vim: fix CVE-2021-3872 and CVE-2021-3903

Backport 2 patches to fix below CVEs: - CVE-2021-3872 - CVE-2021-3903 (From OE-Core rev: baa351293ed036e63d0e3253f58ad4f2e448852c) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mingli Yu <mingli.yu@windriver.com> 2021-11-17 17:18:23 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-11-24 21:12:46 +0000
commit: 4c5d6076492cebd5d56403e2f74dd51d58555e53 (patch)
tree: 39b5a59415d87c030dfffa94bd2b2cad020d4461
parent: 097c86071eabaec9db55781ada99c3d011e6ff3f (diff)
download: poky-4c5d6076492cebd5d56403e2f74dd51d58555e53.tar.gz
3 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-support/vim/files/CVE-2021-3872.patch b/meta/recipes-support/vim/files/CVE-2021-3872.patch
new file mode 100644
index 0000000000..f0f30933fa
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3872.patch
@@ -0,0 +1,57 @@
+From 132d060ffbb9651f0d79bd0b6d80cab460235a99 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 12 Nov 2021 02:56:51 +0000
+Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
+ long
+Problem:    Illegal memory access if buffer name is very long.
+Solution:   Make sure not to go over the end of the buffer.
+CVE: CVE-2021-3872
+Upstream-Status: Backport [https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/drawscreen.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/src/drawscreen.c b/src/drawscreen.c
+index 3a88ee979..9acb70552 100644
+--- a/src/drawscreen.c
+++ b/src/drawscreen.c
+@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+            *(p + len++) = ' ';
+        if (bt_help(wp->w_buffer))
+        {
+-           STRCPY(p + len, _("[Help]"));
+           vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
+            len += (int)STRLEN(p + len);
+        }
+ #ifdef FEAT_QUICKFIX
+        if (wp->w_p_pvw)
+        {
+-           STRCPY(p + len, _("[Preview]"));
+           vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
+            len += (int)STRLEN(p + len);
+        }
+ #endif
+@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+ #endif
+                )
+        {
+-           STRCPY(p + len, "[+]");
+-           len += 3;
+           vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
+           len += (int)STRLEN(p + len);
+        }
+        if (wp->w_buffer->b_p_ro)
+        {
+-           STRCPY(p + len, _("[RO]"));
+           vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
+            len += (int)STRLEN(p + len);
+        }
+ 
+-- 
+2.31.1
diff --git a/meta/recipes-support/vim/files/CVE-2021-3903.patch b/meta/recipes-support/vim/files/CVE-2021-3903.patch
new file mode 100644
index 0000000000..fb45857de8
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3903.patch
@@ -0,0 +1,38 @@
+From a366598006f4d7bf9b4fbcd334a2e5078dcb6ad8 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 12 Nov 2021 02:23:38 +0000
+Subject: [PATCH] =?UTF-8?q?patch=208.2.3564:=20invalid=20memory=20access?=
+ =?UTF-8?q?=20when=20scrolling=20without=20valid=20sc=E2=80=A6?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+…reen
+Problem:    Invalid memory access when scrolling without a valid screen.
+Solution:   Do not set VALID_BOTLINE in w_valid.
+CVE: CVE-2021-3903
+Upstream-Status: Backport [https://github.com/vim/vim/commit/777e7c21b7627be80961848ac560cb0a9978ff43]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/move.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/src/move.c b/src/move.c
+index 8e53d8bcb..10165ef4d 100644
+--- a/src/move.c
+++ b/src/move.c
+@@ -198,7 +198,6 @@ update_topline(void)
+     {
+        curwin->w_topline = curwin->w_cursor.lnum;
+        curwin->w_botline = curwin->w_topline;
+-       curwin->w_valid |= VALID_BOTLINE|VALID_BOTLINE_AP;
+        curwin->w_scbind_pos = 1;
+        return;
+     }
+-- 
+2.31.1
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index db4741ba4f..1841498b74 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -20,6 +20,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
           file://CVE-2021-3778.patch \
           file://CVE-2021-3796.patch \
           file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
+           file://CVE-2021-3903.patch \
+           file://CVE-2021-3872.patch \
 "
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
author	Mingli Yu <mingli.yu@windriver.com>	2021-11-17 17:18:23 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-11-24 21:12:46 +0000
commit	4c5d6076492cebd5d56403e2f74dd51d58555e53 (patch)
tree	39b5a59415d87c030dfffa94bd2b2cad020d4461
parent	097c86071eabaec9db55781ada99c3d011e6ff3f (diff)
download	poky-4c5d6076492cebd5d56403e2f74dd51d58555e53.tar.gz

diff --git a/meta/recipes-support/vim/files/CVE-2021-3872.patch b/meta/recipes-support/vim/files/CVE-2021-3872.patch new file mode 100644 index 0000000000..f0f30933fa --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2021-3872.patch
@@ -0,0 +1,57 @@
		1	From 132d060ffbb9651f0d79bd0b6d80cab460235a99 Mon Sep 17 00:00:00 2001
		2	From: Bram Moolenaar <Bram@vim.org>
		3	Date: Fri, 12 Nov 2021 02:56:51 +0000
		4	Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
		5	long
		6
		7	Problem: Illegal memory access if buffer name is very long.
		8	Solution: Make sure not to go over the end of the buffer.
		9
		10	CVE: CVE-2021-3872
		11
		12	Upstream-Status: Backport [https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b]
		13
		14	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		15	---
		16	src/drawscreen.c \| 10 +++++-----
		17	1 file changed, 5 insertions(+), 5 deletions(-)
		18
		19	diff --git a/src/drawscreen.c b/src/drawscreen.c
		20	index 3a88ee979..9acb70552 100644
		21	--- a/src/drawscreen.c
		22	+++ b/src/drawscreen.c
		23	@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
		24	*(p + len++) = ' ';
		25	if (bt_help(wp->w_buffer))
		26	{
		27	- STRCPY(p + len, _("[Help]"));
		28	+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
		29	len += (int)STRLEN(p + len);
		30	}
		31	#ifdef FEAT_QUICKFIX
		32	if (wp->w_p_pvw)
		33	{
		34	- STRCPY(p + len, _("[Preview]"));
		35	+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
		36	len += (int)STRLEN(p + len);
		37	}
		38	#endif
		39	@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
		40	#endif
		41	)
		42	{
		43	- STRCPY(p + len, "[+]");
		44	- len += 3;
		45	+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
		46	+ len += (int)STRLEN(p + len);
		47	}
		48	if (wp->w_buffer->b_p_ro)
		49	{
		50	- STRCPY(p + len, _("[RO]"));
		51	+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
		52	len += (int)STRLEN(p + len);
		53	}
		54
		55	--
		56	2.31.1
		57


diff --git a/meta/recipes-support/vim/files/CVE-2021-3903.patch b/meta/recipes-support/vim/files/CVE-2021-3903.patch new file mode 100644 index 0000000000..fb45857de8 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2021-3903.patch
@@ -0,0 +1,38 @@
		1	From a366598006f4d7bf9b4fbcd334a2e5078dcb6ad8 Mon Sep 17 00:00:00 2001
		2	From: Bram Moolenaar <Bram@vim.org>
		3	Date: Fri, 12 Nov 2021 02:23:38 +0000
		4	Subject: [PATCH] =?UTF-8?q?patch=208.2.3564:=20invalid=20memory=20access?=
		5	=?UTF-8?q?=20when=20scrolling=20without=20valid=20sc=E2=80=A6?=
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	…reen
		11
		12	Problem: Invalid memory access when scrolling without a valid screen.
		13	Solution: Do not set VALID_BOTLINE in w_valid.
		14
		15	CVE: CVE-2021-3903
		16
		17	Upstream-Status: Backport [https://github.com/vim/vim/commit/777e7c21b7627be80961848ac560cb0a9978ff43]
		18
		19	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		20	---
		21	src/move.c \| 1 -
		22	1 file changed, 1 deletion(-)
		23
		24	diff --git a/src/move.c b/src/move.c
		25	index 8e53d8bcb..10165ef4d 100644
		26	--- a/src/move.c
		27	+++ b/src/move.c
		28	@@ -198,7 +198,6 @@ update_topline(void)
		29	{
		30	curwin->w_topline = curwin->w_cursor.lnum;
		31	curwin->w_botline = curwin->w_topline;
		32	- curwin->w_valid \|= VALID_BOTLINE\|VALID_BOTLINE_AP;
		33	curwin->w_scbind_pos = 1;
		34	return;
		35	}
		36	--
		37	2.31.1
		38


diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index db4741ba4f..1841498b74 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc
@@ -20,6 +20,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
20	file://CVE-2021-3778.patch \	20	file://CVE-2021-3778.patch \
21	file://CVE-2021-3796.patch \	21	file://CVE-2021-3796.patch \
22	file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \	22	file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
		23	file://CVE-2021-3903.patch \
		24	file://CVE-2021-3872.patch \
23	"	25	"
24		26
25	SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"	27	SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"