Projects
openEuler:24.03:SP1:Everything:64G
vim
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 2
View file
_service:tar_scm:vim.spec
Changed
@@ -14,7 +14,7 @@ Name: vim Epoch: 2 Version: %{baseversion}.%{patchlevel} -Release: 10 +Release: 13 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -49,8 +49,11 @@ Patch6015: backport-patch-9.1.0554-bw-leaves-jumplist-and-tagstack-data-.patch Patch6016: backport-CVE-2024-41957.patch Patch6017: backport-CVE-2024-43374.patch +Patch6018: backport-CVE-2024-43802.patch +Patch6019: backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch Patch9000: bugfix-rm-modify-info-version.patch +Patch9001: fix-CVE-2024-47814.patch BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file @@ -456,6 +459,24 @@ %{_mandir}/man1/evim.* %changelog +* Thu Oct 17 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-13 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix coredump in prop_add() with id>INT_MAX + +* Tue Oct 08 2024 changtao <changtao@kylinos.cn> - 2:9.0.2092-12 +- Type:CVE +- ID:CVE-2024-47814 +- SUG:NA +- DESC:fix CVE-2024-47814 + +* Thu Aug 29 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-11 +- Type:CVE +- ID:CVE-2024-43802 +- SUG:NA +- DESC:fix CVE-2024-43802 + * Wed Aug 21 2024 Funda Wang <fundawang@yeah.net> - 2:9.0.2092-10 - Type:enhacement - ID:NA
View file
_service:tar_scm:backport-CVE-2024-43802.patch
Added
@@ -0,0 +1,45 @@ +From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Sun, 25 Aug 2024 21:33:03 +0200 +Subject: PATCH patch 9.1.0697: security: heap-buffer-overflow in + ins_typebuf + +Problem: heap-buffer-overflow in ins_typebuf + (SuyueGuo) +Solution: When flushing the typeahead buffer, validate that there + is enough space left + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + src/getchar.c | 15 ++++++++++++--- + 1 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/getchar.c b/src/getchar.c +index 29323fa328bd1..96e180f4ae1a9 100644 +--- a/src/getchar.c ++++ b/src/getchar.c +@@ -438,9 +438,18 @@ flush_buffers(flush_buffers_T flush_typeahead) + + if (flush_typeahead == FLUSH_MINIMAL) + { +- // remove mapped characters at the start only +- typebuf.tb_off += typebuf.tb_maplen; +- typebuf.tb_len -= typebuf.tb_maplen; ++ // remove mapped characters at the start only, ++ // but only when enough space left in typebuf ++ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen) ++ { ++ typebuf.tb_off = MAXMAPLEN; ++ typebuf.tb_len = 0; ++ } ++ else ++ { ++ typebuf.tb_off += typebuf.tb_maplen; ++ typebuf.tb_len -= typebuf.tb_maplen; ++ } + #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL) + if (typebuf.tb_len == 0) + typebuf_was_filled = FALSE;
View file
_service:tar_scm:backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch
Added
@@ -0,0 +1,116 @@ +From 701c863e68fa24847100beef3c9008024615a081 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Sun, 8 Sep 2024 20:05:23 +0200 +Subject: PATCH patch 9.1.0722: crash with large id in text_prop interface + +Problem: crash with large id in text_prop interface + prop_add()/prop_add_list() (cposture) +Solution: Error out if the id is > INT_MAX or <= INT_MIN + +fixes: #15637 +closes: #15638 + +Signed-off-by: Christian Brabandt <cb@256bit.org> +--- + runtime/doc/textprop.txt | 12 ++++++------ + src/testdir/test_textprop.vim | 4 ++++ + src/textprop.c | 22 ++++++++++++++++++++-- + 3 files changed, 30 insertions(+), 8 deletions(-) + +diff --git a/runtime/doc/textprop.txt b/runtime/doc/textprop.txt +index 6b46e06df9a20..0a04abbdb6d01 100644 +--- a/runtime/doc/textprop.txt ++++ b/runtime/doc/textprop.txt +@@ -1,4 +1,4 @@ +-*textprop.txt* For Vim version 9.0. Last change: 2023 Apr 23 ++*textprop.txt* For Vim version 9.1. Last change: 2024 Sep 08 + + + VIM REFERENCE MANUAL by Bram Moolenaar +@@ -138,10 +138,10 @@ prop_add({lnum}, {col}, {props}) + bufnr buffer to add the property to; when omitted + the current buffer is used + id user defined ID for the property; must be a +- number, should be positive; when using "text" +- then "id" must not be present and will be set +- automatically to a negative number; otherwise +- zero is used ++ number, should be positive |E1510|; ++ when using "text" then "id" must not be ++ present and will be set automatically to a ++ negative number; otherwise zero is used + *E1305* + text text to be displayed before {col}, or + above/below the line if {col} is zero; prepend +@@ -267,7 +267,7 @@ prop_add_list({props}, {item}, ...) + call prop_add_list(#{type: 'MyProp', id: 2}, + \ 1, 4, 1, 7, + \ 1, 15, 1, 20, +- \ 2, 30, 3, 30 ++ \ 2, 30, 3, 30) + < + Can also be used as a |method|: > + GetProp()->prop_add_list(1, 1, 1, 2, 1, 4, 1, 8) +diff --git a/src/testdir/test_textprop.vim b/src/testdir/test_textprop.vim +index 57277f79e2506..bbb911f959305 100644 +--- a/src/testdir/test_textprop.vim ++++ b/src/testdir/test_textprop.vim +@@ -393,6 +393,8 @@ func Test_prop_add_list() + call assert_fails('call prop_add_list(test_null_dict(), 2, 2, 2)', 'E965:') + call assert_fails('call prop_add_list(#{type: "one"}, test_null_list())', 'E1298:') + call assert_fails('call prop_add_list(#{type: "one"}, test_null_list())', 'E714:') ++ call assert_fails('call prop_add_list(#{type: "one", id: 2147483648}, 2, 2, 2, 2, 3, 20, 3, 22)', 'E1510:') ++ call assert_fails('call prop_add_list(#{type: "one", id: -2147483648}, 2, 2, 2, 2, 3, 20, 3, 22)', 'E1510:') + + " only one error for multiple wrong values + call assert_fails('call prop_add_list(#{type: "one"}, {}, , 0z00, 0.3)', 'E728:', 'E728:') +@@ -1743,6 +1745,8 @@ func Test_prop_func_invalid_args() + call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'length':-1})", 'E475:') + call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'end_col':0})", 'E475:') + call assert_fails("call prop_add(2, 3, {'length':1})", 'E965:') ++ call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': 2147483648})", 'E1510:') ++ call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': -2147483648})", 'E1510:') + + call prop_type_delete('xxx') + bwipe! +diff --git a/src/textprop.c b/src/textprop.c +index fe0c8d20cbd46..d16f8ecef3abe 100644 +--- a/src/textprop.c ++++ b/src/textprop.c +@@ -372,7 +372,16 @@ f_prop_add_list(typval_T *argvars, typval_T *rettv UNUSED) + type_name = dict_get_string(dict, "type", FALSE); + + if (dict_has_key(dict, "id")) +- id = dict_get_number(dict, "id"); ++ { ++ long long x; ++ x = dict_get_number(dict, "id"); ++ if (x > INT_MAX || x <= INT_MIN) ++ { ++ semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE)); ++ return; ++ } ++ id = (int)x; ++ } + + if (get_bufnr_from_arg(&argvars0, &buf) == FAIL) + return; +@@ -497,7 +506,16 @@ prop_add_common( + end_col = 1; + + if (dict_has_key(dict, "id")) +- id = dict_get_number(dict, "id"); ++ { ++ long long x; ++ x = dict_get_number(dict, "id"); ++ if (x > INT_MAX || x <= INT_MIN) ++ { ++ semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE)); ++ goto theend; ++ } ++ id = (int)x; ++ } + + if (dict_has_key(dict, "text")) + { +
View file
_service:tar_scm:fix-CVE-2024-47814.patch
Added
@@ -0,0 +1,117 @@ +From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Tue, 8 Oct 2024 09:24:30 +0800 +Subject: PATCH fix CVE-2024-47814 + +Problem: security: use-after-free when closing a buffer +Solution: When splitting the window and editing a new buffer, + check whether the newly to be edited buffer has been marked + for deletion and abort in this case + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg + +Signed-off-by: Christian Brabandt <cb@256bit.org> + +--- + src/buffer.c | 6 ++++++ + src/ex_cmds.c | 12 ++++++++++++ + src/proto/buffer.pro | 1 + + src/testdir/test_autocmd.vim | 19 +++++++++++++++++++ + src/version.c | 2 ++ + 5 files changed, 40 insertions(+) + +diff --git a/src/buffer.c b/src/buffer.c +index 260d22e..6bdb7a6 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -496,6 +496,12 @@ can_unload_buffer(buf_T *buf) + return can_unload; + } + ++ int ++buf_locked(buf_T *buf) ++{ ++ return buf->b_locked || buf->b_locked_split; ++} ++ + /* + * Close the link to a buffer. + * "action" is used when there is no longer a window for the buffer. +diff --git a/src/ex_cmds.c b/src/ex_cmds.c +index 46c4503..31cef2a 100644 +--- a/src/ex_cmds.c ++++ b/src/ex_cmds.c +@@ -2740,6 +2740,18 @@ do_ecmd( + } + if (buf == NULL) + goto theend; ++ // autocommands try to edit a file that is goind to be removed, ++ // abort ++ if (buf_locked(buf)) ++ { ++ // window was split, but not editing the new buffer, ++ // reset b_nwindows again ++ if (oldwin == NULL ++ && curwin->w_buffer != NULL ++ && curwin->w_buffer->b_nwindows > 1) ++ --curwin->w_buffer->b_nwindows; ++ goto theend; ++ } + if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0) + // reusing the buffer, keep the old alternate file + curwin->w_alt_fnum = prev_alt_fnum; +diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro +index 3a61027..dc68ca8 100644 +--- a/src/proto/buffer.pro ++++ b/src/proto/buffer.pro +@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf); + void set_buflisted(int on); + int buf_contents_changed(buf_T *buf); + void wipe_buffer(buf_T *buf, int aucmd); ++int buf_locked(buf_T *buf); + /* vim: set ft=c : */ +diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim +index 0652a6f..3abde1e 100644 +--- a/src/testdir/test_autocmd.vim ++++ b/src/testdir/test_autocmd.vim +@@ -4311,4 +4311,23 @@ func Test_autocmd_shortmess() + delfunc SetupVimTest_shm + endfunc + ++" This was using freed memory ++func Test_autocmd_BufWinLeave_with_vsp() ++ new ++ let fname = 'XXXBufWinLeaveUAF.txt' ++ let dummy = 'XXXDummy.txt' ++ call writefile(, fname) ++ call writefile(, dummy) ++ defer delete(fname) ++ defer delete(dummy) ++ exe "e " fname ++ vsp ++ augroup testing ++ exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname ++ augroup END ++ bw ++ call CleanUpTestAuGroup() ++ exe "bw! " .. dummy ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/version.c b/src/version.c +index 10916ed..286a45f 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -704,6 +704,8 @@ static char *(features) = + + static int included_patches = + { /* Add new patch number below this line */ ++/**/ ++ 679, + /**/ + 678, + /**/ +-- +2.43.0 +
View file
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/vim.git</param> - <param name="revision">openEuler-24.03-LTS-Next</param> + <param name="revision">openEuler-24.03-LTS-SP1</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2