Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[AUTO-CHERRYPICK] Patch vim to resolve CVE-2024-43802 - branch 3.0-dev #10772

Merged
merged 1 commit into from
Oct 18, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions SPECS/vim/CVE-2024-43802.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
From: Christian Brabandt <[email protected]>
Date: Sun, 25 Aug 2024 21:33:03 +0200
Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
ins_typebuf

Problem: heap-buffer-overflow in ins_typebuf
(SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
is enough space left

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh

Signed-off-by: Christian Brabandt <[email protected]>

Removed binary test file and test only changes for security fix

---
src/getchar.c | 15 ++++++++++++---
1 files changed, 12 insertions(+), 3 deletions(-)
create mode 100644 src/testdir/crash/heap_overflow3

diff --git a/src/getchar.c b/src/getchar.c
index 29323fa328bd1..96e180f4ae1a9 100644
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)

if (flush_typeahead == FLUSH_MINIMAL)
{
- // remove mapped characters at the start only
- typebuf.tb_off += typebuf.tb_maplen;
- typebuf.tb_len -= typebuf.tb_maplen;
+ // remove mapped characters at the start only,
+ // but only when enough space left in typebuf
+ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+ {
+ typebuf.tb_off = MAXMAPLEN;
+ typebuf.tb_len = 0;
+ }
+ else
+ {
+ typebuf.tb_off += typebuf.tb_maplen;
+ typebuf.tb_len -= typebuf.tb_maplen;
+ }
#if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
if (typebuf.tb_len == 0)
typebuf_was_filled = FALSE;
7 changes: 5 additions & 2 deletions SPECS/vim/vim.spec
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
Summary: Text editor
Name: vim
Version: 9.0.2190
Release: 5%{?dist}
Release: 6%{?dist}
License: Vim
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -14,7 +14,7 @@ Patch0: CVE-2024-41957.patch
Patch1: fix_save_unnamed_buffer_correctly.patch
Patch2: CVE-2024-41965.patch
Patch3: CVE-2024-43374.patch

Patch4: CVE-2024-43802.patch
BuildRequires: ncurses-devel
BuildRequires: python3-devel
Requires(post): sed
Expand Down Expand Up @@ -222,6 +222,9 @@ fi
%{_rpmconfigdir}/macros.d/macros.vim

%changelog
* Tue Oct 08 2024 Sam Meluch <[email protected]> - 9.0.2190-6
- Add patch to resolve CVE-2024-43802

* Tue Aug 20 2024 Brian Fjeldstad <[email protected]> - 9.0.2190-5
- Add patch to resolve CVE-2024-43374

Expand Down
Loading