Backport patches from upstream to fix these CVEs.
Signed-off-by: Ross Burton <ross.bur...@arm.com>
---
...28-using-freed-memory-when-replacing.patch | 83 ++++++++++++++++
...llegal-memory-access-if-buffer-name-.patch | 86 ++++++++++++++++
...ml_get-error-after-search-with-range.patch | 72 ++++++++++++++
...nvalid-memory-access-when-scrolling-.patch | 97 +++++++++++++++++++
meta/recipes-support/vim/vim.inc | 8 +-
5 files changed, 344 insertions(+), 2 deletions(-)
create mode 100644
meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
create mode 100644
meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
create mode 100644
meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
create mode 100644
meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
diff --git
a/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
b/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
new file mode 100644
index 0000000000..ecfae0301e
--- /dev/null
+++
b/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
@@ -0,0 +1,83 @@
+CVE: CVE-2021-3796
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.bur...@arm.com>
+
+From 1160e5f74b229336502fc376416f21108d36cfc2 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <b...@vim.org>
+Date: Sat, 11 Sep 2021 21:14:20 +0200
+Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
+
+Problem: Using freed memory when replacing. (Dhiraj Mishra)
+Solution: Get the line pointer after calling ins_copychar().
+---
+ src/normal.c | 10 +++++++---
+ src/testdir/test_edit.vim | 14 ++++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index c4963e621..d6333b948 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
+ {
+ /*
+ * Get ptr again, because u_save and/or showmatch() will have
+- * released the line. At the same time we let know that the
+- * line will be changed.
++ * released the line. This may also happen in ins_copychar().
++ * At the same time we let know that the line will be changed.
+ */
+- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+ {
+ int c = ins_copychar(curwin->w_cursor.lnum
+ + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (c != NUL)
+ ptr[curwin->w_cursor.col] = c;
+ }
+ else
++ {
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ ptr[curwin->w_cursor.col] = cap->nchar;
++ }
+ if (p_sm && msg_silent == 0)
+ showmatch(cap->nchar);
+ ++curwin->w_cursor.col;
+diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
+index 4e29e7fe1..f94e6c181 100644
+--- a/src/testdir/test_edit.vim
++++ b/src/testdir/test_edit.vim
+@@ -1519,3 +1519,17 @@ func Test_edit_noesckeys()
+ bwipe!
+ set esckeys
+ endfunc
++
++" Test for getting the character of the line below after "p"
++func Test_edit_put_CTRL_E()
++ set encoding=latin1
++ new
++ let @" = ''
++ sil! norm or�ggRx
++ sil! norm pr�
++ call assert_equal(['r', 'r'], getline(1, 2))
++ bwipe!
++ set encoding=utf-8
++endfunc
++
++" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 85bdfc601..1046993d6 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 3428,
+ /**/
+ 3409,
+ /**/
diff --git
a/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
new file mode 100644
index 0000000000..576664f436
--- /dev/null
+++
b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
@@ -0,0 +1,86 @@
+CVE: CVE-2021-3872
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.bur...@arm.com>
+
+From 61629ea24a2fff1f89c37479d3fb52f17c3480fc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <b...@vim.org>
+Date: Fri, 8 Oct 2021 18:39:28 +0100
+Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
+ long
+
+Problem: Illegal memory access if buffer name is very long.
+Solution: Make sure not to go over the end of the buffer.
+---
+ src/drawscreen.c | 10 +++++-----
+ src/testdir/test_statusline.vim | 11 +++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/drawscreen.c b/src/drawscreen.c
+index 3a88ee979..9acb70552 100644
+--- a/src/drawscreen.c
++++ b/src/drawscreen.c
+@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+ *(p + len++) = ' ';
+ if (bt_help(wp->w_buffer))
+ {
+- STRCPY(p + len, _("[Help]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
+ len += (int)STRLEN(p + len);
+ }
+ #ifdef FEAT_QUICKFIX
+ if (wp->w_p_pvw)
+ {
+- STRCPY(p + len, _("[Preview]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
+ len += (int)STRLEN(p + len);
+ }
+ #endif
+@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+ #endif
+ )
+ {
+- STRCPY(p + len, "[+]");
+- len += 3;
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
++ len += (int)STRLEN(p + len);
+ }
+ if (wp->w_buffer->b_p_ro)
+ {
+- STRCPY(p + len, _("[RO]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
+ len += (int)STRLEN(p + len);
+ }
+
+diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
+index 1f705b847..91bce1407 100644
+--- a/src/testdir/test_statusline.vim
++++ b/src/testdir/test_statusline.vim
+@@ -393,3 +393,14 @@ func Test_statusline_visual()
+ bwipe! x1
+ bwipe! x2
+ endfunc
++" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
++func Test_statusline_verylong_filename()
++ let fname = repeat('x', 4090)
++ exe "new " .. fname
++ set buftype=help
++ set previewwindow
++ redraw
++ bwipe!
++endfunc
++
++" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 1046993d6..2b5de5ccf 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 3487,
+ /**/
+ 3428,
+ /**/
diff --git
a/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
new file mode 100644
index 0000000000..045081579c
--- /dev/null
+++
b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
@@ -0,0 +1,72 @@
+CVE: CVE-2021-3875
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.bur...@arm.com>
+
+From b8968e26d7508e7d64bfc86808142818b0a9288c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <b...@vim.org>
+Date: Sat, 9 Oct 2021 13:58:55 +0100
+Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
+
+Problem: ml_get error after search with range.
+Solution: Limit the line number to the buffer line count.
+---
+ src/ex_docmd.c | 6 ++++--
+ src/testdir/test_search.vim | 17 +++++++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index fb07450f8..fde726477 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3586,8 +3586,10 @@ get_address(
+
+ // When '/' or '?' follows another address, start from
+ // there.
+- if (lnum != MAXLNUM)
+- curwin->w_cursor.lnum = lnum;
++ if (lnum > 0 && lnum != MAXLNUM)
++ curwin->w_cursor.lnum =
++ lnum > curbuf->b_ml.ml_line_count
++ ? curbuf->b_ml.ml_line_count : lnum;
+
+ // Start a forward search at the end of the line (unless
+ // before the first line).
+diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
+index 187671305..e142c3547 100644
+--- a/src/testdir/test_search.vim
++++ b/src/testdir/test_search.vim
+@@ -1366,3 +1366,20 @@ func Test_searchdecl()
+
+ bwipe!
+ endfunc
++
++func Test_search_with_invalid_range()
++ new
++ let lines =<< trim END
++ /\%.v
++ 5/
++ c
++ END
++ call writefile(lines, 'Xrangesearch')
++ source Xrangesearch
++
++ bwipe!
++ call delete('Xrangesearch')
++endfunc
++
++
++" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 2b5de5ccf..092864bbb 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 3489,
+ /**/
+ 3487,
+ /**/
diff --git
a/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
b/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
new file mode 100644
index 0000000000..7184b37cad
--- /dev/null
+++
b/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
@@ -0,0 +1,97 @@
+CVE: CVE-2021-3903
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.bur...@arm.com>
+
+From b15919c1fe0f7fc3d98ff5207ed2feb43c59009d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <b...@vim.org>
+Date: Mon, 25 Oct 2021 17:07:04 +0100
+Subject: [PATCH] patch 8.2.3564: invalid memory access when scrolling without
+ valid screen
+
+Problem: Invalid memory access when scrolling without a valid screen.
+Solution: Do not set VALID_BOTLINE in w_valid.
+---
+ src/move.c | 1 -
+ src/testdir/test_normal.vim | 23 ++++++++++++++++++++---
+ src/version.c | 2 ++
+ 3 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/move.c b/src/move.c
+index 8e53d8bcb..10165ef4d 100644
+--- a/src/move.c
++++ b/src/move.c
+@@ -198,7 +198,6 @@ update_topline(void)
+ {
+ curwin->w_topline = curwin->w_cursor.lnum;
+ curwin->w_botline = curwin->w_topline;
+- curwin->w_valid |= VALID_BOTLINE|VALID_BOTLINE_AP;
+ curwin->w_scbind_pos = 1;
+ return;
+ }
+diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
+index d45cf4159..ca87928f5 100644
+--- a/src/testdir/test_normal.vim
++++ b/src/testdir/test_normal.vim
+@@ -33,14 +33,14 @@ func CountSpaces(type, ...)
+ else
+ silent exe "normal! `[v`]y"
+ endif
+- let g:a=strlen(substitute(@@, '[^ ]', '', 'g'))
++ let g:a = strlen(substitute(@@, '[^ ]', '', 'g'))
+ let &selection = sel_save
+ let @@ = reg_save
+ endfunc
+
+ func OpfuncDummy(type, ...)
+ " for testing operatorfunc
+- let g:opt=&linebreak
++ let g:opt = &linebreak
+
+ if a:0 " Invoked from Visual mode, use gv command.
+ silent exe "normal! gvy"
+@@ -51,7 +51,7 @@ func OpfuncDummy(type, ...)
+ endif
+ " Create a new dummy window
+ new
+- let g:bufnr=bufnr('%')
++ let g:bufnr = bufnr('%')
+ endfunc
+
+ fun! Test_normal00_optrans()
+@@ -718,6 +718,23 @@ func Test_normal17_z_scroll_hor2()
+ bw!
+ endfunc
+
++
++func Test_scroll_in_ex_mode()
++ " This was using invalid memory because w_botline was invalid.
++ let lines =<< trim END
++ diffsplit
++ norm os0�0(�
++ call writefile(['done'], 'Xdone')
++ qa!
++ END
++ call writefile(lines, 'Xscript')
++ call assert_equal(1, RunVim([], [], '--clean -X -Z -e -s -S Xscript'))
++ call assert_equal(['done'], readfile('Xdone'))
++
++ call delete('Xscript')
++ call delete('Xdone')
++endfunc
++
+ func Test_normal18_z_fold()
+ " basic tests for foldopen/folddelete
+ if !has("folding")
+diff --git a/src/version.c b/src/version.c
+index 092864bbb..a9e8be0e7 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 3564,
+ /**/
+ 3489,
+ /**/
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 50e215d20f..943856e07c 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -18,8 +18,12 @@ SRC_URI =
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
file://racefix.patch \
file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
- file://CVE-2021-3778.patch \
-"
+ file://CVE-2021-3778.patch \
+ file://0002-patch-8.2.3428-using-freed-memory-when-replacing.patch \
+
file://0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch \
+
file://0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch \
+
file://0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch \
+ "
SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#158060):
https://lists.openembedded.org/g/openembedded-core/message/158060
Mute This Topic: https://lists.openembedded.org/mt/86944835/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
