
[dunfell] vim: Fix CVE-2023-2609 and CVE-2023-2610

Message ID 20230710191545.28789-1-asharma@mvista.com


Ashish Sharma July 10, 2023, 7:15 p.m. UTC
Import patches from Ubuntu to fix
 CVE-2023-2609
 CVE-2023-2610

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338
Upstream commit
https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches/CVE-2023-2609.patch?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338
&
https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches/CVE-2023-2610.patch?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338]

Signed-off-by: Ashish Sharma <asharma@mvista.com>
---
 .../vim/files/CVE-2023-2609.patch             |  59 ++++++++++
 .../vim/files/CVE-2023-2610.patch             | 106 ++++++++++++++++++
 meta/recipes-support/vim/vim.inc              |   2 +
 3 files changed, 167 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2023-2609.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2023-2610.patch

diff --git a/meta/recipes-support/vim/files/CVE-2023-2609.patch b/meta/recipes-support/vim/files/CVE-2023-2609.patch
new file mode 100644
index 0000000000..c60d5efa25
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2023-2609.patch
@@ -0,0 +1,59 @@ 
+From d1ae8366aff286d41e7f5bc513cc0a1af5130aad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 9 May 2023 17:09:30 +0100
+Subject: [PATCH] patch 9.0.1531: crash when register contents ends up being
+ invalid
+
+Problem:    Crash when register contents ends up being invalid.
+Solution:   Check "y_array" is not NULL.
+
++Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338
++Upstream commit https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches/CVE-2023-2609.patch?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338]
++CVE: CVE-2023-2609
++Signed-off-by:  Ashish Sharma <asharma@mvista.com>
+---
+ src/register.c                 |  2 +-
+ src/testdir/test_registers.vim | 17 +++++++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index f3df79cfd642..e481d843c249 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -301,7 +301,7 @@ get_register(
+     if (copy)
+     {
+ 	// If we run out of memory some or all of the lines are empty.
+-	if (reg->y_size == 0)
++	if (reg->y_size == 0 || y_current->y_array == NULL)
+ 	    reg->y_array = NULL;
+ 	else
+ 	    reg->y_array = ALLOC_MULT(char_u *, reg->y_size);
+diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
+index e966932478d8..33ea0f4bd3e6 100644
+--- a/src/testdir/test_registers.vim
++++ b/src/testdir/test_registers.vim
+@@ -835,6 +835,23 @@ func Test_end_reg_executing()
+   bwipe!
+ endfunc
+ 
++" This was causing a crash because y_append was ending up being NULL
++func Test_zero_y_append()
++  " Run in a separate Vim instance because changing 'encoding' may cause
++  " trouble for later tests.
++  let lines =<< trim END
++      d
++      silent ?n
++      next <sfile>
++      so
++      sil! norm 0V€PSP
++      set enc=latin1
++       
++  END
++  call writefile(lines, 'XTest_zero_y_append', 'D')
++  call RunVim([], [], '-u NONE -i NONE -e -s -S XTest_zero_y_append -c qa\!')
++endfunc
++
+ " Make sure that y_append is correctly reset
+ " and the previous register is working as expected
+ func Test_register_y_append_reset()
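Review bot: The `+Upstream-Status: Backport [import from ubuntu …]` line at the top of the new patch file cites the Ubuntu packaging tree rather than the upstream vim commit, even though the From line of the same header already names that commit (d1ae8366aff286d41e7f5bc513cc0a1af5130aad, vim patch 9.0.1531). The OE convention for a Backport is to point at the upstream commit so the status can be checked against the project's own history; proposed: `Upstream-Status: Backport [https://github.com/vim/vim/commit/d1ae8366aff286d41e7f5bc513cc0a1af5130aad]`, keeping the Ubuntu link as a secondary note if wanted. The same applies to the CVE-2023-2610.patch header below, whose From line names ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a. The `+Signed-off-by:  Ashish Sharma` trailer also carries a doubled space after the colon.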
diff --git a/meta/recipes-support/vim/files/CVE-2023-2610.patch b/meta/recipes-support/vim/files/CVE-2023-2610.patch
new file mode 100644
index 0000000000..99fd58cd4f
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2023-2610.patch
@@ -0,0 +1,106 @@ 
+From ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 9 May 2023 21:15:30 +0100
+Subject: [PATCH] patch 9.0.1532: crash when expanding "~" in substitute causes
+ very long text
+
+Problem:    Crash when expanding "~" in substitute causes very long text.
+Solution:   Limit the text length to MAXCOL.
+---
++Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338
++Upstream commit https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches/CVE-2023-2610.patch?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338]
++CVE: CVE-2023-2610
++Signed-off-by:  Ashish Sharma <asharma@mvista.com>
+
+ src/regexp.c                    | 30 +++++++++++++++++++-----------
+ src/testdir/test_substitute.vim | 14 ++++++++++++++
+ 2 files changed, 35 insertions(+), 11 deletions(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 33b36d11a8be..0e6c746df819 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -1767,10 +1767,7 @@ do_Lower(int *d, int c)
+ regtilde(char_u *source, int magic)
+ {
+     char_u	*newsub = source;
+-    char_u	*tmpsub;
+     char_u	*p;
+-    int		len;
+-    int		prevlen;
+ 
+     for (p = newsub; *p; ++p)
+     {
+@@ -1779,24 +1776,35 @@ regtilde(char_u *source, int magic)
+ 	    if (reg_prev_sub != NULL)
+ 	    {
+ 		// length = len(newsub) - 1 + len(prev_sub) + 1
+-		prevlen = (int)STRLEN(reg_prev_sub);
+-		tmpsub = alloc(STRLEN(newsub) + prevlen);
++		// Avoid making the text longer than MAXCOL, it will cause
++		// trouble at some point.
++		size_t	prevsublen = STRLEN(reg_prev_sub);
++		size_t  newsublen = STRLEN(newsub);
++		if (prevsublen > MAXCOL || newsublen > MAXCOL
++					    || newsublen + prevsublen > MAXCOL)
++		{
++		    emsg(_(e_resulting_text_too_long));
++		    break;
++		}
++
++		char_u *tmpsub = alloc(newsublen + prevsublen);
+ 		if (tmpsub != NULL)
+ 		{
+ 		    // copy prefix
+-		    len = (int)(p - newsub);	// not including ~
+-		    mch_memmove(tmpsub, newsub, (size_t)len);
++		    size_t prefixlen = p - newsub;	// not including ~
++		    mch_memmove(tmpsub, newsub, prefixlen);
+ 		    // interpret tilde
+-		    mch_memmove(tmpsub + len, reg_prev_sub, (size_t)prevlen);
++		    mch_memmove(tmpsub + prefixlen, reg_prev_sub,
++							       prevsublen);
+ 		    // copy postfix
+ 		    if (!magic)
+ 			++p;			// back off backslash
+-		    STRCPY(tmpsub + len + prevlen, p + 1);
++		    STRCPY(tmpsub + prefixlen + prevsublen, p + 1);
+ 
+-		    if (newsub != source)	// already allocated newsub
++		    if (newsub != source)	// allocated newsub before
+ 			vim_free(newsub);
+ 		    newsub = tmpsub;
+-		    p = newsub + len + prevlen;
++		    p = newsub + prefixlen + prevsublen;
+ 		}
+ 	    }
+ 	    else if (magic)
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 7491b6163dc8..32e2f2785479 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -1414,6 +1414,24 @@ func Test_substitute_short_cmd()
+   bw!
+ endfunc
+ 
++" Check handling expanding "~" resulting in extremely long text.
++func Test_substitute_tilde_too_long()
++  if v:sizeoflong < 8
++    throw 'Skipped: only works with 64 bit long ints'
++  endif
++
++  enew!
++
++  s/.*/ixxx
++  s//~~~~~~~~~AAAAAAA@(
++
++  " Either fails with "out of memory" or "text too long".
++  " This can take a long time.
++  call assert_fails('sil! norm &&&&&&&&&', ['E1240:\|E342:'])
++
++  bwipe!
++endfunc
++
+ " This should be done last to reveal a memory leak when vim_regsub_both() is
+ " called to evaluate an expression but it is not used in a second call.
+ func Test_z_substitute_expr_leak()
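Review bot: In this patch file the `+Upstream-Status:`, `+CVE:` and `+Signed-off-by:` lines are placed after the `---` separator (just before the diffstat), whereas in CVE-2023-2609.patch the same block sits above `---`. Tools that treat the header as a format-patch mail, such as `git am`, discard everything after `---`, so the backport metadata would be lost from the resulting commit message. Moving the four lines above the `---` line makes the two patch files consistent; cve-check most likely still finds the `CVE:` tag in the file text as is, but that is incidental to the placement.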
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 309c91848d..59f3183f3e 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -18,6 +18,8 @@  SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://vim-add-knob-whether-elf.h-are-checked.patch \
            file://0001-src-Makefile-improve-reproducibility.patch \
            file://no-path-adjust.patch \
+	   file://CVE-2023-2609..patch \
+	   file://CVE-2023-2610..patch \
            "
 
 PV .= ".1527"