diff --git a/0009-fix-CVE-2024-43802.patch b/0009-fix-CVE-2024-43802.patch new file mode 100644 index 0000000000000000000000000000000000000000..84a3989e6db6a99bc5b5b81bf1c51388dd332189 --- /dev/null +++ b/0009-fix-CVE-2024-43802.patch @@ -0,0 +1,46 @@ +From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Sun, 25 Aug 2024 21:33:03 +0200 +Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in + ins_typebuf + +Problem: heap-buffer-overflow in ins_typebuf + (SuyueGuo) +Solution: When flushing the typeahead buffer, validate that there + is enough space left + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh + +Signed-off-by: Christian Brabandt +--- + src/getchar.c | 15 ++++++++++++--- + 1 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/getchar.c b/src/getchar.c +index 29323fa328bd1..96e180f4ae1a9 100644 +--- a/src/getchar.c ++++ b/src/getchar.c +@@ -438,9 +438,18 @@ flush_buffers(flush_buffers_T flush_typeahead) + + if (flush_typeahead == FLUSH_MINIMAL) + { +- // remove mapped characters at the start only +- typebuf.tb_off += typebuf.tb_maplen; +- typebuf.tb_len -= typebuf.tb_maplen; ++ // remove mapped characters at the start only, ++ // but only when enough space left in typebuf ++ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen) ++ { ++ typebuf.tb_off = MAXMAPLEN; ++ typebuf.tb_len = 0; ++ } ++ else ++ { ++ typebuf.tb_off += typebuf.tb_maplen; ++ typebuf.tb_len -= typebuf.tb_maplen; ++ } + #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL) + if (typebuf.tb_len == 0) + typebuf_was_filled = FALSE; + diff --git a/1004-fix-CVE-2024-43374.patch b/1004-fix-CVE-2024-43374.patch new file mode 100644 index 0000000000000000000000000000000000000000..4add6e197a3ea8eaa892bfab983db49e1cddad05 --- /dev/null +++ b/1004-fix-CVE-2024-43374.patch @@ -0,0 +1,299 @@ +From 0a6e57b09bc8c76691b367a5babfb79b31b770e8 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Thu, 15 Aug 2024 22:15:28 +0200 +Subject: [PATCH] patch 9.1.0678: [security]: use-after-free in alist_add() +https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8 + +Problem: [security]: use-after-free in alist_add() + (SuyueGuo) +Solution: Lock the current window, so that the reference to + the argument list remains valid. + +This fixes CVE-2024-43374 + +Signed-off-by: Christian Brabandt +--- + src/arglist.c | 6 ++++++ + src/buffer.c | 4 ++-- + src/ex_cmds.c | 4 ++-- + src/proto/window.pro | 1 + + src/structs.h | 2 +- + src/terminal.c | 4 ++-- + src/testdir/test_arglist.vim | 23 +++++++++++++++++++++++ + src/version.c | 2 ++ + src/window.c | 29 +++++++++++++++++++---------- + 9 files changed, 58 insertions(+), 17 deletions(-) + +diff --git a/src/arglist.c b/src/arglist.c +index a63f6c7..050f96f 100644 +--- a/src/arglist.c ++++ b/src/arglist.c +@@ -184,6 +184,8 @@ alist_set( + /* + * Add file "fname" to argument list "al". + * "fname" must have been allocated and "al" must have been checked for room. ++ * ++ * May trigger Buf* autocommands + */ + void + alist_add( +@@ -196,6 +198,7 @@ alist_add( + if (check_arglist_locked() == FAIL) + return; + arglist_locked = TRUE; ++ curwin->w_locked = TRUE; + + #ifdef BACKSLASH_IN_FILENAME + slash_adjust(fname); +@@ -207,6 +210,7 @@ alist_add( + ++al->al_ga.ga_len; + + arglist_locked = FALSE; ++ curwin->w_locked = FALSE; + } + + #if defined(BACKSLASH_IN_FILENAME) || defined(PROTO) +@@ -365,6 +369,7 @@ alist_add_list( + mch_memmove(&(ARGLIST[after + count]), &(ARGLIST[after]), + (ARGCOUNT - after) * sizeof(aentry_T)); + arglist_locked = TRUE; ++ curwin->w_locked = TRUE; + for (i = 0; i < count; ++i) + { + int flags = BLN_LISTED | (will_edit ? BLN_CURBUF : 0); +@@ -373,6 +378,7 @@ alist_add_list( + ARGLIST[after + i].ae_fnum = buflist_add(files[i], flags); + } + arglist_locked = FALSE; ++ curwin->w_locked = FALSE; + ALIST(curwin)->al_ga.ga_len += count; + if (old_argcount > 0 && curwin->w_arg_idx >= after) + curwin->w_arg_idx += count; +diff --git a/src/buffer.c b/src/buffer.c +index ccd095b..260d22e 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -1456,7 +1456,7 @@ do_buffer_ext( + // (unless it's the only window). Repeat this so long as we end up in + // a window with this buffer. + while (buf == curbuf +- && !(curwin->w_closing || curwin->w_buffer->b_locked > 0) ++ && !(win_locked(curwin) || curwin->w_buffer->b_locked > 0) + && (!ONE_WINDOW || first_tabpage->tp_next != NULL)) + { + if (win_close(curwin, FALSE) == FAIL) +@@ -5443,7 +5443,7 @@ ex_buffer_all(exarg_T *eap) + : wp->w_width != Columns) + || (had_tab > 0 && wp != firstwin)) + && !ONE_WINDOW +- && !(wp->w_closing || wp->w_buffer->b_locked > 0) ++ && !(win_locked(wp) || wp->w_buffer->b_locked > 0) + && !win_unlisted(wp)) + { + if (win_close(wp, FALSE) == FAIL) +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index a08682b..46c4503 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -2827,7 +2827,7 @@ do_ecmd( + + // Set the w_closing flag to avoid that autocommands close the + // window. And set b_locked for the same reason. +- the_curwin->w_closing = TRUE; ++ the_curwin->w_locked = TRUE; + ++buf->b_locked; + + if (curbuf == old_curbuf.br_buf) +@@ -2841,7 +2841,7 @@ do_ecmd( + + // Autocommands may have closed the window. + if (win_valid(the_curwin)) +- the_curwin->w_closing = FALSE; ++ the_curwin->w_locked = FALSE; + --buf->b_locked; + + #ifdef FEAT_EVAL +diff --git a/src/proto/window.pro b/src/proto/window.pro +index cfb771d..12edf0b 100644 +--- a/src/proto/window.pro ++++ b/src/proto/window.pro +@@ -93,4 +93,5 @@ int win_hasvertsplit(void); + int get_win_number(win_T *wp, win_T *first_win); + int get_tab_number(tabpage_T *tp); + char *check_colorcolumn(win_T *wp); ++int win_locked(win_T *wp); + /* vim: set ft=c : */ +diff --git a/src/structs.h b/src/structs.h +index 6d9dcbb..1f4742b 100644 +--- a/src/structs.h ++++ b/src/structs.h +@@ -3740,7 +3740,7 @@ struct window_S + synblock_T *w_s; // for :ownsyntax + #endif + +- int w_closing; // window is being closed, don't let ++ int w_locked; // window is being closed, don't let + // autocommands close it too. + + frame_T *w_frame; // frame containing this window +diff --git a/src/terminal.c b/src/terminal.c +index f79d102..37cd0f2 100644 +--- a/src/terminal.c ++++ b/src/terminal.c +@@ -3669,10 +3669,10 @@ term_after_channel_closed(term_T *term) + if (is_aucmd_win(curwin)) + do_set_w_closing = TRUE; + if (do_set_w_closing) +- curwin->w_closing = TRUE; ++ curwin->w_locked = TRUE; + do_bufdel(DOBUF_WIPE, (char_u *)"", 1, fnum, fnum, FALSE); + if (do_set_w_closing) +- curwin->w_closing = FALSE; ++ curwin->w_locked = FALSE; + aucmd_restbuf(&aco); + } + #ifdef FEAT_PROP_POPUP +diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim +index edc8b77..8d81a82 100644 +--- a/src/testdir/test_arglist.vim ++++ b/src/testdir/test_arglist.vim +@@ -359,6 +359,7 @@ func Test_argv() + call assert_equal('', argv(1, 100)) + call assert_equal([], argv(-1, 100)) + call assert_equal('', argv(10, -1)) ++ %argdelete + endfunc + + " Test for the :argedit command +@@ -744,4 +745,26 @@ func Test_all_command() + %bw! + endfunc + ++" Test for deleting buffer when creating an arglist. This was accessing freed ++" memory ++func Test_crash_arglist_uaf() ++ "%argdelete ++ new one ++ au BufAdd XUAFlocal :bw ++ "call assert_fails(':arglocal XUAFlocal', 'E163:') ++ arglocal XUAFlocal ++ au! BufAdd ++ bw! XUAFlocal ++ ++ au BufAdd XUAFlocal2 :bw ++ new two ++ new three ++ arglocal ++ argadd XUAFlocal2 Xfoobar ++ bw! XUAFlocal2 ++ bw! two ++ ++ au! BufAdd ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/version.c b/src/version.c +index 555ef9f..10916ed 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -704,6 +704,8 @@ static char *(features[]) = + + static int included_patches[] = + { /* Add new patch number below this line */ ++/**/ ++ 678, + /**/ + 2142, + /**/ +diff --git a/src/window.c b/src/window.c +index 2afa28d..e2a7393 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -2441,7 +2441,7 @@ close_windows( + for (wp = firstwin; wp != NULL && !ONE_WINDOW; ) + { + if (wp->w_buffer == buf && (!keep_curwin || wp != curwin) +- && !(wp->w_closing || wp->w_buffer->b_locked > 0)) ++ && !(win_locked(wp) || wp->w_buffer->b_locked > 0)) + { + if (win_close(wp, FALSE) == FAIL) + // If closing the window fails give up, to avoid looping +@@ -2462,7 +2462,7 @@ close_windows( + if (tp != curtab) + FOR_ALL_WINDOWS_IN_TAB(tp, wp) + if (wp->w_buffer == buf +- && !(wp->w_closing || wp->w_buffer->b_locked > 0)) ++ && !(win_locked(wp) || wp->w_buffer->b_locked > 0)) + { + win_close_othertab(wp, FALSE, tp); + +@@ -2584,10 +2584,10 @@ win_close_buffer(win_T *win, int action, int abort_if_last) + bufref_T bufref; + + set_bufref(&bufref, curbuf); +- win->w_closing = TRUE; ++ win->w_locked = TRUE; + close_buffer(win, win->w_buffer, action, abort_if_last, TRUE); + if (win_valid_any_tab(win)) +- win->w_closing = FALSE; ++ win->w_locked = FALSE; + // Make sure curbuf is valid. It can become invalid if 'bufhidden' is + // "wipe". + if (!bufref_valid(&bufref)) +@@ -2635,7 +2635,7 @@ win_close(win_T *win, int free_buf) + if (window_layout_locked(CMD_close)) + return FAIL; + +- if (win->w_closing || (win->w_buffer != NULL ++ if (win_locked(win) || (win->w_buffer != NULL + && win->w_buffer->b_locked > 0)) + return FAIL; // window is already being closed + if (win_unlisted(win)) +@@ -2684,19 +2684,19 @@ win_close(win_T *win, int free_buf) + other_buffer = TRUE; + if (!win_valid(win)) + return FAIL; +- win->w_closing = TRUE; ++ win->w_locked = TRUE; + apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf); + if (!win_valid(win)) + return FAIL; +- win->w_closing = FALSE; ++ win->w_locked = FALSE; + if (last_window()) + return FAIL; + } +- win->w_closing = TRUE; ++ win->w_locked = TRUE; + apply_autocmds(EVENT_WINLEAVE, NULL, NULL, FALSE, curbuf); + if (!win_valid(win)) + return FAIL; +- win->w_closing = FALSE; ++ win->w_locked = FALSE; + if (last_window()) + return FAIL; + #ifdef FEAT_EVAL +@@ -3269,7 +3269,7 @@ win_close_othertab(win_T *win, int free_buf, tabpage_T *tp) + + // Get here with win->w_buffer == NULL when win_close() detects the tab + // page changed. +- if (win->w_closing || (win->w_buffer != NULL ++ if (win_locked(win) || (win->w_buffer != NULL + && win->w_buffer->b_locked > 0)) + return; // window is already being closed + +@@ -7792,3 +7792,12 @@ skip: + return NULL; // no error + } + #endif ++ ++/* ++ * Don't let autocommands close the given window ++ */ ++ int ++win_locked(win_T *wp) ++{ ++ return wp->w_locked; ++} +-- +2.43.0 diff --git a/vim.spec b/vim.spec index 5fa603f90e2a452763f33d240f496d3b71e5770d..84e64924cb7e29f07a2b4e5c5960223202c990e5 100644 --- a/vim.spec +++ b/vim.spec @@ -1,4 +1,4 @@ -%define anolis_release 5 +%define anolis_release 6 %bcond_without gui %bcond_with default_editor @@ -64,6 +64,8 @@ Patch0005: 0005-fix-CVE-2023-48235.patch Patch0006: 0006-fix-CVE-2023-48236.patch Patch0007: 0007-fix-CVE-2023-48237.patch Patch0008: 0008-fix-CVE-2023-48706.patch +# https://github.com/vim/vim/commit/322ba9108612bead5eb7731ccb66763dec69ef1b +Patch0010: 0009-fix-CVE-2024-43802.patch Patch1001: 1001-vim-8.0-copy-paste.patch #CVE-2024-22667 @@ -71,6 +73,8 @@ Patch1001: 1001-vim-8.0-copy-paste.patch Patch1002: 1002-stack-buffer-overflow-in-option-callback-functions.patch #https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919 Patch1003: 1003-fix-cve-2025-24014.patch +# https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8 +Patch1004: 1004-fix-CVE-2024-43374.patch BuildRequires: autoconf gcc glibc-gconv-extra make BuildRequires: gettext gpm-devel libacl-devel @@ -815,6 +819,9 @@ touch %{buildroot}/%{data_dir}/vimfiles/doc/tags %endif %changelog +* Mon Jul 07 2025 wenxin - 3:9.0.2092-6 +- Add patch to Fix CVE-2024-43802, CVE-2024-43374 + * Mon Mar 3 2025 Chang Gao - 3:9.0.2092-5 - Fix cve regression: - CVE-2023-48231~CVE-2023-48237 and CVE-2023-48706