diff options
author | Ross Burton <ross@burtonini.com> | 2021-11-15 12:53:28 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-11-16 22:20:33 +0000 |
commit | bbe0130c5c2099d81741dd12ec814bbc3d61e05d (patch) | |
tree | 42875256165617c0b213f93ccefc527c67d15d2c /meta | |
parent | fad54baeab24502a724e8f4f420f563baa4fe07d (diff) | |
download | poky-bbe0130c5c2099d81741dd12ec814bbc3d61e05d.tar.gz |
vim: fix CVE-2021-3927 and CVE-2021-3928
(From OE-Core rev: 2001631e7a6edb7adc40ee4357466cc54472db71)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
3 files changed, 127 insertions, 0 deletions
diff --git a/meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch b/meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch new file mode 100644 index 0000000000..28c61cd782 --- /dev/null +++ b/meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | CVE: CVE-2021-3927 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From 93b427c6e729260d0700c3b2804ec153bc8284fa Mon Sep 17 00:00:00 2001 | ||
6 | From: Bram Moolenaar <Bram@vim.org> | ||
7 | Date: Thu, 4 Nov 2021 15:10:11 +0000 | ||
8 | Subject: [PATCH] patch 8.2.3581: reading character past end of line | ||
9 | |||
10 | Problem: Reading character past end of line. | ||
11 | Solution: Correct the cursor column. | ||
12 | --- | ||
13 | src/ex_docmd.c | 1 + | ||
14 | src/testdir/test_put.vim | 12 ++++++++++++ | ||
15 | src/version.c | 2 ++ | ||
16 | 3 files changed, 15 insertions(+) | ||
17 | |||
18 | diff --git a/src/ex_docmd.c b/src/ex_docmd.c | ||
19 | index fde726477..59e245bee 100644 | ||
20 | --- a/src/ex_docmd.c | ||
21 | +++ b/src/ex_docmd.c | ||
22 | @@ -6905,6 +6905,7 @@ ex_put(exarg_T *eap) | ||
23 | eap->forceit = TRUE; | ||
24 | } | ||
25 | curwin->w_cursor.lnum = eap->line2; | ||
26 | + check_cursor_col(); | ||
27 | do_put(eap->regname, eap->forceit ? BACKWARD : FORWARD, 1L, | ||
28 | PUT_LINE|PUT_CURSLINE); | ||
29 | } | ||
30 | diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim | ||
31 | index 225ebd1f3..922e5b269 100644 | ||
32 | --- a/src/testdir/test_put.vim | ||
33 | +++ b/src/testdir/test_put.vim | ||
34 | @@ -113,3 +113,15 @@ func Test_put_p_indent_visual() | ||
35 | call assert_equal('select that text', getline(2)) | ||
36 | bwipe! | ||
37 | endfunc | ||
38 | + | ||
39 | +func Test_put_above_first_line() | ||
40 | + new | ||
41 | + let @" = 'text' | ||
42 | + silent! normal 0o00 | ||
43 | + 0put | ||
44 | + call assert_equal('text', getline(1)) | ||
45 | + bwipe! | ||
46 | +endfunc | ||
47 | + | ||
48 | + | ||
49 | +" vim: shiftwidth=2 sts=2 expandtab | ||
50 | diff --git a/src/version.c b/src/version.c | ||
51 | index a9e8be0e7..df4ec9a47 100644 | ||
52 | --- a/src/version.c | ||
53 | +++ b/src/version.c | ||
54 | @@ -742,6 +742,8 @@ static char *(features[]) = | ||
55 | |||
56 | static int included_patches[] = | ||
57 | { /* Add new patch number below this line */ | ||
58 | +/**/ | ||
59 | + 3581, | ||
60 | /**/ | ||
61 | 3564, | ||
62 | /**/ | ||
diff --git a/meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch b/meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch new file mode 100644 index 0000000000..d117a98893 --- /dev/null +++ b/meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | CVE: CVE-2021-3928 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From ade0f0481969f1453c60e7c8354b00dfe4238739 Mon Sep 17 00:00:00 2001 | ||
6 | From: Bram Moolenaar <Bram@vim.org> | ||
7 | Date: Thu, 4 Nov 2021 15:46:05 +0000 | ||
8 | Subject: [PATCH] patch 8.2.3582: reading uninitialized memory when giving | ||
9 | spell suggestions | ||
10 | |||
11 | Problem: Reading uninitialized memory when giving spell suggestions. | ||
12 | Solution: Check that preword is not empty. | ||
13 | --- | ||
14 | src/spellsuggest.c | 2 +- | ||
15 | src/testdir/test_spell.vim | 8 ++++++++ | ||
16 | src/version.c | 2 ++ | ||
17 | 3 files changed, 11 insertions(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/src/spellsuggest.c b/src/spellsuggest.c | ||
20 | index 9d6df7930..8615d5280 100644 | ||
21 | --- a/src/spellsuggest.c | ||
22 | +++ b/src/spellsuggest.c | ||
23 | @@ -1600,7 +1600,7 @@ suggest_trie_walk( | ||
24 | // char, e.g., "thes," -> "these". | ||
25 | p = fword + sp->ts_fidx; | ||
26 | MB_PTR_BACK(fword, p); | ||
27 | - if (!spell_iswordp(p, curwin)) | ||
28 | + if (!spell_iswordp(p, curwin) && *preword != NUL) | ||
29 | { | ||
30 | p = preword + STRLEN(preword); | ||
31 | MB_PTR_BACK(preword, p); | ||
32 | diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim | ||
33 | index 79fb8927c..e435e9172 100644 | ||
34 | --- a/src/testdir/test_spell.vim | ||
35 | +++ b/src/testdir/test_spell.vim | ||
36 | @@ -498,6 +498,14 @@ func Test_spell_screendump() | ||
37 | call delete('XtestSpell') | ||
38 | endfunc | ||
39 | |||
40 | +func Test_spell_single_word() | ||
41 | + new | ||
42 | + silent! norm 0R00 | ||
43 | + spell! ß | ||
44 | + silent 0norm 0r$ Dvz= | ||
45 | + bwipe! | ||
46 | +endfunc | ||
47 | + | ||
48 | let g:test_data_aff1 = [ | ||
49 | \"SET ISO8859-1", | ||
50 | \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ", | ||
51 | diff --git a/src/version.c b/src/version.c | ||
52 | index df4ec9a47..e1bc0d09b 100644 | ||
53 | --- a/src/version.c | ||
54 | +++ b/src/version.c | ||
55 | @@ -742,6 +742,8 @@ static char *(features[]) = | ||
56 | |||
57 | static int included_patches[] = | ||
58 | { /* Add new patch number below this line */ | ||
59 | +/**/ | ||
60 | + 3582, | ||
61 | /**/ | ||
62 | 3581, | ||
63 | /**/ | ||
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 943856e07c..d0957bfeae 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc | |||
@@ -23,6 +23,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ | |||
23 | file://0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch \ | 23 | file://0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch \ |
24 | file://0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch \ | 24 | file://0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch \ |
25 | file://0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch \ | 25 | file://0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch \ |
26 | file://0001-patch-8.2.3581-reading-character-past-end-of-line.patch \ | ||
27 | file://0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch \ | ||
26 | " | 28 | " |
27 | 29 | ||
28 | SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44" | 30 | SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44" |