From 2de5f9d284257c368ee5b343e9559bf740c3377f Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 8 May 2024 07:10:39 +0200
Subject: Adding debian version 2:8.1.0875-5+deb10u6.
Signed-off-by: Daniel Baumann
---
 debian/changelog | 8 +++
 ...-heap-use-after-free-in-ins_compl_get_exp.patch | 45 ++++++++++++++++
 ...1-heap-buffer-overflow-in-vim_regsub_both.patch | 62 ++++++++++++++++++++++
 debian/patches/series | 2 +
 4 files changed, 117 insertions(+)
 create mode 100644 debian/patches/CVE-2023-4752-heap-use-after-free-in-ins_compl_get_exp.patch
 create mode 100644 debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch
(limited to 'debian')
diff --git a/debian/changelog b/debian/changelog
index f9b22b7..8612528 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+vim (2:8.1.0875-5+deb10u6) buster-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2023-4752: heap use after free in ins_compl_get_exp()
+ * CVE-2023-4781: heap-buffer-overflow in vim_regsub_both()
+
+ -- Bastien Roucariès Wed, 27 Sep 2023 19:47:00 +0000
+
 vim (2:8.1.0875-5+deb10u5) buster-security; urgency=high
 
 * Non-maintainer upload by the LTS team.
diff --git a/debian/patches/CVE-2023-4752-heap-use-after-free-in-ins_compl_get_exp.patch b/debian/patches/CVE-2023-4752-heap-use-after-free-in-ins_compl_get_exp.patch
new file mode 100644
index 0000000..cbe7a0b
--- /dev/null
+++ b/debian/patches/CVE-2023-4752-heap-use-after-free-in-ins_compl_get_exp.patch
@@ -0,0 +1,45 @@
+From: Christian Brabandt
+Date: Wed, 27 Sep 2023 22:42:36 +0000
+Subject: CVE-2023-4752: heap use after free in ins_compl_get_exp()
+
+Problem: heap use after free in ins_compl_get_exp()
+Solution: validate buffer before accessing it
+
+Signed-off-by: Christian Brabandt
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-4752
+origin: https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139
+bug: https://huntr.dev/bounties/85f62dd7-ed84-4fa2-b265-8a369a318757/
+
+[backport]
+ins_compl_get_exp is under sr/edit.c
+---
+ src/edit.c | 2 +-
+ src/version.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/edit.c b/src/edit.c
+index f2521e1..428b69c 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -4752,7 +4752,7 @@ ins_compl_get_exp(pos_T *ini)
+ else
+ {
+ /* Mark a buffer scanned when it has been scanned completely */
+- if (type == 0 || type == CTRL_X_PATH_PATTERNS)
++ if (buf_valid(ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
+ ins_buf->b_scanned = TRUE;
+
+ compl_started = FALSE;
+diff --git a/src/version.c b/src/version.c
+index a03d79b..d863dd1 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1858,
+ /**/
+ 5126,
+ /**/
diff --git a/debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch b/debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch
new file mode 100644
index 0000000..862f43a
--- /dev/null
+++ b/debian/patches/CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch
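Review bot: The `buf_valid(ins_buf)` check added in the src/edit.c hunk covers only the `ins_buf->b_scanned = TRUE` write; ins_compl_get_exp() starts and ends outside the hunk, so any other dereference of `ins_buf` after the point where the buffer can be freed should be checked against the 8.1.0875 tree as part of this backport. The patch ships no regression test (its diffstat lists only src/edit.c and src/version.c), so nothing in the package build exercises the use-after-free path. I would add a comment above the condition, `/* ins_buf may have been freed while scanning; validate before use */`. Separately, the src/version.c hunk here and the one in the CVE-2023-4781 patch add 1858 and 1873 to `included_patches` of an 8.1 tree, which presumably makes `has('patch-8.1.1858')` report a patch this version never had; a line in the patch header saying these numbers come from a later upstream series would avoid that confusion.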
@@ -0,0 +1,62 @@
+From: Christian Brabandt
+Date: Thu, 28 Sep 2023 13:47:03 +0000
+Subject: CVE-2023-4781: heap-buffer-overflow in vim_regsub_both
+
+Problem: heap-buffer-overflow in vim_regsub_both
+Solution: Disallow exchanging windows when textlock is active
+
+Signed-off-by: Christian Brabandt
+
+origin: https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93.patch
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-4781
+bug: https://huntr.dev/bounties/c867eb0a-aa8b-4946-a621-510350673883/
+---
+---
+ src/ex_cmds.c | 3 +++
+ src/version.c | 2 ++
+ src/window.c | 5 +++++
+ 3 files changed, 10 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index e4dffdb..766cfbe 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -5604,6 +5604,9 @@ do_sub(exarg_T *eap)
+ {
+ nmatch = curbuf->b_ml.ml_line_count - sub_firstlnum + 1;
+ skip_match = TRUE;
++ // safety check
++ if (nmatch < 0)
++ goto skip;
+ }
+
+ /* Need room for:
+diff --git a/src/version.c b/src/version.c
+index d863dd1..86c3195 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1873,
+ /**/
+ 1858,
+ /**/
+diff --git a/src/window.c b/src/window.c
+index 82ece3e..71908f6 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -1604,6 +1604,11 @@ win_rotate(int upwards, int count)
+ beep_flush();
+ return;
+ }
++ if (text_or_buf_locked())
++ {
++ beep_flush();
++ return;
++ }
+
+ #ifdef FEAT_GUI
+ need_mouse_correct = TRUE;
diff --git a/debian/patches/series b/debian/patches/series
index 56ef38a..7bb1dfd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -80,3 +80,5 @@ CVE-2022-4141.patch
 CVE-2023-0054.patch
 CVE-2023-1175.patch
 CVE-2023-2610.patch
+CVE-2023-4752-heap-use-after-free-in-ins_compl_get_exp.patch
+CVE-2023-4781-heap-buffer-overflow-in-vim_regsub_both.patch
-- 
cgit v1.2.3
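Review bot: The `if (nmatch < 0) goto skip;` guard added to do_sub() in src/ex_cmds.c rejects only a negative count, so a line count that changed but still leaves `nmatch` positive passes through; the `text_or_buf_locked()` check added to win_rotate() in src/window.c appears to be what actually closes the path, and it is worth confirming that other window-changing commands reachable while the text lock is held carry an equivalent check. Neither the `skip` label nor `text_or_buf_locked()` is defined inside these hunks (both functions continue outside them), so the backport should be verified to resolve both in the 8.1.0875 tree. As a style point, `// safety check` differs from the `/* */` comments around it and does not say what it guards; something like `/* line count shrank under us (buffer changed during the substitute); bail out */` would be clearer, with the cause hedged until confirmed.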