Patch vim to resolve CVE-2024-43802 #10681

Merged
merged 3 commits into from
Oct 17, 2024
100 changes: 100 additions & 0 deletions SPECS/vim/CVE-2024-43802.patch
@@ -0,0 +1,100 @@
From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
From: Christian Brabandt <[email protected]>
Date: Sun, 25 Aug 2024 21:33:03 +0200
Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
ins_typebuf

Problem: heap-buffer-overflow in ins_typebuf
(SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
is enough space left

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh

Signed-off-by: Christian Brabandt <[email protected]>
---
src/getchar.c | 15 ++++++++++++---
src/testdir/crash/heap_overflow3 | Bin 0 -> 700 bytes
src/testdir/test_crash.vim | 7 +++++++
src/version.c | 2 ++
4 files changed, 21 insertions(+), 3 deletions(-)
create mode 100644 src/testdir/crash/heap_overflow3

diff --git a/src/getchar.c b/src/getchar.c
index 29323fa328bd1..96e180f4ae1a9 100644
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)

if (flush_typeahead == FLUSH_MINIMAL)
{
- // remove mapped characters at the start only
- typebuf.tb_off += typebuf.tb_maplen;
- typebuf.tb_len -= typebuf.tb_maplen;
+ // remove mapped characters at the start only,
+ // but only when enough space left in typebuf
+ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+ {
+ typebuf.tb_off = MAXMAPLEN;
+ typebuf.tb_len = 0;
+ }
+ else
+ {
+ typebuf.tb_off += typebuf.tb_maplen;
+ typebuf.tb_len -= typebuf.tb_maplen;
+ }
#if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
if (typebuf.tb_len == 0)
typebuf_was_filled = FALSE;
diff --git a/src/testdir/crash/heap_overflow3 b/src/testdir/crash/heap_overflow3
new file mode 100644
index 0000000000000000000000000000000000000000..c40adbec4d07a66bcc9aa51e40dbbb90fdc36623
GIT binary patch
literal 700
zcmZ{hO=}ZD7{@174?bQz$Wq8<gm_8Fn-(=~NE8jF#rP5`N;9UN%}kmlo7uWE2{zd^
zff_tk=uM~;^wx{Vo&-OEpoiZ2B_zkX&ZaLY;*WWGn0aRY&-}-{?D=qG`hmkNksw|*
zo6Nm9A6dQ)!g1TQHp`m6VcZOiXfA3P#3QVqt#gh|f@dy8^g@5Xe?mY&QGZPzgg5Xb
z2Gq^VhGp}DcP+f@G_9XqoMn!0M61_t&CSf^a<2_dbQlCd*<s3h>~blwYI0mDEj_I~
z#4Wyom4oY!P?qTMHvg-P`?`z?XefMGSG^v1AIK`kUr&%+VYMPErTK+N)J-JP>G^aT
zAZ{Y$4E~`YaRD~2pecm*%CU(Fe%tiJC@&{d=*n|%Iir2jcC<KOZ&P81)@3ZyrlPf|
z-rvC(5yW4~RVo!p3{gu>0(~G8oP(})q<t(%fMYq2S#KMmu*9j9S<RRv>g5n(t`-d4
zkb2NTN-_lOVrS`Y1Znh89(*pxrqJZ4dI$ffVRxx=12p{UwvU2fK<ye%2BS!gAO-->
zL=pVy065g2)SJ{@p<Qa(4NlgMnYelqpH0Gzn*^kz+u^_?o?s=`*98}gMH4{MU-vEm
zjI>g|BdnJlURZ#nqNaXvTnpKCo#R~9`EqA#^V7G{Xf)9MjP&=9<L#XY+J3jSIs9|=
PaCh&^{;u8|j}LwWP8A7n

literal 0
HcmV?d00001

diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index f1843c426611d..5ec103f6dba26 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -216,6 +216,13 @@ func Test_crash1_3()
call term_sendkeys(buf, args)
call TermWait(buf, 50)

+ let file = 'crash/heap_overflow3'
+ let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args)
+ call TermWait(buf, 150)
+
+
" clean up
exe buf .. "bw!"
bw!
diff --git a/src/version.c b/src/version.c
index b07964e2d7d6c..7f88c8c6836bf 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 697,
/**/
696,
/**/
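Review bot: The vendored patch still carries the `GIT binary patch` section for `src/testdir/crash/heap_overflow3` and the `src/version.c` hunk, and neither is likely to apply to the 9.0.2190 tree this spec builds: GNU patch, as driven by `%autosetup`/`%patch`, does not understand git binary deltas, and the version.c context (`697,` inserted directly above `696,` under the "Add new patch number" marker) comes from the 9.1.x numbering rather than a tree whose list presumably starts at 2190. The `%prep` section is not in this diff, so how the file is applied is inferred; with plain patch at rpm's default fuzz 0 the version.c hunk would be rejected and the build would fail, and even if the binary section is merely skipped, the added `test_crash.vim` lines reference a fixture that was never written. I would trim the file to the upstream header and the `src/getchar.c` hunk, which is the actual fix (the bounds check `if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)` before the offset is advanced), dropping the test, fixture and version.c hunks, or carry the fixture as a separate `Source` entry if the crash test is run in `%check`.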
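--- a/SPECS/vim/vim.spec
+++ b/SPECS/vim/vim.spec
@@ -2,7 +2,7 @@
 Summary: Text editor
 Name: vim
 Version: 9.0.2190
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: Vim
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -14,7 +14,7 @@ Patch0: CVE-2024-41957.patch
 Patch1: fix_save_unnamed_buffer_correctly.patch
 Patch2: CVE-2024-41965.patch
 Patch3: CVE-2024-43374.patch
-
+Patch4: CVE-2024-43802.patch
 BuildRequires: ncurses-devel
 BuildRequires: python3-devel
 Requires(post): sed
@@ -222,6 +222,9 @@ fi
 %{_rpmconfigdir}/macros.d/macros.vim
 
 %changelog
+* Tue Oct 08 2024 Sam Meluch <[email protected]> - 9.0.2190-6
+- Add patch to resolve CVE-2024-43802
+
 * Tue Aug 20 2024 Brian Fjeldstad <[email protected]> - 9.0.2190-5
 - Add patch to resolve CVE-2024-43374
 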
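Review bot: Registering `Patch4: CVE-2024-43802.patch` only takes effect if `%prep` applies numbered patches automatically; the `%prep` section is outside this diff, so if it uses explicit `%patch` lines rather than `%autosetup`, a matching line for patch 4 in the same form as the existing ones is needed too, otherwise the Release bump and the changelog entry claim a fix that is not in the built binary. Worth confirming against `%prep` before merge, since the three earlier CVE patches in this block would show which convention the spec follows.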