vim: fix CVE-2021-3968 and CVE-2021-3973

Message ID 20211129151005.276453-1-ross.burton@arm.com
State Accepted, archived
Commit bec5caadfb53638748d8c41ce7230c2bf7808d27

Commit Message

Ross Burton Nov. 29, 2021, 3:10 p.m. UTC
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 ...rash-when-ModeChanged-triggered-too-.patch | 41 +++++++++
 ...rash-when-using-CTRL-W-f-without-fin.patch | 92 +++++++++++++++++++
 meta/recipes-support/vim/vim.inc              |  2 +
 3 files changed, 135 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/0001-patch-8.2.3610-crash-when-ModeChanged-triggered-too-.patch
 create mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch

Patch

diff --git a/meta/recipes-support/vim/files/0001-patch-8.2.3610-crash-when-ModeChanged-triggered-too-.patch b/meta/recipes-support/vim/files/0001-patch-8.2.3610-crash-when-ModeChanged-triggered-too-.patch
new file mode 100644
index 0000000000..0f774df251
--- /dev/null
+++ b/meta/recipes-support/vim/files/0001-patch-8.2.3610-crash-when-ModeChanged-triggered-too-.patch
@@ -0,0 +1,41 @@ 
+CVE: CVE-2021-3968
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 54a16b2da3a0f664ca7fd182c16d2c2b8ea8131f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 17 Nov 2021 16:52:40 +0000
+Subject: [PATCH] patch 8.2.3610: crash when ModeChanged triggered too early
+
+Problem:    Crash when ModeChanged triggered too early.
+Solution:   Trigger ModeChanged after setting VIsual.
+---
+ src/normal.c  | 1 +
+ src/version.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/src/normal.c b/src/normal.c
+index d6333b948..7cb959257 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -5675,6 +5675,7 @@ n_start_visual_mode(int c)
+     foldAdjustVisual();
+ #endif
+ 
++    trigger_modechanged();
+     setmouse();
+ #ifdef FEAT_CONCEAL
+     // Check for redraw after changing the state.
+diff --git a/src/version.c b/src/version.c
+index e1bc0d09b..52be3c39d 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    3610,
+ /**/
+     3582,
+ /**/
diff --git a/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch b/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch
new file mode 100644
index 0000000000..0ab472189b
--- /dev/null
+++ b/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch
@@ -0,0 +1,92 @@ 
+CVE: CVE-2021-3973
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From b6154e9f530544ddc3130d981caae0dabc053757 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 17 Nov 2021 18:00:31 +0000
+Subject: [PATCH] patch 8.2.3611: crash when using CTRL-W f without finding a
+ file name  Problem:    Crash when using CTRL-W f without finding
+ a file name. Solution:   Bail out when the file name length is zero.
+
+---
+ src/findfile.c              | 8 ++++++++
+ src/normal.c                | 6 ++++--
+ src/testdir/test_visual.vim | 8 ++++++++
+ src/version.c               | 2 ++
+ 4 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/src/findfile.c b/src/findfile.c
+index dba547da1..5764fd7b8 100644
+--- a/src/findfile.c
++++ b/src/findfile.c
+@@ -1727,6 +1727,9 @@ find_file_in_path_option(
+     proc->pr_WindowPtr = (APTR)-1L;
+ # endif
+ 
++    if (len == 0)
++	return NULL;
++
+     if (first == TRUE)
+     {
+ 	// copy file name into NameBuff, expanding environment variables
+@@ -2094,7 +2097,12 @@ find_file_name_in_path(
+     int		c;
+ # if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+     char_u	*tofree = NULL;
++# endif
+ 
++    if (len == 0)
++	return NULL;
++
++# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+     if ((options & FNAME_INCL) && *curbuf->b_p_inex != NUL)
+     {
+ 	tofree = eval_includeexpr(ptr, len);
+diff --git a/src/normal.c b/src/normal.c
+index 7cb959257..f0084f2ac 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -3778,8 +3778,10 @@ get_visual_text(
+ 	    *pp = ml_get_pos(&VIsual);
+ 	    *lenp = curwin->w_cursor.col - VIsual.col + 1;
+ 	}
+-	if (has_mbyte)
+-	    // Correct the length to include the whole last character.
++	if (**pp == NUL)
++	    *lenp = 0;
++	if (has_mbyte && *lenp > 0)
++	    // Correct the length to include all bytes of the last character.
+ 	    *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
+     }
+     reset_VIsual_and_resel();
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index ae281238e..0705fdb57 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -894,4 +894,12 @@ func Test_block_insert_replace_tabs()
+   bwipe!
+ endfunc
+ 
++func Test_visual_block_ctrl_w_f()
++  " Emtpy block selected in new buffer should not result in an error.
++  au! BufNew foo sil norm f
++  edit foo
++
++  au! BufNew
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 52be3c39d..59a314b3a 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    3611,
+ /**/
+     3610,
+ /**/
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index d0957bfeae..7b2928675d 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -25,6 +25,8 @@  SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch \
            file://0001-patch-8.2.3581-reading-character-past-end-of-line.patch \
            file://0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch \
+           file://0001-patch-8.2.3610-crash-when-ModeChanged-triggered-too-.patch \
+           file://0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch \
            "
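Review bot: The two new SRC_URI entries reuse the `0001-`/`0002-` prefixes that the 8.2.3581/8.2.3582 patches two lines above already carry, so files/ now contains two unrelated `0001-…` and `0002-…` patches; the full names differ, so nothing collides, but the prefix no longer tells a reader the application order. That order is load-bearing here: the 8.2.3611 patch's version.c hunk lists `3610,` as context and will not apply unless the 8.2.3610 patch precedes it, so these two lines must stay in this sequence. If the recipe's convention is per-upload numbering this is fine as is; otherwise continuing the series (for example `0003-`/`0004-`) would make the dependency visible from the file names alone.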
 
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"