vim: fix CVE-2021-3927 and CVE-2021-3928

Backport patches to fix CVE-2021-3927 and CVE-2021-3928. (From OE-Core rev: 41ba5054fc4d014ab3a2af0cc7673e275aaecee0) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mingli Yu <mingli.yu@windriver.com> 2021-11-17 17:18:26 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-11-24 21:12:46 +0000
commit: 39ee281be1d3e155caf810123cedbf5833ce7045 (patch)
tree: 1850d1af9735e9a8108d8bbb8f41852a17325d8d
parent: 729693f0c250aec7dfdb91a9bb4dd5420c7efbee (diff)
download: poky-39ee281be1d3e155caf810123cedbf5833ce7045.tar.gz
3 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-support/vim/files/CVE-2021-3927.patch b/meta/recipes-support/vim/files/CVE-2021-3927.patch
new file mode 100644
index 0000000000..90b1b6b82e
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3927.patch
@@ -0,0 +1,32 @@
+From f334a87204b4aab76536063b37b4d4a10be46a3a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 17 Nov 2021 11:09:48 +0800
+Subject: [PATCH] patch 8.2.3581: reading character past end of line
+Problem:    Reading character past end of line.
+Solution:   Correct the cursor column.
+CVE: CVE-2021-3927
+Upstream-Status: Backport [https://github.com/vim/vim/commit/0b5b06cb4777d1401fdf83e7d48d287662236e7e]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/ex_docmd.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index 89d33ba90..54d7f4cb3 100644
+--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
+@@ -6905,6 +6905,7 @@ ex_put(exarg_T *eap)
+        eap->forceit = TRUE;
+     }
+     curwin->w_cursor.lnum = eap->line2;
+    check_cursor_col();
+     do_put(eap->regname, eap->forceit ? BACKWARD : FORWARD, 1L,
+                                                       PUT_LINE|PUT_CURSLINE);
+ }
+-- 
+2.17.1
diff --git a/meta/recipes-support/vim/files/CVE-2021-3928.patch b/meta/recipes-support/vim/files/CVE-2021-3928.patch
new file mode 100644
index 0000000000..8672367ab9
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3928.patch
@@ -0,0 +1,34 @@
+From ad7f7a3f81077ddfac451acd33ca049b9f2a5178 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 17 Nov 2021 11:22:21 +0800
+Subject: [PATCH] patch 8.2.3582: reading uninitialized memory when giving
+ spell suggestions
+Problem:    Reading uninitialized memory when giving spell suggestions.
+Solution:   Check that preword is not empty.
+CVE: CVE-2021-3928
+Upstream-Status: Backport [https://github.com/vim/vim/commit/15d9890eee53afc61eb0a03b878a19cb5672f732]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/spellsuggest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/spellsuggest.c b/src/spellsuggest.c
+index 9d6df7930..88307b203 100644
+--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
+@@ -1600,7 +1600,7 @@ suggest_trie_walk(
+                    // char, e.g., "thes," -> "these".
+                    p = fword + sp->ts_fidx;
+                    MB_PTR_BACK(fword, p);
+-                   if (!spell_iswordp(p, curwin))
+                   if (!spell_iswordp(p, curwin) && *preword != NUL)
+                    {
+                        p = preword + STRLEN(preword);
+                        MB_PTR_BACK(preword, p);
+-- 
+2.17.1
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 65b0b2e330..864006192b 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -23,6 +23,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
           file://CVE-2021-3903.patch \
           file://CVE-2021-3872.patch \
           file://CVE-2021-3875.patch \
+           file://CVE-2021-3927.patch \
+           file://CVE-2021-3928.patch \
 "
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
author	Mingli Yu <mingli.yu@windriver.com>	2021-11-17 17:18:26 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-11-24 21:12:46 +0000
commit	39ee281be1d3e155caf810123cedbf5833ce7045 (patch)
tree	1850d1af9735e9a8108d8bbb8f41852a17325d8d
parent	729693f0c250aec7dfdb91a9bb4dd5420c7efbee (diff)
download	poky-39ee281be1d3e155caf810123cedbf5833ce7045.tar.gz

diff --git a/meta/recipes-support/vim/files/CVE-2021-3927.patch b/meta/recipes-support/vim/files/CVE-2021-3927.patch new file mode 100644 index 0000000000..90b1b6b82e --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2021-3927.patch
@@ -0,0 +1,32 @@
		1	From f334a87204b4aab76536063b37b4d4a10be46a3a Mon Sep 17 00:00:00 2001
		2	From: Bram Moolenaar <Bram@vim.org>
		3	Date: Wed, 17 Nov 2021 11:09:48 +0800
		4	Subject: [PATCH] patch 8.2.3581: reading character past end of line
		5
		6	Problem: Reading character past end of line.
		7	Solution: Correct the cursor column.
		8
		9	CVE: CVE-2021-3927
		10
		11	Upstream-Status: Backport [https://github.com/vim/vim/commit/0b5b06cb4777d1401fdf83e7d48d287662236e7e]
		12
		13	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		14	---
		15	src/ex_docmd.c \| 1 +
		16	1 file changed, 1 insertion(+)
		17
		18	diff --git a/src/ex_docmd.c b/src/ex_docmd.c
		19	index 89d33ba90..54d7f4cb3 100644
		20	--- a/src/ex_docmd.c
		21	+++ b/src/ex_docmd.c
		22	@@ -6905,6 +6905,7 @@ ex_put(exarg_T *eap)
		23	eap->forceit = TRUE;
		24	}
		25	curwin->w_cursor.lnum = eap->line2;
		26	+ check_cursor_col();
		27	do_put(eap->regname, eap->forceit ? BACKWARD : FORWARD, 1L,
		28	PUT_LINE\|PUT_CURSLINE);
		29	}
		30	--
		31	2.17.1
		32


diff --git a/meta/recipes-support/vim/files/CVE-2021-3928.patch b/meta/recipes-support/vim/files/CVE-2021-3928.patch new file mode 100644 index 0000000000..8672367ab9 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2021-3928.patch
@@ -0,0 +1,34 @@
		1	From ad7f7a3f81077ddfac451acd33ca049b9f2a5178 Mon Sep 17 00:00:00 2001
		2	From: Bram Moolenaar <Bram@vim.org>
		3	Date: Wed, 17 Nov 2021 11:22:21 +0800
		4	Subject: [PATCH] patch 8.2.3582: reading uninitialized memory when giving
		5	spell suggestions
		6
		7	Problem: Reading uninitialized memory when giving spell suggestions.
		8	Solution: Check that preword is not empty.
		9
		10	CVE: CVE-2021-3928
		11
		12	Upstream-Status: Backport [https://github.com/vim/vim/commit/15d9890eee53afc61eb0a03b878a19cb5672f732]
		13
		14	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		15	---
		16	src/spellsuggest.c \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/src/spellsuggest.c b/src/spellsuggest.c
		20	index 9d6df7930..88307b203 100644
		21	--- a/src/spellsuggest.c
		22	+++ b/src/spellsuggest.c
		23	@@ -1600,7 +1600,7 @@ suggest_trie_walk(
		24	// char, e.g., "thes," -> "these".
		25	p = fword + sp->ts_fidx;
		26	MB_PTR_BACK(fword, p);
		27	- if (!spell_iswordp(p, curwin))
		28	+ if (!spell_iswordp(p, curwin) && *preword != NUL)
		29	{
		30	p = preword + STRLEN(preword);
		31	MB_PTR_BACK(preword, p);
		32	--
		33	2.17.1
		34


diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 65b0b2e330..864006192b 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc
@@ -23,6 +23,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
23	file://CVE-2021-3903.patch \	23	file://CVE-2021-3903.patch \
24	file://CVE-2021-3872.patch \	24	file://CVE-2021-3872.patch \
25	file://CVE-2021-3875.patch \	25	file://CVE-2021-3875.patch \
		26	file://CVE-2021-3927.patch \
		27	file://CVE-2021-3928.patch \
26	"	28	"
27		29
28	SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"	30	SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"