2000.patch 
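Review bot: Dropping the upstream regression test leaves the new early return in `open_cmdwin` unexercised; since the difference is only the expected message, the test could be kept with its expectation changed from `E565:` to the error this tree raises through `text_locked_msg()` (`get_text_locked_msg` ends in `return e_secure;` here, so presumably `E523:`). Returning `K_IGNORE` from `open_cmdwin` is a new return path and its callers are outside the hunk; a one-line comment on how they treat it would help, e.g. `// caller treats K_IGNORE as "nothing typed"`. The `win_goto` change folds the separate `curbuf_locked()` return into `text_or_buf_locked()`, which is equivalent.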
@@ -0,0 +1,65 @@
+From 44a3f3353e0407e9fffee138125a6927d1c9e7e5 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 6 Jun 2022 15:38:21 +0100
+Subject: [PATCH] patch 8.2.5063: error for a command may go over the end of
+ IObuff
+
+Problem: Error for a command may go over the end of IObuff.
+Solution: Truncate the message.
+---
+ src/ex_docmd.c | 12 ++++++++++--
+ src/testdir/test_cmdline.vim | 5 +++++
+ src/version.c | 2 ++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index cfb40e8d5cfa..634a1bcef566 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3111,9 +3111,17 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
+ static void
+ append_command(char_u *cmd)
+ {
+- char_u *s = cmd;
+- char_u *d;
++ size_t len = STRLEN(IObuff);
++ char_u *s = cmd;
++ char_u *d;
+ 
++ if (len > IOSIZE - 100)
++ {
++ // Not enough space, truncate and put in "...".
++ d = IObuff + IOSIZE - 100;
++ d -= mb_head_off(IObuff, d);
++ STRCPY(d, "...");
++ }
+ STRCAT(IObuff, ": ");
+ d = IObuff + STRLEN(IObuff);
+ while (*s != NUL && d - IObuff + 5 < IOSIZE)
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 77965b3f65a3..2289c343e9f8 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -657,3 +657,9 @@
+ 
+ 
+ set cpo&
++
++func Test_long_error_message()
++ " the error should be truncated, not overrun IObuff
++ silent! norm Q00000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index 542028606dde..dd585c81afe9 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 5063,
+ /**/
+ 5043,
+ /**/
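Review bot: `IOSIZE - 100` appears as a bare number twice in `append_command` and the `mb_head_off` step-back has no comment, so neither the size of the reserve nor why `d` is moved backwards is obvious to the next reader. I would extend the existing comment to `// Not enough space: keep 100 bytes for ": ", the command and "...", and step back to a character boundary so "..." does not split a multibyte char.` and give the reserve a name if the file has a convention for such constants. `len` is stale once the truncation has run, which is harmless only because `d` is recomputed from `STRLEN(IObuff)` below; that is worth keeping in mind for later edits. The copy loop of `append_command` continues outside the hunk.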
diff --git a/debian/patches/CVE-2022-2129.patch b/debian/patches/CVE-2022-2129.patch
new file mode 100644
index 0000000..70bdd57
--- /dev/null
+++ b/debian/patches/CVE-2022-2129.patch
@@ -0,0 +1,65 @@
+From d6211a52ab9f53b82f884561ed43d2fe4d24ff7d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 18 Jun 2022 19:48:14 +0100
+Subject: [PATCH] patch 8.2.5126: substitute may overrun destination buffer
+
+Problem: Substitute may overrun destination buffer.
+Solution: Disallow switching buffers in a substitute expression.
+---
+ src/ex_docmd.c | 7 ++++---
+ src/testdir/test_substitute.vim | 13 +++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index fed9330b52e9..1185cd1550a6 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -8778,9 +8778,10 @@ do_exedit(
+ #endif
+ )
+ {
+- /* Can't edit another file when "curbuf_lock" is set. Only ":edit"
+- * can bring us here, others are stopped earlier. */
+- if (*eap->arg != NUL && curbuf_locked())
++ /* Can't edit another file when "textlock" or "curbuf_lock" is set.
++ * Only ":edit" or ":script" can bring us here, others are stopped
++ earlier. */
++ if (*eap->arg != NUL && text_or_buf_locked())
+ return;
+ 
+ n = readonlymode;
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 46ea95513192..c056fa965692 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -552,3 +552,16 @@
+ delfunc Repl
+ endfunc
+ 
++" This was editing a script file from the expression
++func Test_sub_edit_scriptfile()
++ new
++ norm o0000000000000000000000000000000000000000000000000000
++ func EditScript()
++ silent! scr! Xfile
++ endfunc
++ s/\%')/\=EditScript()
++
++ delfunc EditScript
++ bwipe!
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index 82ac4eaf2dd9..2f397ae315f7 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 5126,
+ /**/
+ 5063,
+ /**/
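Review bot: The rewritten comment in `do_exedit` has lost the ` * ` prefix on its third line (`++ earlier. */`), presumably when the upstream `//` comment was converted to `/* */` for this 8.1 tree; it should read ` * earlier. */` to match the two lines above it. The new condition also depends on `text_or_buf_locked()`, which only exists once CVE-2022-1942.patch is applied, so the relative order of the two entries in debian/patches/series is load-bearing; a one-line Backport note stating that dependency would spare the next uploader a failed build when reordering. The body of `do_exedit` continues outside the hunk.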
diff --git a/debian/patches/CVE-2022-3235.patch b/debian/patches/CVE-2022-3235.patch
new file mode 100644
index 0000000..fc3e20e
--- /dev/null
+++ b/debian/patches/CVE-2022-3235.patch
@@ -0,0 +1,116 @@
+From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 17 Sep 2022 19:43:23 +0100
+Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
+ autocmd
+
+Problem: Using freed memory with cmdwin and BufEnter autocmd.
+Solution: Make sure pointer to b_p_iminsert is still valid.
+---
+ src/ex_getln.c | 8 ++++++--
+ src/testdir/test_cmdwin.vim | 10 ++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+Backport: rewrote b_im_ptr handling
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 70436b31f05e..a4fb61145c96 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -858,6 +858,7 @@ getcmdline_int(
+ #endif
+ expand_T xpc;
+ long *b_im_ptr = NULL;
++ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid
+ struct cmdline_info save_ccline;
+ int did_save_ccline = FALSE;
+ int cmdline_type;
+@@ -968,6 +969,7 @@ getcmdline_int(
+ b_im_ptr = &curbuf->b_p_iminsert;
+ else
+ b_im_ptr = &curbuf->b_p_imsearch;
++ b_im_ptr_buf = curbuf;
+ if (*b_im_ptr == B_IMODE_LMAP)
+ State |= LANGMAP;
+ #ifdef HAVE_INPUT_METHOD
+@@ -1718,7 +1720,7 @@ getcmdline_int(
+ #ifdef HAVE_INPUT_METHOD
+ im_set_active(FALSE); /* Disable input method */
+ #endif
+- if (b_im_ptr != NULL)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ {
+ if (State & LANGMAP)
+ *b_im_ptr = B_IMODE_LMAP;
+@@ -1732,7 +1734,7 @@ getcmdline_int(
+ /* There are no ":lmap" mappings, toggle IM. When
+ * 'imdisable' is set don't try getting the status, it's
+ * always off. */
+- if ((p_imdisable && b_im_ptr != NULL)
++ if ((p_imdisable && b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ ? *b_im_ptr == B_IMODE_IM : im_get_status())
+ {
+ im_set_active(FALSE); /* Disable input method */
+@@ -1742,12 +1744,12 @@ getcmdline_int(
+ else
+ {
+ im_set_active(TRUE); /* Enable input method */
+- if (b_im_ptr != NULL)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ *b_im_ptr = B_IMODE_IM;
+ }
+ }
+ #endif
+- if (b_im_ptr != NULL)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ {
+ if (b_im_ptr == &curbuf->b_p_iminsert)
+ set_iminsert_global();
+@@ -2476,7 +2478,8 @@ getcmdline_int(
+ 
+ State = save_State;
+ #ifdef HAVE_INPUT_METHOD
+- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
++ && *b_im_ptr != B_IMODE_LMAP)
+ im_save_status(b_im_ptr);
+ im_set_active(FALSE);
+ #endif
+diff --git a/src/testdir/test_cmdwin.vim b/src/testdir/test_cmdwin.vim
+index d62673aba254..fe849bcc1686 100644
+--- /dev/null
++++ b/src/testdir/test_cmdwin.vim
+@@ -0,0 +0,12 @@
++" This was using a pointer to a freed buffer
++func Test_cmdwin_freed_buffer_ptr()
++ au BufEnter * next 0| file
++ edit 0
++ silent! norm q/
++
++ au! BufEnter
++ bwipe!
++endfunc
++
++
++" vim: shiftwidth=2 sts=2 expandtab
+--- a/src/testdir/Make_all.mak
++++ b/src/testdir/Make_all.mak
+@@ -89,6 +89,7 @@
+ test_clientserver \
+ test_close_count \
+ test_cmdline \
++ test_cmdwin \
+ test_command_count \
+ test_comparators \
+ test_compiler \
+--- a/src/version.c
++++ b/src/version.c
+@@ -2618,6 +2618,7 @@
+ "8.2.3403",
+ "8.2.3409",
+ "8.2.3428",
++ "9.0.0490",
+ /**/
+ NULL
+ };
diff --git a/debian/patches/CVE-2022-3256.patch b/debian/patches/CVE-2022-3256.patch
new file mode 100644
index 0000000..ab1abab
--- /dev/null
+++ b/debian/patches/CVE-2022-3256.patch
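Review bot: The file-creation section for `src/testdir/test_cmdwin.vim` is internally inconsistent: it keeps the `index d62673aba254..fe849bcc1686` line from upstream's modification of an existing file, yet is written as `--- /dev/null` with the hunk header `@@ -0,0 +0,12 @@`, whose new-side start of 0 is not the usual form for a created file (`@@ -0,0 +1,12 @@`). quilt presumably accepts it since the upload built, but regenerating that hunk and dropping the stale index line would remove the ambiguity for anyone re-applying the series with a stricter tool. The Backport note says only "rewrote b_im_ptr handling"; it should also record that the test file is created from scratch and registered in Make_all.mak, because the header diffstat still lists `test_cmdwin.vim | 10` and omits Make_all.mak. The `buf_valid(b_im_ptr_buf)` guards themselves are consistent: `b_im_ptr_buf` is assigned at the same point as `b_im_ptr`, so the two are never out of step within `getcmdline_int`, whose body runs outside the hunks.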
@@ -0,0 +1,73 @@
+From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 21 Sep 2022 13:07:22 +0100
+Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark
+
+Problem: Using freed memory when autocmd changes mark.
+Solution: Copy the mark before editing another buffer.
+---
+ src/mark.c | 12 +++++++-----
+ src/testdir/test_marks.vim | 13 +++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/src/mark.c b/src/mark.c
+index ade5a1087b7d..584db033d3ca 100644
+--- a/src/mark.c
++++ b/src/mark.c
+@@ -252,17 +252,19 @@ movemark(int count)
+ fname2fnum(jmp);
+ if (jmp->fmark.fnum != curbuf->b_fnum)
+ {
+- /* jump to other file */
+- if (buflist_findnr(jmp->fmark.fnum) == NULL)
++ /* Make a copy, an autocommand may make "jmp" invalid. */
++ fmark_T fmark = jmp->fmark;
++
++ /* jump to the file with the mark */
++ if (buflist_findnr(fmark.fnum) == NULL)
+ { /* Skip this one .. */
+ count += count < 0 ? -1 : 1;
+ continue;
+ }
+- if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
+- 0, FALSE) == FAIL)
++ if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
+ return (pos_T *)NULL;
+ /* Set lnum again, autocommands my have changed it */
+- curwin->w_cursor = jmp->fmark.mark;
++ curwin->w_cursor = fmark.mark;
+ pos = (pos_T *)-1;
+ }
+ else
+diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
+index 12501a3aba07..20fb3041f244 100644
+--- a/src/testdir/test_marks.vim
++++ b/src/testdir/test_marks.vim
+@@ -174,3 +174,16 @@ func Test_getmarklist()
+ call assert_fails('mark xx', 'E488:')
+ call assert_fails('mark _', 'E191:')
+ endfunc
++" This was using freed memory
++func Test_jump_mark_autocmd()
++ next 00
++ edit 0
++ sargument
++ au BufEnter 0 all
++ sil norm 
++
++ au! BufEnter
++ bwipe!
++endfunc
++
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -2619,6 +2619,7 @@
+ "8.2.3409",
+ "8.2.3428",
+ "9.0.0490",
++ "9.0.0530",
+ /**/
+ NULL
+ };
diff --git a/debian/patches/CVE-2022-3352.patch b/debian/patches/CVE-2022-3352.patch
new file mode 100644
index 0000000..f55e40d
--- /dev/null
+++ b/debian/patches/CVE-2022-3352.patch
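Review bot: In `Test_jump_mark_autocmd` the line `++ sil norm ` ends right after `norm `, so the normal-mode command, presumably a literal <C-O> as in upstream, is either a raw control byte in the patch file or has been lost in transit; if lost, the test never performs the jump that exercises `movemark` and passes vacuously. Writing it as `exe "sil norm \<C-O>"` keeps the patch free of raw control characters and makes the intent visible. As a minor style point, the new function is appended directly after the previous `endfunc` without a separating blank line while two blank lines trail it. The `movemark` change itself reads correctly: `fmark` is copied before `buflist_getfile()` and `jmp` is not dereferenced again within the hunk, although the function continues outside it.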
@@ -0,0 +1,69 @@
+From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 28 Sep 2022 11:48:30 +0100
+Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
+
+Problem: SpellFileMissing autocmd may delete buffer.
+Solution: Disallow deleting the current buffer to avoid using freed memory.
+---
+ src/buffer.c | 7 ++++++-
+ src/spell.c | 6 ++++++
+ src/testdir/test_autocmd.vim | 10 ++++++++++
+ src/version.c | 2 ++
+ 4 files changed, 24 insertions(+), 1 deletion(-)
+
+Backport: src/buffer.c isn't vulnerable yet
+
+diff --git a/src/spell.c b/src/spell.c
+index 628814fe6db3..975b5a6789a9 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -1813,6 +1813,10 @@ spell_load_lang(char_u *lang)
+ sl.sl_slang = NULL;
+ sl.sl_nobreak = FALSE;
+ 
++ // Disallow deleting the current buffer. Autocommands can do weird things
++ // and cause "lang" to be freed.
++ ++curbuf->b_locked;
++
+ /* We may retry when no spell file is found for the language, an
+ * autocommand may load it then. */
+ for (round = 1; round <= 2; ++round)
+@@ -1866,6 +1870,8 @@ spell_load_lang(char_u *lang)
+ STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
+ do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
+ }
++
++ --curbuf->b_locked;
+ }
+ 
+ /*
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 86732f15dbe4..70f0f553a226 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -1416,3 +1416,14 @@
+ endfunc
+ 
+ " FileChangedShell tested in test_filechanged.vim
++
++" this was wiping out the current buffer and using freed memory
++func Test_SpellFileMissing_bwipe()
++ next 0
++ au SpellFileMissing 0 bwipe
++ call assert_fails('set spell spelllang=0', 'E937:')
++
++ au! SpellFileMissing
++ bwipe
++endfunc
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -2620,6 +2620,7 @@
+ "8.2.3428",
+ "9.0.0490",
+ "9.0.0530",
++ "9.0.0614",
+ /**/
+ NULL
+ };
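Review bot: `++curbuf->b_locked` and `--curbuf->b_locked` in `spell_load_lang` both read `curbuf` afresh, but the code between the two hunks runs autocommands (`do_in_runtimepath` with `spell_load_cb`, and the SpellFileMissing event the commit message describes); if one of them makes another buffer current, the decrement lands on that other buffer and the original stays locked, so later deletion of it keeps failing with E937. Saving the pointer avoids that: `buf_T *locked_buf = curbuf; ++locked_buf->b_locked;` before the retry loop and `--locked_buf->b_locked;` after it. The lock refuses deletion (the test expects E937 from `bwipe`) but, as far as is visible here, does not stop an autocommand from switching buffers, which is what makes the pairing fragile. `spell_load_lang` continues outside the hunks between the two shown fragments, so the early-return paths in between, if any, would also need to pass the decrement.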
diff --git a/debian/patches/series b/debian/patches/series
index 5cb3483..acb4b8e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -62,3 +62,17 @@ CVE-2022-3134.patch
 CVE-2022-3234.patch
 CVE-2022-3324.patch
 CVE-2022-3705.patch
+CVE-2022-0318.patch
+CVE-2022-0392.patch
+CVE-2022-0629.patch
+CVE-2022-0696.patch
+CVE-2022-1619.patch
+CVE-2022-1621.patch
+CVE-2022-1785.patch
+CVE-2022-1897.patch
+CVE-2022-1942.patch
+CVE-2022-2000.patch
+CVE-2022-2129.patch
+CVE-2022-3235.patch
+CVE-2022-3256.patch
+CVE-2022-3352.patch |