Message ID | 20230110161016.28885-1-asharma@mvista.com |
---|---|
State | New, archived |
Headers | show |
Series | [kirkstone] vim: Backport fix for CVE-2023-0049 | expand |
Hi Ashish, Thanks for helping with CVEs. Due to the large number of CVE issues in vim we have adopted a policy of doing version bumps rather than individual CVE patches. So please submit a version bump patch similar to: https://git.openembedded.org/openembedded-core/commit/?id=160f459febc7fb36cc0fe85c63eb26780ace3bfd Also, please submit for the master branch, and I will cherry-pick to the other branches after it is accepted there. Thanks again! Steve On Tue, Jan 10, 2023 at 6:10 AM Ashish Sharma <asharma@mvista.com> wrote: > > Upstream-Status: Backport from 'https://github.com/vim/vim/commit/7b17eb4b063a234376c1ec909ee293e42cff290c' > CVE: CVE-2023-0049 > > Signed-off-by: Ashish Sharma <asharma@mvista.com> > --- > .../vim/files/CVE-2023-0049.patch | 62 +++++++++++++++++++ > meta/recipes-support/vim/vim.inc | 1 + > 2 files changed, 63 insertions(+) > create mode 100644 meta/recipes-support/vim/files/CVE-2023-0049.patch > > diff --git a/meta/recipes-support/vim/files/CVE-2023-0049.patch b/meta/recipes-support/vim/files/CVE-2023-0049.patch > new file mode 100644 > index 00000000000..d8155f5fabb > --- /dev/null > +++ b/meta/recipes-support/vim/files/CVE-2023-0049.patch > @@ -0,0 +1,62 @@ > +From 7b17eb4b063a234376c1ec909ee293e42cff290c Mon Sep 17 00:00:00 2001 > +From: Bram Moolenaar <Bram@vim.org> > +Date: Wed, 4 Jan 2023 14:31:49 +0000 > +Subject: [PATCH] patch 9.0.1143: invalid memory access with bad 'statusline' > + value > + > +Problem: Invalid memory access with bad 'statusline' value. > +Solution: Avoid going over the NUL at the end. > + > +Upstream-Status: Backport from 'https://github.com/vim/vim/commit/7b17eb4b063a234376c1ec909ee293e42cff290c' > +CVE: CVE-2023-0049 > +Signed-off-by: Ashish Sharma <asharma@mvista.com> > +--- > + src/buffer.c | 2 ++ > + src/testdir/test_statusline.vim | 7 +++++++ > + src/version.c | 2 ++ > + 3 files changed, 11 insertions(+) > + > +diff --git a/src/buffer.c b/src/buffer.c > +index 98568987894e..40168226160c 100644 > +--- a/src/buffer.c > ++++ b/src/buffer.c > +@@ -4617,6 +4617,8 @@ build_stl_str_hl( > + #endif > + if (vim_strchr(STL_ALL, *s) == NULL) > + { > ++ if (*s == NUL) // can happen with "%0" > ++ break; > + s++; > + continue; > + } > +diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim > +index a829597655bf..23613bfed37b 100644 > +--- a/src/testdir/test_statusline.vim > ++++ b/src/testdir/test_statusline.vim > +@@ -440,6 +440,13 @@ func Test_statusline() > + set splitbelow& > + endfunc > + > ++func Test_statusline_trailing_percent_zero() > ++ " this was causing illegal memory access > ++ set laststatus=2 stl=%!%0 > ++ call assert_fails('redraw', 'E15: Invalid expression: "%0"') > ++ set laststatus& stl& > ++endfunc > ++ > + func Test_statusline_visual() > + func CallWordcount() > + call wordcount() > +diff --git a/src/version.c b/src/version.c > +index df02bb87b87d..4ccbd537abe3 100644 > +--- a/src/version.c > ++++ b/src/version.c > +@@ -695,6 +695,8 @@ static char *(features[]) = > + > + static int included_patches[] = > + { /* Add new patch number below this line */ > ++/**/ > ++ 1143, > + /**/ > + 1142, > + /**/ > diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc > index d86841efaa8..81c07bfefa8 100644 > --- a/meta/recipes-support/vim/vim.inc > +++ b/meta/recipes-support/vim/vim.inc > @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ > file://vim-add-knob-whether-elf.h-are-checked.patch \ > file://0001-src-Makefile-improve-reproducibility.patch \ > file://no-path-adjust.patch \ > + file://CVE-2023-0049.patch \ > " > > PV .= ".0947" > -- > 2.35.5 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#175718): https://lists.openembedded.org/g/openembedded-core/message/175718 > Mute This Topic: https://lists.openembedded.org/mt/96180104/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-support/vim/files/CVE-2023-0049.patch b/meta/recipes-support/vim/files/CVE-2023-0049.patch new file mode 100644 index 00000000000..d8155f5fabb --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2023-0049.patch @@ -0,0 +1,62 @@ +From 7b17eb4b063a234376c1ec909ee293e42cff290c Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar <Bram@vim.org> +Date: Wed, 4 Jan 2023 14:31:49 +0000 +Subject: [PATCH] patch 9.0.1143: invalid memory access with bad 'statusline' + value + +Problem: Invalid memory access with bad 'statusline' value. +Solution: Avoid going over the NUL at the end. + +Upstream-Status: Backport from 'https://github.com/vim/vim/commit/7b17eb4b063a234376c1ec909ee293e42cff290c' +CVE: CVE-2023-0049 +Signed-off-by: Ashish Sharma <asharma@mvista.com> +--- + src/buffer.c | 2 ++ + src/testdir/test_statusline.vim | 7 +++++++ + src/version.c | 2 ++ + 3 files changed, 11 insertions(+) + +diff --git a/src/buffer.c b/src/buffer.c +index 98568987894e..40168226160c 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -4617,6 +4617,8 @@ build_stl_str_hl( + #endif + if (vim_strchr(STL_ALL, *s) == NULL) + { ++ if (*s == NUL) // can happen with "%0" ++ break; + s++; + continue; + } +diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim +index a829597655bf..23613bfed37b 100644 +--- a/src/testdir/test_statusline.vim ++++ b/src/testdir/test_statusline.vim +@@ -440,6 +440,13 @@ func Test_statusline() + set splitbelow& + endfunc + ++func Test_statusline_trailing_percent_zero() ++ " this was causing illegal memory access ++ set laststatus=2 stl=%!%0 ++ call assert_fails('redraw', 'E15: Invalid expression: "%0"') ++ set laststatus& stl& ++endfunc ++ + func Test_statusline_visual() + func CallWordcount() + call wordcount() +diff --git a/src/version.c b/src/version.c +index df02bb87b87d..4ccbd537abe3 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -695,6 +695,8 @@ static char *(features[]) = + + static int included_patches[] = + { /* Add new patch number below this line */ ++/**/ ++ 1143, + /**/ + 1142, + /**/ diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index d86841efaa8..81c07bfefa8 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://vim-add-knob-whether-elf.h-are-checked.patch \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ + file://CVE-2023-0049.patch \ " PV .= ".0947"
Upstream-Status: Backport from 'https://github.com/vim/vim/commit/7b17eb4b063a234376c1ec909ee293e42cff290c' CVE: CVE-2023-0049 Signed-off-by: Ashish Sharma <asharma@mvista.com> --- .../vim/files/CVE-2023-0049.patch | 62 +++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 63 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2023-0049.patch