开源软件构建与测试

Changes of Revision 5

_service:tar_scm:vim.spec Changed

@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        24
+Release:        27
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -82,6 +82,12 @@
 Patch6052:      backport-CVE-2022-4292.patch
 Patch6053:      backport-patch-9.0.0712-wrong-column-when-calling-setcursorch-with-zero-lnum.patch
 Patch6054:      backport-CVE-2022-4293.patch
+Patch6055:      backport-CVE-2023-0049.patch
+Patch6056:      backport-CVE-2023-0051.patch
+Patch6057:      backport-CVE-2023-0054.patch
+Patch6058:      backport-CVE-2022-47024.patch
+Patch6059:      backport-CVE-2023-0288.patch
+Patch6060:      backport-CVE-2023-0433.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 
@@ -489,6 +495,24 @@
 %{_mandir}/man1/evim.*
 
 %changelog
+* Mon Feb 06 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-27
+- Type:CVE
+- ID:CVE-2023-0433
+- SUG:NA
+- DESC:CVE-2023-0433
+
+* Sun Jan 29 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-26
+- Type:CVE
+- ID:CVE-2022-47024 CVE-2023-0288
+- SUG:NA
+- DESC:CVE-2022-47024 CVE-2023-0288
+
+* Mon Jan 09 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-25
+- Type:CVE
+- ID:CVE-2023-0049 CVE-2023-0051 CVE-2023-0054
+- SUG:NA
+- DESC:CVE-2023-0049 CVE-2023-0051 CVE-2023-0054
+
 * Mon Dec 12 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-24
 - Type:bugfix
 - ID:NA

_service:tar_scm:backport-CVE-2022-47024.patch Added

@@ -0,0 +1,34 @@
+From a63ad78ed31e36dbdf3a9cd28071dcdbefce7d19 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 31 Aug 2022 12:01:54 +0100
+Subject: PATCH patch 9.0.0339: no check if the return value of XChangeGC()
+ is NULL
+
+Problem:    No check if the return value of XChangeGC() is NULL.
+Solution:   Only use the return value when it is not NULL. (closes #11020)
+---
+ src/gui_x11.c | 10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui_x11.c b/src/gui_x11.c
+index 6e3e903be462..7293ac4900a6 100644
+--- a/src/gui_x11.c
++++ b/src/gui_x11.c
+@@ -2231,10 +2231,14 @@ gui_x11_create_blank_mouse(void)
+ {
+     Pixmap blank_pixmap = XCreatePixmap(gui.dpy, gui.wid, 1, 1, 1);
+     GC gc = XCreateGC(gui.dpy, blank_pixmap, (unsigned long)0, (XGCValues*)0);
+-    XDrawPoint(gui.dpy, blank_pixmap, gc, 0, 0);
+-    XFreeGC(gui.dpy, gc);
++
++    if (gc != NULL)
++    {
++	XDrawPoint(gui.dpy, blank_pixmap, gc, 0, 0);
++	XFreeGC(gui.dpy, gc);
++    }
+     return XCreatePixmapCursor(gui.dpy, blank_pixmap, blank_pixmap,
+-	    (XColor*)&gui.norm_pixel, (XColor*)&gui.norm_pixel, 0, 0);
++		     (XColor*)&gui.norm_pixel, (XColor*)&gui.norm_pixel, 0, 0);
+ }
+ 
+ /*

_service:tar_scm:backport-CVE-2023-0049.patch Added

@@ -0,0 +1,44 @@
+From 7b17eb4b063a234376c1ec909ee293e42cff290c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 4 Jan 2023 14:31:49 +0000
+Subject: PATCH patch 9.0.1143: invalid memory access with bad 'statusline'
+ value
+
+Problem:    Invalid memory access with bad 'statusline' value.
+Solution:   Avoid going over the NUL at the end.
+---
+ src/buffer.c                    | 2 ++
+ src/testdir/test_statusline.vim | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 98568987894e..40168226160c 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -4576,6 +4576,8 @@ build_stl_str_hl(
+ #endif
+ 	if (vim_strchr(STL_ALL, *s) == NULL)
+ 	{
++	    if (*s == NUL)  // can happen with "%0"
++		break;
+ 	    s++;
+ 	    continue;
+ 	}
+diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
+index a829597655bf..23613bfed37b 100644
+--- a/src/testdir/test_statusline.vim
++++ b/src/testdir/test_statusline.vim
+@@ -436,6 +436,13 @@ func Test_statusline()
+   set splitbelow&
+ endfunc
+ 
++func Test_statusline_trailing_percent_zero()
++  " this was causing illegal memory access
++  set laststatus=2 stl=%!%0
++  call assert_fails('redraw', 'E15: Invalid expression: "%0"')
++  set laststatus& stl&
++endfunc
++
+ func Test_statusline_visual()
+   func CallWordcount()
+     call wordcount()

_service:tar_scm:backport-CVE-2023-0051.patch Added

@@ -0,0 +1,98 @@
+From c32949b0779106ed5710ae3bffc5053e49083ab4 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 4 Jan 2023 15:56:51 +0000
+Subject: PATCH patch 9.0.1144: reading beyond text
+
+Problem:    Reading beyond text.
+Solution:   Add strlen_maxlen() and use it.
+---
+ src/message.c                |  3 ++-
+ src/proto/strings.pro        |  1 +
+ src/strings.c                | 15 ++++++++++++++-
+ src/testdir/test_cmdline.vim | 11 +++++++++++
+ 4 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/src/message.c b/src/message.c
+index becb280..c53c44f 100644
+--- a/src/message.c
++++ b/src/message.c
+@@ -2806,7 +2806,8 @@ msg_puts_printf(char_u *str, int maxlen)
+     {
+ 	char_u *tofree = NULL;
+ 
+-	if (maxlen > 0 && STRLEN(p) > (size_t)maxlen)
++	if (maxlen > 0 && vim_strlen_maxlen((char *)p, (size_t)maxlen)
++							     >= (size_t)maxlen)
+ 	{
+ 	    tofree = vim_strnsave(p, (size_t)maxlen);
+ 	    p = tofree;
+diff --git a/src/proto/strings.pro b/src/proto/strings.pro
+index 778ec90..1bd4dcb 100644
+--- a/src/proto/strings.pro
++++ b/src/proto/strings.pro
+@@ -12,6 +12,7 @@ char_u *strlow_save(char_u *orig);
+ void del_trailing_spaces(char_u *ptr);
+ void vim_strncpy(char_u *to, char_u *from, size_t len);
+ void vim_strcat(char_u *to, char_u *from, size_t tosize);
++size_t vim_strlen_maxlen(char *s, size_t maxlen);
+ int vim_stricmp(char *s1, char *s2);
+ int vim_strnicmp(char *s1, char *s2, size_t len);
+ char_u *vim_strchr(char_u *string, int c);
+diff --git a/src/strings.c b/src/strings.c
+index 0313e74..df06c3f 100644
+--- a/src/strings.c
++++ b/src/strings.c
+@@ -525,6 +525,19 @@ vim_strcat(char_u *to, char_u *from, size_t tosize)
+ 	mch_memmove(to + tolen, from, fromlen + 1);
+ }
+ 
++/*
++ * A version of strlen() that has a maximum length.
++ */
++    size_t
++vim_strlen_maxlen(char *s, size_t maxlen)
++{
++    size_t i;
++    for (i = 0; i < maxlen; ++i)
++	if (si == NUL)
++	    break;
++    return i;
++}
++
+ #if (!defined(HAVE_STRCASECMP) && !defined(HAVE_STRICMP)) || defined(PROTO)
+ /*
+  * Compare two strings, ignoring case, using current locale.
+@@ -582,7 +595,7 @@ vim_strnicmp(char *s1, char *s2, size_t len)
+  * 128 to 255 correctly.  It also doesn't return a pointer to the NUL at the
+  * end of the string.
+  */
+-    char_u  *
++    char_u *
+ vim_strchr(char_u *string, int c)
+ {
+     char_u	*p;
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index ab3bfdf..083f63e 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -574,6 +574,17 @@ func Test_getcompletion()
+   call assert_fails('call getcompletion("abc", )', 'E475:')
+ endfunc
+ 
++func Test_multibyte_expression()
++  " This was using uninitialized memory.
++  let lines =<< trim END
++      set verbose=6
++      norm @=ٷ
++      qall!
++  END
++  call writefile(lines, 'XmultiScript', 'D')
++  call RunVim('', '', '-u NONE -n -e -s -S XmultiScript')
++endfunc
++
+ " Test for getcompletion() with "fuzzy" in 'wildoptions'
+ func Test_getcompletion_wildoptions()
+   let save_wildoptions = &wildoptions
+-- 
+2.33.0
+

_service:tar_scm:backport-CVE-2023-0054.patch Added

@@ -0,0 +1,59 @@
+From 3ac1d97a1d9353490493d30088256360435f7731 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 4 Jan 2023 17:17:54 +0000
+Subject: PATCH patch 9.0.1145: invalid memory access with recursive
+ substitute expression
+
+Problem:    Invalid memory access with recursive substitute expression.
+Solution:   Check the return value of vim_regsub().
+---
+ src/eval.c                      |  5 +++++
+ src/testdir/test_substitute.vim | 16 ++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/src/eval.c b/src/eval.c
+index 2fbd867ab..9ca805061 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -6969,6 +6969,11 @@ do_string_sub(
+ 	     * - The text after the match.
+ 	     */
+ 	    sublen = vim_regsub(&regmatch, sub, expr, tail, 0, REGSUB_MAGIC);
++	    if (sublen <= 0)
++	    {
++		ga_clear(&ga);
++		break;
++	    }
+ 	    if (ga_grow(&ga, (int)((end - tail) + sublen -
+ 			    (regmatch.endp0 - regmatch.startp0))) == FAIL)
+ 	    {
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 251322337..4268aab03 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -1095,6 +1095,22 @@ func Test_sub_expr_goto_other_file()
+   bwipe!
+ endfunc
+ 
++func Test_recursive_expr_substitute()
++  " this was reading invalid memory
++  let lines =<< trim END
++      func Repl(g, n)
++        s
++        r%:s000
++      endfunc
++      next 0
++      let caught = 0
++      s/\%')/\=Repl(0, 0)
++      qall!
++  END
++  call writefile(lines, 'XexprSubst', 'D')
++  call RunVim(, , '--clean -S XexprSubst')
++endfunc
++
+ " Test for the 2-letter and 3-letter :substitute commands
+ func Test_substitute_short_cmd()
+   new
+-- 
+2.27.0
+

_service:tar_scm:backport-CVE-2023-0288.patch Added

@@ -0,0 +1,44 @@
+From 232bdaaca98c34a99ffadf27bf6ee08be6cc8f6a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 13 Jan 2023 14:17:58 +0000
+Subject: PATCH patch 9.0.1189: invalid memory access with folding and using
+ "L"
+
+Problem:    Invalid memory access with folding and using "L".
+Solution:   Prevent the cursor from moving to line zero.
+---
+ src/normal.c              | 3 ++-
+ src/testdir/test_fold.vim | 8 ++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index c319be599ad7..3d9f74dec558 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -3757,7 +3757,8 @@ nv_scroll(cmdarg_T *cap)
+ 		{
+ 		    (void)hasFolding(curwin->w_cursor.lnum,
+ 						&curwin->w_cursor.lnum, NULL);
+-		    --curwin->w_cursor.lnum;
++		    if (curwin->w_cursor.lnum > curwin->w_topline)
++			--curwin->w_cursor.lnum;
+ 		}
+ 	    }
+ 	    else
+diff --git a/src/testdir/test_fold.vim b/src/testdir/test_fold.vim
+index adf9e5207838..f915a661336b 100644
+--- a/src/testdir/test_fold.vim
++++ b/src/testdir/test_fold.vim
+@@ -1547,4 +1547,12 @@ func Test_sort_closed_fold()
+   bw!
+ endfunc
+ 
++func Test_indent_with_L_command()
++  " The "L" command moved the cursor to line zero, causing the text saved for
++  " undo to use line number -1, which caused trouble for undo later.
++  new
++  sil! norm 8R
&#x3;V{zf8=Lu
++  bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab

_service:tar_scm:backport-CVE-2023-0433.patch Added

@@ -0,0 +1,40 @@
+From 11977f917506d950b7e0cae558bd9189260b253b Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 21 Jan 2023 13:09:19 +0000
+Subject: PATCH patch 9.0.1225: reading past the end of a line when
+ formatting text
+
+Problem:    Reading past the end of a line when formatting text.
+Solution:   Check for not going over the end of the line.
+---
+ src/textformat.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/textformat.c b/src/textformat.c
+index 6a93890bd2c4..7ebbc8849a45 100644
+--- a/src/textformat.c
++++ b/src/textformat.c
+@@ -540,6 +540,9 @@ same_leader(
+     if (leader1_len == 0)
+ 	return (leader2_len == 0);
+ 
++    char_u  *lnum_line = NULL;
++    int	    line_len = 0;
++
+     // If first leader has 'f' flag, the lines can be joined only if the
+     // second line does not have a leader.
+     // If first leader has 'e' flag, the lines can never be joined.
+@@ -555,7 +558,12 @@ same_leader(
+ 		return FALSE;
+ 	    if (*p == COM_START)
+ 	    {
+-		if (*(ml_get(lnum) + leader1_len) == NUL)
++		if (lnum_line == NULL)
++		{
++		    lnum_line = ml_get(lnum);
++		    line_len = (int)STRLEN(lnum_line);
++		}
++		if (line_len <= leader1_len)
+ 		    return FALSE;
+ 		if (leader2_flags == NULL || leader2_len == 0)
+ 		    return FALSE;