-
Notifications
You must be signed in to change notification settings - Fork 540
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[AUTO-CHERRYPICK] Patch vim to resolve CVE-2024-43802 - branch 3.0-dev (
#10772) Co-authored-by: Sam Meluch <[email protected]>
- Loading branch information
1 parent
b855fd5
commit a12d27d
Showing
2 changed files
with
54 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001 | ||
| From: Christian Brabandt <[email protected]> | ||
| Date: Sun, 25 Aug 2024 21:33:03 +0200 | ||
| Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in | ||
| ins_typebuf | ||
|
|
||
| Problem: heap-buffer-overflow in ins_typebuf | ||
| (SuyueGuo) | ||
| Solution: When flushing the typeahead buffer, validate that there | ||
| is enough space left | ||
|
|
||
| Github Advisory: | ||
| https:/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh | ||
|
|
||
| Signed-off-by: Christian Brabandt <[email protected]> | ||
|
|
||
| Removed binary test file and test only changes for security fix | ||
|
|
||
| --- | ||
| src/getchar.c | 15 ++++++++++++--- | ||
| 1 files changed, 12 insertions(+), 3 deletions(-) | ||
| create mode 100644 src/testdir/crash/heap_overflow3 | ||
|
|
||
| diff --git a/src/getchar.c b/src/getchar.c | ||
| index 29323fa328bd1..96e180f4ae1a9 100644 | ||
| --- a/src/getchar.c | ||
| +++ b/src/getchar.c | ||
| @@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead) | ||
|
|
||
| if (flush_typeahead == FLUSH_MINIMAL) | ||
| { | ||
| - // remove mapped characters at the start only | ||
| - typebuf.tb_off += typebuf.tb_maplen; | ||
| - typebuf.tb_len -= typebuf.tb_maplen; | ||
| + // remove mapped characters at the start only, | ||
| + // but only when enough space left in typebuf | ||
| + if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen) | ||
| + { | ||
| + typebuf.tb_off = MAXMAPLEN; | ||
| + typebuf.tb_len = 0; | ||
| + } | ||
| + else | ||
| + { | ||
| + typebuf.tb_off += typebuf.tb_maplen; | ||
| + typebuf.tb_len -= typebuf.tb_maplen; | ||
| + } | ||
| #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL) | ||
| if (typebuf.tb_len == 0) | ||
| typebuf_was_filled = FALSE; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,7 @@ | |
| Summary: Text editor | ||
| Name: vim | ||
| Version: 9.0.2190 | ||
| Release: 5%{?dist} | ||
| Release: 6%{?dist} | ||
| License: Vim | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux | ||
|
|
@@ -14,7 +14,7 @@ Patch0: CVE-2024-41957.patch | |
| Patch1: fix_save_unnamed_buffer_correctly.patch | ||
| Patch2: CVE-2024-41965.patch | ||
| Patch3: CVE-2024-43374.patch | ||
|
|
||
| Patch4: CVE-2024-43802.patch | ||
| BuildRequires: ncurses-devel | ||
| BuildRequires: python3-devel | ||
| Requires(post): sed | ||
|
|
@@ -222,6 +222,9 @@ fi | |
| %{_rpmconfigdir}/macros.d/macros.vim | ||
|
|
||
| %changelog | ||
| * Tue Oct 08 2024 Sam Meluch <[email protected]> - 9.0.2190-6 | ||
| - Add patch to resolve CVE-2024-43802 | ||
|
|
||
| * Tue Aug 20 2024 Brian Fjeldstad <[email protected]> - 9.0.2190-5 | ||
| - Add patch to resolve CVE-2024-43374 | ||
|
|
||
|
|
||