-
Notifications
You must be signed in to change notification settings - Fork 563
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
105 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,100 @@ | ||
| From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001 | ||
| From: Christian Brabandt <[email protected]> | ||
| Date: Sun, 25 Aug 2024 21:33:03 +0200 | ||
| Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in | ||
| ins_typebuf | ||
|
|
||
| Problem: heap-buffer-overflow in ins_typebuf | ||
| (SuyueGuo) | ||
| Solution: When flushing the typeahead buffer, validate that there | ||
| is enough space left | ||
|
|
||
| Github Advisory: | ||
| https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh | ||
|
|
||
| Signed-off-by: Christian Brabandt <[email protected]> | ||
| --- | ||
| src/getchar.c | 15 ++++++++++++--- | ||
| src/testdir/crash/heap_overflow3 | Bin 0 -> 700 bytes | ||
| src/testdir/test_crash.vim | 7 +++++++ | ||
| src/version.c | 2 ++ | ||
| 4 files changed, 21 insertions(+), 3 deletions(-) | ||
| create mode 100644 src/testdir/crash/heap_overflow3 | ||
|
|
||
| diff --git a/src/getchar.c b/src/getchar.c | ||
| index 29323fa328bd1..96e180f4ae1a9 100644 | ||
| --- a/src/getchar.c | ||
| +++ b/src/getchar.c | ||
| @@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead) | ||
|
|
||
| if (flush_typeahead == FLUSH_MINIMAL) | ||
| { | ||
| - // remove mapped characters at the start only | ||
| - typebuf.tb_off += typebuf.tb_maplen; | ||
| - typebuf.tb_len -= typebuf.tb_maplen; | ||
| + // remove mapped characters at the start only, | ||
| + // but only when enough space left in typebuf | ||
| + if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen) | ||
| + { | ||
| + typebuf.tb_off = MAXMAPLEN; | ||
| + typebuf.tb_len = 0; | ||
| + } | ||
| + else | ||
| + { | ||
| + typebuf.tb_off += typebuf.tb_maplen; | ||
| + typebuf.tb_len -= typebuf.tb_maplen; | ||
| + } | ||
| #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL) | ||
| if (typebuf.tb_len == 0) | ||
| typebuf_was_filled = FALSE; | ||
| diff --git a/src/testdir/crash/heap_overflow3 b/src/testdir/crash/heap_overflow3 | ||
| new file mode 100644 | ||
| index 0000000000000000000000000000000000000000..c40adbec4d07a66bcc9aa51e40dbbb90fdc36623 | ||
| GIT binary patch | ||
| literal 700 | ||
| zcmZ{hO=}ZD7{@174?bQz$Wq8<gm_8Fn-(=~NE8jF#rP5`N;9UN%}kmlo7uWE2{zd^ | ||
| zff_tk=uM~;^wx{Vo&-OEpoiZ2B_zkX&ZaLY;*WWGn0aRY&-}-{?D=qG`hmkNksw|* | ||
| zo6Nm9A6dQ)!g1TQHp`m6VcZOiXfA3P#3QVqt#gh|f@dy8^g@5Xe?mY&QGZPzgg5Xb | ||
| z2Gq^VhGp}DcP+f@G_9XqoMn!0M61_t&CSf^a<2_dbQlCd*<s3h>~blwYI0mDEj_I~ | ||
| z#4Wyom4oY!P?qTMHvg-P`?`z?XefMGSG^v1AIK`kUr&%+VYMPErTK+N)J-JP>G^aT | ||
| zAZ{Y$4E~`YaRD~2pecm*%CU(Fe%tiJC@&{d=*n|%Iir2jcC<KOZ&P81)@3ZyrlPf| | ||
| z-rvC(5yW4~RVo!p3{gu>0(~G8oP(})q<t(%fMYq2S#KMmu*9j9S<RRv>g5n(t`-d4 | ||
| zkb2NTN-_lOVrS`Y1Znh89(*pxrqJZ4dI$ffVRxx=12p{UwvU2fK<ye%2BS!gAO--> | ||
| zL=pVy065g2)SJ{@p<Qa(4NlgMnYelqpH0Gzn*^kz+u^_?o?s=`*98}gMH4{MU-vEm | ||
| zjI>g|BdnJlURZ#nqNaXvTnpKCo#R~9`EqA#^V7G{Xf)9MjP&=9<L#XY+J3jSIs9|= | ||
| PaCh&^{;u8|j}LwWP8A7n | ||
|
|
||
| literal 0 | ||
| HcmV?d00001 | ||
|
|
||
| diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim | ||
| index f1843c426611d..5ec103f6dba26 100644 | ||
| --- a/src/testdir/test_crash.vim | ||
| +++ b/src/testdir/test_crash.vim | ||
| @@ -216,6 +216,13 @@ func Test_crash1_3() | ||
| call term_sendkeys(buf, args) | ||
| call TermWait(buf, 50) | ||
|
|
||
| + let file = 'crash/heap_overflow3' | ||
| + let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'" | ||
| + let args = printf(cmn_args, vim, file) | ||
| + call term_sendkeys(buf, args) | ||
| + call TermWait(buf, 150) | ||
| + | ||
| + | ||
| " clean up | ||
| exe buf .. "bw!" | ||
| bw! | ||
| diff --git a/src/version.c b/src/version.c | ||
| index b07964e2d7d6c..7f88c8c6836bf 100644 | ||
| --- a/src/version.c | ||
| +++ b/src/version.c | ||
| @@ -704,6 +704,8 @@ static char *(features[]) = | ||
|
|
||
| static int included_patches[] = | ||
| { /* Add new patch number below this line */ | ||
| +/**/ | ||
| + 697, | ||
| /**/ | ||
| 696, | ||
| /**/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,7 @@ | |
| Summary: Text editor | ||
| Name: vim | ||
| Version: 9.0.2190 | ||
| Release: 5%{?dist} | ||
| Release: 6%{?dist} | ||
| License: Vim | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux | ||
|
|
@@ -14,7 +14,7 @@ Patch0: CVE-2024-41957.patch | |
| Patch1: fix_save_unnamed_buffer_correctly.patch | ||
| Patch2: CVE-2024-41965.patch | ||
| Patch3: CVE-2024-43374.patch | ||
|
|
||
| Patch4: CVE-2024-43802.patch | ||
| BuildRequires: ncurses-devel | ||
| BuildRequires: python3-devel | ||
| Requires(post): sed | ||
|
|
@@ -222,6 +222,9 @@ fi | |
| %{_rpmconfigdir}/macros.d/macros.vim | ||
|
|
||
| %changelog | ||
| * Tue Oct 08 2024 Sam Meluch <[email protected]> - 9.0.2190-6 | ||
| - Add patch to resolve CVE-2024-43802 | ||
|
|
||
| * Tue Aug 20 2024 Brian Fjeldstad <[email protected]> - 9.0.2190-5 | ||
| - Add patch to resolve CVE-2024-43374 | ||
|
|
||
|
|
||