diff --git a/SPECS/vim/CVE-2024-22667.patch b/SPECS/vim/CVE-2024-22667.patch
deleted file mode 100644
index b6fb074f910..00000000000
--- a/SPECS/vim/CVE-2024-22667.patch
+++ /dev/null
@@ -1,400 +0,0 @@ -From c1c94475a13790d420c03d67d336dfb171ab3aec Mon Sep 17 00:00:00 2001 -From: Christian Brabandt -Date: Wed, 29 Nov 2023 11:34:05 +0100 -Subject: [PATCH] patch 9.0.2142: [security]: stack-buffer-overflow in option - callback functions - -Problem: [security]: stack-buffer-overflow in option callback functions -Solution: pass size of errbuf down the call stack, use snprintf() - instead of sprintf() - -We pass the error buffer down to the option callback functions, but in -some parts of the code, we simply use sprintf(buf) to write into the error -buffer, which can overflow. - -So let's pass down the length of the error buffer and use sprintf(buf, size) -instead. - -Reported by @henices, thanks! - -Signed-off-by: Christian Brabandt ---- - src/map.c | 2 +- - src/option.c | 14 +++++---- - src/option.h | 2 ++ - src/optionstr.c | 59 ++++++++++++++++++++++++-------------- - src/proto/optionstr.pro | 4 +-- - src/structs.h | 2 ++ - src/testdir/test_crash.vim | 8 ++++++ - 7 files changed, 60 insertions(+), 31 deletions(-) - -diff --git a/src/map.c b/src/map.c -index 5988445..98785e7 100644 ---- a/src/map.c -+++ b/src/map.c -@@ -3114,7 +3114,7 @@ did_set_langmap(optset_T *args UNUSED) - { - if (p[0] != ',') - { -- sprintf(args->os_errbuf, -+ snprintf(args->os_errbuf, args->os_errbuflen, - _(e_langmap_extra_characters_after_semicolon_str), - p); - return args->os_errbuf; -diff --git a/src/option.c b/src/option.c -index d5d20d7..5727885 100644 ---- a/src/option.c -+++ b/src/option.c -@@ -1932,6 +1932,7 @@ do_set_option_string( - int cp_val, - char_u *varp_arg, - char *errbuf, -+ int errbuflen, - int *value_checked, - char **errmsg) - { -@@ -2030,7 +2031,7 @@ do_set_option_string( - // be triggered that can cause havoc. 
- *errmsg = did_set_string_option( - opt_idx, (char_u **)varp, oldval, newval, errbuf, -- opt_flags, op, value_checked); -+ errbuflen, opt_flags, op, value_checked); - - secure = secure_saved; - } -@@ -2287,7 +2288,7 @@ do_set_option_value( - { - // string option - if (do_set_option_string(opt_idx, opt_flags, &arg, nextchar, op, -- flags, cp_val, varp, errbuf, -+ flags, cp_val, varp, errbuf, errbuflen, - &value_checked, &errmsg) == FAIL) - { - if (errmsg != NULL) -@@ -2579,12 +2580,12 @@ do_set( - { - int stopopteval = FALSE; - char *errmsg = NULL; -- char errbuf[80]; -+ char errbuf[ERR_BUFLEN]; - char_u *startarg = arg; - - errmsg = do_set_option(opt_flags, &arg, arg_start, &startarg, - &did_show, &stopopteval, errbuf, -- sizeof(errbuf)); -+ ERR_BUFLEN); - if (stopopteval) - break; - -@@ -5347,7 +5348,8 @@ set_option_value( - int opt_idx; - char_u *varp; - long_u flags; -- static char errbuf[80]; -+ static char errbuf[ERR_BUFLEN]; -+ int errbuflen = ERR_BUFLEN; - - opt_idx = findoption(name); - if (opt_idx < 0) -@@ -5390,7 +5392,7 @@ set_option_value( - } - #endif - if (flags & P_STRING) -- return set_string_option(opt_idx, string, opt_flags, errbuf); -+ return set_string_option(opt_idx, string, opt_flags, errbuf, errbuflen); - - varp = get_varp_scope(&(options[opt_idx]), opt_flags); - if (varp != NULL) // hidden option is not changed -diff --git a/src/option.h b/src/option.h -index 396c568..f620e13 100644 ---- a/src/option.h -+++ b/src/option.h -@@ -1321,4 +1321,6 @@ enum - // Value for b_p_ul indicating the global value must be used. 
- #define NO_LOCAL_UNDOLEVEL (-123456) - -+#define ERR_BUFLEN 80 -+ - #endif // _OPTION_H_ -diff --git a/src/optionstr.c b/src/optionstr.c -index b7cdcc4..84c77cb 100644 ---- a/src/optionstr.c -+++ b/src/optionstr.c -@@ -229,11 +229,12 @@ trigger_optionset_string( - #endif - - static char * --illegal_char(char *errbuf, int c) -+illegal_char(char *errbuf, int errbuflen, int c) - { - if (errbuf == NULL) - return ""; -- sprintf((char *)errbuf, _(e_illegal_character_str), (char *)transchar(c)); -+ snprintf((char *)errbuf, errbuflen, _(e_illegal_character_str), -+ (char *)transchar(c)); - return errbuf; - } - -@@ -525,7 +526,8 @@ set_string_option( - int opt_idx, - char_u *value, - int opt_flags, // OPT_LOCAL and/or OPT_GLOBAL -- char *errbuf) -+ char *errbuf, -+ int errbuflen) - { - char_u *s; - char_u **varp; -@@ -579,7 +581,7 @@ set_string_option( - } - #endif - if ((errmsg = did_set_string_option(opt_idx, varp, oldval, value, errbuf, -- opt_flags, OP_NONE, &value_checked)) == NULL) -+ errbuflen, opt_flags, OP_NONE, &value_checked)) == NULL) - did_set_option(opt_idx, opt_flags, TRUE, value_checked); - - #if defined(FEAT_EVAL) -@@ -615,7 +617,8 @@ valid_filetype(char_u *val) - check_stl_option(char_u *s) - { - int groupdepth = 0; -- static char errbuf[80]; -+ static char errbuf[ERR_BUFLEN]; -+ int errbuflen = ERR_BUFLEN; - - while (*s) - { -@@ -656,7 +659,7 @@ check_stl_option(char_u *s) - } - if (vim_strchr(STL_ALL, *s) == NULL) - { -- return illegal_char(errbuf, *s); -+ return illegal_char(errbuf, errbuflen, *s); - } - if (*s == '{') - { -@@ -664,7 +667,7 @@ check_stl_option(char_u *s) - - if (reevaluate && *++s == '}') - // "}" is not allowed immediately after "%{%" -- return illegal_char(errbuf, '}'); -+ return illegal_char(errbuf, errbuflen, '}'); - while ((*s != '}' || (reevaluate && s[-1] != '%')) && *s) - s++; - if (*s != '}') -@@ -719,13 +722,17 @@ did_set_opt_strings(char_u *val, char **values, int list) - * An option which is a list of flags is set. 
Valid values are in 'flags'. - */ - static char * --did_set_option_listflag(char_u *val, char_u *flags, char *errbuf) -+did_set_option_listflag( -+ char_u *val, -+ char_u *flags, -+ char *errbuf, -+ int errbuflen) - { - char_u *s; - - for (s = val; *s; ++s) - if (vim_strchr(flags, *s) == NULL) -- return illegal_char(errbuf, *s); -+ return illegal_char(errbuf, errbuflen, *s); - - return NULL; - } -@@ -1461,7 +1468,7 @@ did_set_comments(optset_T *args) - if (vim_strchr((char_u *)COM_ALL, *s) == NULL - && !VIM_ISDIGIT(*s) && *s != '-') - { -- errmsg = illegal_char(args->os_errbuf, *s); -+ errmsg = illegal_char(args->os_errbuf, args->os_errbuflen, *s); - break; - } - ++s; -@@ -1517,7 +1524,7 @@ did_set_complete(optset_T *args) - if (!*s) - break; - if (vim_strchr((char_u *)".wbuksid]tU", *s) == NULL) -- return illegal_char(args->os_errbuf, *s); -+ return illegal_char(args->os_errbuf, args->os_errbuflen, *s); - if (*++s != NUL && *s != ',' && *s != ' ') - { - if (s[-1] == 'k' || s[-1] == 's') -@@ -1534,7 +1541,7 @@ did_set_complete(optset_T *args) - { - if (args->os_errbuf != NULL) - { -- sprintf((char *)args->os_errbuf, -+ snprintf((char *)args->os_errbuf, args->os_errbuflen, - _(e_illegal_character_after_chr), *--s); - return args->os_errbuf; - } -@@ -1634,7 +1641,8 @@ did_set_concealcursor(optset_T *args) - { - char_u **varp = (char_u **)args->os_varp; - -- return did_set_option_listflag(*varp, (char_u *)COCU_ALL, args->os_errbuf); -+ return did_set_option_listflag(*varp, (char_u *)COCU_ALL, args->os_errbuf, -+ args->os_errbuflen); - } - - int -@@ -1652,7 +1660,8 @@ did_set_cpoptions(optset_T *args) - { - char_u **varp = (char_u **)args->os_varp; - -- return did_set_option_listflag(*varp, (char_u *)CPO_ALL, args->os_errbuf); -+ return did_set_option_listflag(*varp, (char_u *)CPO_ALL, args->os_errbuf, -+ args->os_errbuflen); - } - - int -@@ -2281,7 +2290,8 @@ did_set_formatoptions(optset_T *args) - { - char_u **varp = (char_u **)args->os_varp; - -- return 
did_set_option_listflag(*varp, (char_u *)FO_ALL, args->os_errbuf); -+ return did_set_option_listflag(*varp, (char_u *)FO_ALL, args->os_errbuf, -+ args->os_errbuflen); - } - - int -@@ -2422,7 +2432,8 @@ did_set_guioptions(optset_T *args) - char_u **varp = (char_u **)args->os_varp; - char *errmsg; - -- errmsg = did_set_option_listflag(*varp, (char_u *)GO_ALL, args->os_errbuf); -+ errmsg = did_set_option_listflag(*varp, (char_u *)GO_ALL, args->os_errbuf, -+ args->os_errbuflen); - if (errmsg != NULL) - return errmsg; - -@@ -2926,8 +2937,8 @@ did_set_mouse(optset_T *args) - { - char_u **varp = (char_u **)args->os_varp; - -- return did_set_option_listflag(*varp, (char_u *)MOUSE_ALL, -- args->os_errbuf); -+ return did_set_option_listflag(*varp, (char_u *)MOUSE_ALL, args->os_errbuf, -+ args->os_errbuflen); - } - - int -@@ -3364,7 +3375,8 @@ did_set_shortmess(optset_T *args) - { - char_u **varp = (char_u **)args->os_varp; - -- return did_set_option_listflag(*varp, (char_u *)SHM_ALL, args->os_errbuf); -+ return did_set_option_listflag(*varp, (char_u *)SHM_ALL, args->os_errbuf, -+ args->os_errbuflen); - } - - int -@@ -4030,7 +4042,7 @@ did_set_viminfo(optset_T *args) - // Check it's a valid character - if (vim_strchr((char_u *)"!\"%'/:<@cfhnrs", *s) == NULL) - { -- errmsg = illegal_char(args->os_errbuf, *s); -+ errmsg = illegal_char(args->os_errbuf, args->os_errbuflen, *s); - break; - } - if (*s == 'n') // name is always last one -@@ -4057,7 +4069,7 @@ did_set_viminfo(optset_T *args) - { - if (args->os_errbuf != NULL) - { -- sprintf(args->os_errbuf, -+ snprintf(args->os_errbuf, args->os_errbuflen, - _(e_missing_number_after_angle_str_angle), - transchar_byte(*(s - 1))); - errmsg = args->os_errbuf; -@@ -4140,7 +4152,8 @@ did_set_whichwrap(optset_T *args) - - // Add ',' to the list flags because 'whichwrap' is a flag - // list that is comma-separated. 
-- return did_set_option_listflag(*varp, (char_u *)(WW_ALL ","), args->os_errbuf); -+ return did_set_option_listflag(*varp, (char_u *)(WW_ALL ","), -+ args->os_errbuf, args->os_errbuflen); - } - - int -@@ -4341,6 +4354,7 @@ did_set_string_option( - char_u *oldval, // previous value of the option - char_u *value, // new value of the option - char *errbuf, // buffer for errors, or NULL -+ int errbuflen, // length of error buffer - int opt_flags, // OPT_LOCAL and/or OPT_GLOBAL - set_op_T op, // OP_ADDING/OP_PREPENDING/OP_REMOVING - int *value_checked) // value was checked to be safe, no -@@ -4385,6 +4399,7 @@ did_set_string_option( - args.os_oldval.string = oldval; - args.os_newval.string = value; - args.os_errbuf = errbuf; -+ args.os_errbuflen = errbuflen; - // Invoke the option specific callback function to validate and apply - // the new option value. - errmsg = did_set_cb(&args); -diff --git a/src/proto/optionstr.pro b/src/proto/optionstr.pro -index 22601ba..4ce9321 100644 ---- a/src/proto/optionstr.pro -+++ b/src/proto/optionstr.pro -@@ -8,7 +8,7 @@ void check_string_option(char_u **pp); - void set_string_option_direct(char_u *name, int opt_idx, char_u *val, int opt_flags, int set_sid); - void set_string_option_direct_in_win(win_T *wp, char_u *name, int opt_idx, char_u *val, int opt_flags, int set_sid); - void set_string_option_direct_in_buf(buf_T *buf, char_u *name, int opt_idx, char_u *val, int opt_flags, int set_sid); --char *set_string_option(int opt_idx, char_u *value, int opt_flags, char *errbuf); -+char *set_string_option(int opt_idx, char_u *value, int opt_flags, char *errbuf, int errbuflen); - char *did_set_ambiwidth(optset_T *args); - char *did_set_background(optset_T *args); - char *did_set_backspace(optset_T *args); -@@ -121,7 +121,7 @@ char *did_set_wildmode(optset_T *args); - char *did_set_wildoptions(optset_T *args); - char *did_set_winaltkeys(optset_T *args); - char *did_set_wincolor(optset_T *args); --char *did_set_string_option(int opt_idx, 
char_u **varp, char_u *oldval, char_u *value, char *errbuf, int opt_flags, set_op_T op, int *value_checked); -+char *did_set_string_option(int opt_idx, char_u **varp, char_u *oldval, char_u *value, char *errbuf, int errbuflen, int opt_flags, set_op_T op, int *value_checked); - int expand_set_ambiwidth(optexpand_T *args, int *numMatches, char_u ***matches); - int expand_set_background(optexpand_T *args, int *numMatches, char_u ***matches); - int expand_set_backspace(optexpand_T *args, int *numMatches, char_u ***matches); -diff --git a/src/structs.h b/src/structs.h -index 4e081b8..6d9dcbb 100644 ---- a/src/structs.h -+++ b/src/structs.h -@@ -4968,6 +4968,8 @@ typedef struct - // is parameterized, then the "os_errbuf" buffer is used to store the error - // message (when it is not NULL). - char *os_errbuf; -+ // length of the error buffer -+ int os_errbuflen; - } optset_T; - - /* -diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim -index b093b05..ff0898f 100644 ---- a/src/testdir/test_crash.vim -+++ b/src/testdir/test_crash.vim -@@ -86,6 +86,13 @@ func Test_crash1() - call delete('Xerr') - call delete('@') - -+ let file = 'crash/poc_did_set_langmap' -+ let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'" -+ let args = printf(cmn_args, vim, file) -+ call term_sendkeys(buf, args .. -+ \ ' ; echo "crash 11: [OK]" >> '.. result .. "\") -+ call TermWait(buf, 150) -+ - " clean up - exe buf .. "bw!" - -@@ -102,6 +109,7 @@ func Test_crash1() - \ 'crash 8: [OK]', - \ 'crash 9: [OK]', - \ 'crash 10: [OK]', -+ \ 'crash 11: [OK]', - \ ] - - call assert_equal(expected, getline(1, '$')) --- -2.34.1 - diff --git a/SPECS/vim/CVE-2024-41957.patch b/SPECS/vim/CVE-2024-41957.patch deleted file mode 100644 index 40d9bd2c298..00000000000 --- a/SPECS/vim/CVE-2024-41957.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -Modified patch to apply to older version -Modifed by: sumsharma@microsoft.com - -From 8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5 Mon Sep 17 00:00:00 2001 -From: Christian Brabandt -Date: Thu, 1 Aug 2024 20:16:51 +0200 -Subject: [PATCH] patch 9.1.0647: [security] use-after-free in - tagstack_clear_entry - -Problem: [security] use-after-free in tagstack_clear_entry - (Suyue Guo ) -Solution: Instead of manually calling vim_free() on each of the tagstack - entries, let's use tagstack_clear_entry(), which will - also free the stack, but using the VIM_CLEAR macro, - which prevents a use-after-free by setting those pointers - to NULL - -This addresses CVE-2024-41957 - -Github advisory: -https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4 - -Signed-off-by: Christian Brabandt ---- - src/proto/tag.pro | 1 + - src/tag.c | 4 ++-- - src/window.c | 6 ++---- - 3 files changed, 5 insertions(+), 6 deletions(-) - -diff --git a/src/proto/tag.pro b/src/proto/tag.pro -index 6de463e..eec7c24 100644 ---- a/src/proto/tag.pro -+++ b/src/proto/tag.pro -@@ -14,4 +14,5 @@ int expand_tags(int tagnames, char_u *pat, int *num_file, char_u ***file); - int get_tags(list_T *list, char_u *pat, char_u *buf_fname); - void get_tagstack(win_T *wp, dict_T *retdict); - int set_tagstack(win_T *wp, dict_T *d, int action); -+void tagstack_clear_entry(taggy_T *item); - /* vim: set ft=c : */ -diff --git a/src/tag.c b/src/tag.c -index 8003156..31b89e7 100644 ---- a/src/tag.c -+++ b/src/tag.c -@@ -144,7 +144,7 @@ static void print_tag_list(int new_tag, int use_tagstack, int num_matches, char_ - #if defined(FEAT_QUICKFIX) && defined(FEAT_EVAL) - static int add_llist_tags(char_u *tag, int num_matches, char_u **matches); - #endif --static void tagstack_clear_entry(taggy_T *item); -+void tagstack_clear_entry(taggy_T *item); - - static char_u *tagmatchname = NULL; // name of last used tag - -@@ -4225,7 +4225,7 @@ find_extra(char_u **pp) - /* - * Free a single entry in a tag stack - */ 
-- static void -+void - tagstack_clear_entry(taggy_T *item) - { - VIM_CLEAR(item->tagname); -diff --git a/src/window.c b/src/window.c -index 55ce31c..ffffde8 100644 ---- a/src/window.c -+++ b/src/window.c -@@ -5661,10 +5661,8 @@ win_free( - win_free_lsize(wp); - - for (i = 0; i < wp->w_tagstacklen; ++i) -- { -- vim_free(wp->w_tagstack[i].tagname); -- vim_free(wp->w_tagstack[i].user_data); -- } -+ tagstack_clear_entry(&wp->w_tagstack[i]); -+ - vim_free(wp->w_localdir); - vim_free(wp->w_prevdir); - --- -2.25.1 - diff --git a/SPECS/vim/CVE-2024-41965.patch b/SPECS/vim/CVE-2024-41965.patch deleted file mode 100644 index ed2e0a7b62b..00000000000 --- a/SPECS/vim/CVE-2024-41965.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -Modified patch to apply to older version of vim -Modified by: sumsharma@microsoft.com - -From b29f4abcd4b3382fa746edd1d0562b7b48c9de60 Mon Sep 17 00:00:00 2001 -From: Christian Brabandt -Date: Thu, 1 Aug 2024 22:10:28 +0200 -Subject: [PATCH] patch 9.1.0648: [security] double-free in dialog_changed() - -Problem: [security] double-free in dialog_changed() - (SuyueGuo) -Solution: Only clear pointer b_sfname pointer, if it is different - than the b_ffname pointer. Don't try to free b_fname, - set it to NULL instead. - -fixes: #15403 - -Github Advisory: -https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f - -Signed-off-by: Christian Brabandt ---- ---- - src/ex_cmds2.c | 25 ++++++++++++++++++++++--- - 1 file changed, 22 insertions(+), 3 deletions(-) - -diff --git a/src/ex_cmds2.c b/src/ex_cmds2.c -index 45ccb52..ede403a 100644 ---- a/src/ex_cmds2.c -+++ b/src/ex_cmds2.c -@@ -177,14 +177,33 @@ dialog_changed( - - if (ret == VIM_YES) - { -+ int empty_bufname; -+ - #ifdef FEAT_BROWSE - // May get file name, when there is none - browse_save_fname(buf); - #endif -- if (buf->b_fname != NULL && check_overwrite(&ea, buf, -- buf->b_fname, buf->b_ffname, FALSE) == OK) -+ empty_bufname = buf->b_fname == NULL ? TRUE : FALSE; -+ if (empty_bufname) -+ buf_set_name(buf->b_fnum, (char_u *)"Untitled"); -+ -+ if (check_overwrite(&ea, buf, buf->b_fname, buf->b_ffname, FALSE) == OK) -+ { - // didn't hit Cancel -- (void)buf_write_all(buf, FALSE); -+ if (buf_write_all(buf, FALSE) == OK) -+ return; -+ } -+ -+ // restore to empty when write failed -+ if (empty_bufname) -+ { -+ // prevent double free -+ if (buf->b_sfname != buf->b_ffname) -+ VIM_CLEAR(buf->b_sfname); -+ buf->b_fname = NULL; -+ VIM_CLEAR(buf->b_ffname); -+ unchanged(buf, TRUE, FALSE); -+ } - } - else if (ret == VIM_NO) - { --- -2.25.1 - diff --git a/SPECS/vim/CVE-2024-43374.patch b/SPECS/vim/CVE-2024-43374.patch deleted file mode 100644 index 0687ccf6788..00000000000 
--- a/SPECS/vim/CVE-2024-43374.patch
+++ /dev/null
@@ -1,282 +0,0 @@ -From 0a6e57b09bc8c76691b367a5babfb79b31b770e8 Mon Sep 17 00:00:00 2001 -From: Christian Brabandt -Date: Thu, 15 Aug 2024 22:15:28 +0200 -Subject: [PATCH] patch 9.1.0678: [security]: use-after-free in alist_add() - -Problem: [security]: use-after-free in alist_add() - (SuyueGuo) -Solution: Lock the current window, so that the reference to - the argument list remains valid. - -This fixes CVE-2024-43374 - -Signed-off-by: Christian Brabandt ---- - src/arglist.c | 6 ++++++ - src/buffer.c | 4 ++-- - src/ex_cmds.c | 4 ++-- - src/proto/window.pro | 1 + - src/structs.h | 2 +- - src/terminal.c | 4 ++-- - src/testdir/test_arglist.vim | 23 +++++++++++++++++++++++ - src/version.c | 2 ++ - src/window.c | 29 +++++++++++++++++++---------- - 9 files changed, 58 insertions(+), 17 deletions(-) - -diff --git a/src/arglist.c b/src/arglist.c -index 187e16e8354b1..8825c8e252ccc 100644 ---- a/src/arglist.c -+++ b/src/arglist.c -@@ -184,6 +184,8 @@ alist_set( - /* - * Add file "fname" to argument list "al". - * "fname" must have been allocated and "al" must have been checked for room. -+ * -+ * May trigger Buf* autocommands - */ - void - alist_add( -@@ -196,6 +198,7 @@ alist_add( - if (check_arglist_locked() == FAIL) - return; - arglist_locked = TRUE; -+ curwin->w_locked = TRUE; - - #ifdef BACKSLASH_IN_FILENAME - slash_adjust(fname); -@@ -207,6 +210,7 @@ alist_add( - ++al->al_ga.ga_len; - - arglist_locked = FALSE; -+ curwin->w_locked = FALSE; - } - - #if defined(BACKSLASH_IN_FILENAME) || defined(PROTO) -@@ -365,6 +369,7 @@ alist_add_list( - mch_memmove(&(ARGLIST[after + count]), &(ARGLIST[after]), - (ARGCOUNT - after) * sizeof(aentry_T)); - arglist_locked = TRUE; -+ curwin->w_locked = TRUE; - for (i = 0; i < count; ++i) - { - int flags = BLN_LISTED | (will_edit ? 
BLN_CURBUF : 0); -@@ -373,6 +378,7 @@ alist_add_list( - ARGLIST[after + i].ae_fnum = buflist_add(files[i], flags); - } - arglist_locked = FALSE; -+ curwin->w_locked = FALSE; - ALIST(curwin)->al_ga.ga_len += count; - if (old_argcount > 0 && curwin->w_arg_idx >= after) - curwin->w_arg_idx += count; -diff --git a/src/buffer.c b/src/buffer.c -index 447ce76d49a32..34500e4abc282 100644 ---- a/src/buffer.c -+++ b/src/buffer.c -@@ -1484,7 +1484,7 @@ do_buffer_ext( - // (unless it's the only window). Repeat this so long as we end up in - // a window with this buffer. - while (buf == curbuf -- && !(curwin->w_closing || curwin->w_buffer->b_locked > 0) -+ && !(win_locked(curwin) || curwin->w_buffer->b_locked > 0) - && (!ONE_WINDOW || first_tabpage->tp_next != NULL)) - { - if (win_close(curwin, FALSE) == FAIL) -@@ -5470,7 +5470,7 @@ ex_buffer_all(exarg_T *eap) - : wp->w_width != Columns) - || (had_tab > 0 && wp != firstwin)) - && !ONE_WINDOW -- && !(wp->w_closing || wp->w_buffer->b_locked > 0) -+ && !(win_locked(wp) || wp->w_buffer->b_locked > 0) - && !win_unlisted(wp)) - { - if (win_close(wp, FALSE) == FAIL) -diff --git a/src/ex_cmds.c b/src/ex_cmds.c -index 05778c8fd8b9c..349269a2bb8b6 100644 ---- a/src/ex_cmds.c -+++ b/src/ex_cmds.c -@@ -2840,7 +2840,7 @@ do_ecmd( - - // Set the w_closing flag to avoid that autocommands close the - // window. And set b_locked for the same reason. -- the_curwin->w_closing = TRUE; -+ the_curwin->w_locked = TRUE; - ++buf->b_locked; - - if (curbuf == old_curbuf.br_buf) -@@ -2854,7 +2854,7 @@ do_ecmd( - - // Autocommands may have closed the window. 
- if (win_valid(the_curwin)) -- the_curwin->w_closing = FALSE; -+ the_curwin->w_locked = FALSE; - --buf->b_locked; - - #ifdef FEAT_EVAL -diff --git a/src/proto/window.pro b/src/proto/window.pro -index 26c7040b8a1b4..441070ebfcb8e 100644 ---- a/src/proto/window.pro -+++ b/src/proto/window.pro -@@ -93,3 +93,4 @@ int get_win_number(win_T *wp, win_T *first_win); - int get_tab_number(tabpage_T *tp); - char *check_colorcolumn(win_T *wp); -+int win_locked(win_T *wp); - /* vim: set ft=c : */ -diff --git a/src/structs.h b/src/structs.h -index fe4704a367949..abda3a0c38b4e 100644 ---- a/src/structs.h -+++ b/src/structs.h -@@ -3785,7 +3785,7 @@ struct window_S - synblock_T *w_s; // for :ownsyntax - #endif - -- int w_closing; // window is being closed, don't let -+ int w_locked; // window is being closed, don't let - // autocommands close it too. - - frame_T *w_frame; // frame containing this window -diff --git a/src/terminal.c b/src/terminal.c -index 1fc0ef96881f9..f80196096df49 100644 ---- a/src/terminal.c -+++ b/src/terminal.c -@@ -3680,10 +3680,10 @@ term_after_channel_closed(term_T *term) - if (is_aucmd_win(curwin)) - do_set_w_closing = TRUE; - if (do_set_w_closing) -- curwin->w_closing = TRUE; -+ curwin->w_locked = TRUE; - do_bufdel(DOBUF_WIPE, (char_u *)"", 1, fnum, fnum, FALSE); - if (do_set_w_closing) -- curwin->w_closing = FALSE; -+ curwin->w_locked = FALSE; - aucmd_restbuf(&aco); - } - #ifdef FEAT_PROP_POPUP -diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim -index edc8b77429e20..8d81a828b3e03 100644 ---- a/src/testdir/test_arglist.vim -+++ b/src/testdir/test_arglist.vim -@@ -359,6 +359,7 @@ func Test_argv() - call assert_equal('', argv(1, 100)) - call assert_equal([], argv(-1, 100)) - call assert_equal('', argv(10, -1)) -+ %argdelete - endfunc - - " Test for the :argedit command -@@ -744,4 +745,26 @@ func Test_all_command() - %bw! - endfunc - -+" Test for deleting buffer when creating an arglist. 
This was accessing freed -+" memory -+func Test_crash_arglist_uaf() -+ "%argdelete -+ new one -+ au BufAdd XUAFlocal :bw -+ "call assert_fails(':arglocal XUAFlocal', 'E163:') -+ arglocal XUAFlocal -+ au! BufAdd -+ bw! XUAFlocal -+ -+ au BufAdd XUAFlocal2 :bw -+ new two -+ new three -+ arglocal -+ argadd XUAFlocal2 Xfoobar -+ bw! XUAFlocal2 -+ bw! two -+ -+ au! BufAdd -+endfunc -+ - " vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/window.c b/src/window.c -index 43a15e0561f2c..b2c90c7d64114 100644 ---- a/src/window.c -+++ b/src/window.c -@@ -2511,7 +2511,7 @@ close_windows( - for (wp = firstwin; wp != NULL && !ONE_WINDOW; ) - { - if (wp->w_buffer == buf && (!keep_curwin || wp != curwin) -- && !(wp->w_closing || wp->w_buffer->b_locked > 0)) -+ && !(win_locked(wp) || wp->w_buffer->b_locked > 0)) - { - if (win_close(wp, FALSE) == FAIL) - // If closing the window fails give up, to avoid looping -@@ -2532,7 +2532,7 @@ close_windows( - if (tp != curtab) - FOR_ALL_WINDOWS_IN_TAB(tp, wp) - if (wp->w_buffer == buf -- && !(wp->w_closing || wp->w_buffer->b_locked > 0)) -+ && !(win_locked(wp) || wp->w_buffer->b_locked > 0)) - { - win_close_othertab(wp, FALSE, tp); - -@@ -2654,10 +2654,10 @@ win_close_buffer(win_T *win, int action, int abort_if_last) - bufref_T bufref; - - set_bufref(&bufref, curbuf); -- win->w_closing = TRUE; -+ win->w_locked = TRUE; - close_buffer(win, win->w_buffer, action, abort_if_last, TRUE); - if (win_valid_any_tab(win)) -- win->w_closing = FALSE; -+ win->w_locked = FALSE; - // Make sure curbuf is valid. It can become invalid if 'bufhidden' is - // "wipe". 
- if (!bufref_valid(&bufref)) -@@ -2705,7 +2705,7 @@ win_close(win_T *win, int free_buf) - if (window_layout_locked(CMD_close)) - return FAIL; - -- if (win->w_closing || (win->w_buffer != NULL -+ if (win_locked(win) || (win->w_buffer != NULL - && win->w_buffer->b_locked > 0)) - return FAIL; // window is already being closed - if (win_unlisted(win)) -@@ -2754,19 +2754,19 @@ win_close(win_T *win, int free_buf) - other_buffer = TRUE; - if (!win_valid(win)) - return FAIL; -- win->w_closing = TRUE; -+ win->w_locked = TRUE; - apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf); - if (!win_valid(win)) - return FAIL; -- win->w_closing = FALSE; -+ win->w_locked = FALSE; - if (last_window()) - return FAIL; - } -- win->w_closing = TRUE; -+ win->w_locked = TRUE; - apply_autocmds(EVENT_WINLEAVE, NULL, NULL, FALSE, curbuf); - if (!win_valid(win)) - return FAIL; -- win->w_closing = FALSE; -+ win->w_locked = FALSE; - if (last_window()) - return FAIL; - #ifdef FEAT_EVAL -@@ -3346,7 +3346,7 @@ win_close_othertab(win_T *win, int free_buf, tabpage_T *tp) - - // Get here with win->w_buffer == NULL when win_close() detects the tab - // page changed. -- if (win->w_closing || (win->w_buffer != NULL -+ if (win_locked(win) || (win->w_buffer != NULL - && win->w_buffer->b_locked > 0)) - return; // window is already being closed - -@@ -7808,3 +7808,12 @@ skip: - return NULL; // no error - } - #endif -+ -+/* -+ * Don't let autocommands close the given window -+ */ -+ int -+win_locked(win_T *wp) -+{ -+ return wp->w_locked; -+} diff --git a/SPECS/vim/CVE-2024-43802.patch b/SPECS/vim/CVE-2024-43802.patch deleted file mode 100644 index 0962098c743..00000000000 --- a/SPECS/vim/CVE-2024-43802.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001 -From: Christian Brabandt -Date: Sun, 25 Aug 2024 21:33:03 +0200 -Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in - ins_typebuf - -Problem: heap-buffer-overflow in ins_typebuf - (SuyueGuo) -Solution: When flushing the typeahead buffer, validate that there - is enough space left - -Github Advisory: -https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh - -Signed-off-by: Christian Brabandt - -Removed binary test file and test only changes for security fix - ---- - src/getchar.c | 15 ++++++++++++--- - 1 files changed, 12 insertions(+), 3 deletions(-) - create mode 100644 src/testdir/crash/heap_overflow3 - -diff --git a/src/getchar.c b/src/getchar.c -index 29323fa328bd1..96e180f4ae1a9 100644 ---- a/src/getchar.c -+++ b/src/getchar.c -@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead) - - if (flush_typeahead == FLUSH_MINIMAL) - { -- // remove mapped characters at the start only -- typebuf.tb_off += typebuf.tb_maplen; -- typebuf.tb_len -= typebuf.tb_maplen; -+ // remove mapped characters at the start only, -+ // but only when enough space left in typebuf -+ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen) -+ { -+ typebuf.tb_off = MAXMAPLEN; -+ typebuf.tb_len = 0; -+ } -+ else -+ { -+ typebuf.tb_off += typebuf.tb_maplen; -+ typebuf.tb_len -= typebuf.tb_maplen; -+ } - #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL) - if (typebuf.tb_len == 0) - typebuf_was_filled = FALSE; diff --git a/SPECS/vim/vim.signatures.json b/SPECS/vim/vim.signatures.json index 16baeda3355..9e9392d00ef 100644 --- a/SPECS/vim/vim.signatures.json +++ b/SPECS/vim/vim.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "vim-9.0.2121.tar.gz": "8d04737e71f529b37f18ec26a16a11ef183bb83b214f4e6ddddf20136c5813ea" + "vim-9.1.0791.tar.gz": "ce6dcd15d4e7e7406315eecf1b7d6610a6b9e71efeb98646648a3008b7cea6b7" } -} \ No newline at end of file +} 
diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec
index a6107efc049..7cf48d16dc7 100644
--- a/SPECS/vim/vim.spec
+++ b/SPECS/vim/vim.spec
@@ -1,19 +1,15 @@
 %define debug_package %{nil}
 Summary: Text editor
 Name: vim
-Version: 9.0.2121
-Release: 5%{?dist}
+Version: 9.1.0791
+Release: 1%{?dist}
 License: Vim
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: Applications/Editors
 URL: https://www.vim.org
 Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Patch0: CVE-2024-22667.patch
-Patch1: CVE-2024-43374.patch
-Patch2: CVE-2024-41957.patch
-Patch3: CVE-2024-41965.patch
-Patch4: CVE-2024-43802.patch
+
 BuildRequires: ncurses-devel
 BuildRequires: python3-devel
 Requires(post): sed
@@ -132,14 +128,15 @@ fi
 %{_datarootdir}/vim/vim*/scripts.vim
 %{_datarootdir}/vim/vim*/spell/*
 %{_datarootdir}/vim/vim*/syntax/*
-%exclude %{_datarootdir}/vim/vim90/syntax/nosyntax.vim
-%exclude %{_datarootdir}/vim/vim90/syntax/syntax.vim
-%exclude %{_datarootdir}/vim/vim90/autoload/dist/ft.vim
+%exclude %{_datarootdir}/vim/vim*/syntax/nosyntax.vim
+%exclude %{_datarootdir}/vim/vim*/syntax/syntax.vim
+%exclude %{_datarootdir}/vim/vim*/autoload/dist/ft.vim
 %{_datarootdir}/vim/vim*/tools/*
 %{_datarootdir}/vim/vim*/tutor/*
 %{_datarootdir}/vim/vim*/lang/*.vim
 %doc %{_datarootdir}/vim/vim*/lang/*.txt
 %lang(af) %{_datarootdir}/vim/vim*/lang/af/LC_MESSAGES/vim.mo
+%lang(am) %{_datarootdir}/vim/vim*/lang/am/LC_MESSAGES/vim.mo
 %lang(ca) %{_datarootdir}/vim/vim*/lang/ca/LC_MESSAGES/vim.mo
 %lang(cs) %{_datarootdir}/vim/vim*/lang/cs/LC_MESSAGES/vim.mo
 %lang(de) %{_datarootdir}/vim/vim*/lang/de/LC_MESSAGES/vim.mo
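Review bot: The five `PatchN:` lines removed in the first vim.spec hunk covered CVE-2024-22667, CVE-2024-43374, CVE-2024-41957, CVE-2024-41965 and CVE-2024-43802, but the new `%changelog` entry (last vim.spec hunk) names only CVE-2024-47814 and CVE-2024-43802, so the package history no longer records why the other four remain fixed. The deleted patch headers identify them as upstream patches 9.0.2142, 9.1.0678, 9.1.0647 and 9.1.0648 (9.1.0697 for CVE-2024-43802), which precede 9.1.0791 in upstream's numbering, so I would add a changelog line such as `- Remove patches for CVE-2024-22667, CVE-2024-43374, CVE-2024-41957, CVE-2024-41965, CVE-2024-43802 (included upstream in 9.1.0791)`. The `%prep` section is outside the hunk; if it applies patches by number rather than through `%autosetup`, those lines have to be removed as well. The lone `+` that leaves an empty line where the Patch block used to be can be dropped.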
@@ -149,6 +146,7 @@ fi %lang(fi) %{_datarootdir}/vim/vim*/lang/fi/LC_MESSAGES/vim.mo %lang(fr) %{_datarootdir}/vim/vim*/lang/fr/LC_MESSAGES/vim.mo %lang(ga) %{_datarootdir}/vim/vim*/lang/ga/LC_MESSAGES/vim.mo +%lang(hu) %{_datarootdir}/vim/vim*/lang/hu/LC_MESSAGES/vim.mo %lang(it) %{_datarootdir}/vim/vim*/lang/it/LC_MESSAGES/vim.mo %lang(ja) %{_datarootdir}/vim/vim*/lang/ja/LC_MESSAGES/vim.mo %lang(ko.UTF-8) %{_datarootdir}/vim/vim*/lang/ko.UTF-8/LC_MESSAGES/vim.mo @@ -190,8 +188,8 @@ fi %{_datarootdir}/vim/vim*/colors/lists/default.vim %{_datarootdir}/vim/vim*/defaults.vim %{_datarootdir}/vim/vim*/filetype.vim -%{_datarootdir}/vim/vim90/syntax/nosyntax.vim -%{_datarootdir}/vim/vim90/autoload/dist/ft.vim +%{_datarootdir}/vim/vim*/syntax/nosyntax.vim +%{_datarootdir}/vim/vim*/autoload/dist/ft.vim %{_bindir}/ex %{_bindir}/vi %{_bindir}/view @@ -201,6 +199,10 @@ fi %{_bindir}/vimdiff %changelog +* Thu Oct 17 2024 Nick Samson - 9.1.0791-1 +- Upgrade to 9.1.0791 to fix CVE-2024-47814, CVE-2024-43802 +- Added language configurations for Amharic and Hungarian + * Tue Oct 08 2024 Sam Meluch - 9.0.2121-5 - Add patch to resolve CVE-2024-43802 diff --git a/cgmanifest.json b/cgmanifest.json index ed336fc0ad7..a9161afa4a5 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -29497,8 +29497,8 @@ "type": "other", "other": { "name": "vim", - "version": "9.0.2121", - "downloadUrl": "https://github.com/vim/vim/archive/v9.0.2121.tar.gz" + "version": "9.1.0791", + "downloadUrl": "https://github.com/vim/vim/archive/v9.1.0791.tar.gz" } } },