Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch vim to resolve CVE-2024-43802 #10681

Merged
merged 3 commits into from
Oct 17, 2024
Merged

Patch vim to resolve CVE-2024-43802 #10681

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f7227e5
Patch vim to resolve CVE-2024-43802
sameluch Oct 8, 2024
a1da7d1
remove binary changes in test data from CVE patch
sameluch Oct 11, 2024
5588fb5
Merge branch 'fasttrack/3.0' into sammeluch/CVE-2024-43802
jslobodzian Oct 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions SPECS/vim/CVE-2024-43802.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
From: Christian Brabandt <[email protected]>
Date: Sun, 25 Aug 2024 21:33:03 +0200
Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
ins_typebuf

Problem: heap-buffer-overflow in ins_typebuf
(SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
is enough space left

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh

Signed-off-by: Christian Brabandt <[email protected]>

Removed binary test file and test only changes for security fix

---
src/getchar.c | 15 ++++++++++++---
1 files changed, 12 insertions(+), 3 deletions(-)
create mode 100644 src/testdir/crash/heap_overflow3

diff --git a/src/getchar.c b/src/getchar.c
index 29323fa328bd1..96e180f4ae1a9 100644
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)

if (flush_typeahead == FLUSH_MINIMAL)
{
- // remove mapped characters at the start only
- typebuf.tb_off += typebuf.tb_maplen;
- typebuf.tb_len -= typebuf.tb_maplen;
+ // remove mapped characters at the start only,
+ // but only when enough space left in typebuf
+ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+ {
+ typebuf.tb_off = MAXMAPLEN;
+ typebuf.tb_len = 0;
+ }
+ else
+ {
+ typebuf.tb_off += typebuf.tb_maplen;
+ typebuf.tb_len -= typebuf.tb_maplen;
+ }
#if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
if (typebuf.tb_len == 0)
typebuf_was_filled = FALSE;
7 changes: 5 additions & 2 deletions SPECS/vim/vim.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
Summary: Text editor
Name: vim
Version: 9.0.2190
Release: 5%{?dist}
Release: 6%{?dist}
License: Vim
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -14,7 +14,7 @@ Patch0: CVE-2024-41957.patch
Patch1: fix_save_unnamed_buffer_correctly.patch
Patch2: CVE-2024-41965.patch
Patch3: CVE-2024-43374.patch

Patch4: CVE-2024-43802.patch
BuildRequires: ncurses-devel
BuildRequires: python3-devel
Requires(post): sed
Expand Down Expand Up @@ -222,6 +222,9 @@ fi
%{_rpmconfigdir}/macros.d/macros.vim

%changelog
* Tue Oct 08 2024 Sam Meluch <[email protected]> - 9.0.2190-6
- Add patch to resolve CVE-2024-43802

* Tue Aug 20 2024 Brian Fjeldstad <[email protected]> - 9.0.2190-5
- Add patch to resolve CVE-2024-43374

Expand Down
Loading