[AUTO-CHERRYPICK] Patch vim to resolve CVE-2024-43802 - branch main (#10771)
Co-authored-by: Sam Meluch <109628994+sameluch@users.noreply.github.com>
This commit is contained in:
Родитель
cdd7571aab
Коммит
95c646c8e7
|
@ -0,0 +1,49 @@
|
|||
From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
|
||||
From: Christian Brabandt <cb@256bit.org>
|
||||
Date: Sun, 25 Aug 2024 21:33:03 +0200
|
||||
Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
|
||||
ins_typebuf
|
||||
|
||||
Problem: heap-buffer-overflow in ins_typebuf
|
||||
(SuyueGuo)
|
||||
Solution: When flushing the typeahead buffer, validate that there
|
||||
is enough space left
|
||||
|
||||
Github Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
|
||||
Removed binary test file and test only changes for security fix
|
||||
|
||||
---
|
||||
src/getchar.c | 15 ++++++++++++---
|
||||
1 files changed, 12 insertions(+), 3 deletions(-)
|
||||
create mode 100644 src/testdir/crash/heap_overflow3
|
||||
|
||||
diff --git a/src/getchar.c b/src/getchar.c
|
||||
index 29323fa328bd1..96e180f4ae1a9 100644
|
||||
--- a/src/getchar.c
|
||||
+++ b/src/getchar.c
|
||||
@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
|
||||
|
||||
if (flush_typeahead == FLUSH_MINIMAL)
|
||||
{
|
||||
- // remove mapped characters at the start only
|
||||
- typebuf.tb_off += typebuf.tb_maplen;
|
||||
- typebuf.tb_len -= typebuf.tb_maplen;
|
||||
+ // remove mapped characters at the start only,
|
||||
+ // but only when enough space left in typebuf
|
||||
+ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
|
||||
+ {
|
||||
+ typebuf.tb_off = MAXMAPLEN;
|
||||
+ typebuf.tb_len = 0;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ typebuf.tb_off += typebuf.tb_maplen;
|
||||
+ typebuf.tb_len -= typebuf.tb_maplen;
|
||||
+ }
|
||||
#if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
|
||||
if (typebuf.tb_len == 0)
|
||||
typebuf_was_filled = FALSE;
|
|
@ -2,7 +2,7 @@
|
|||
Summary: Text editor
|
||||
Name: vim
|
||||
Version: 9.0.2121
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: Vim
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -13,7 +13,7 @@ Patch0: CVE-2024-22667.patch
|
|||
Patch1: CVE-2024-43374.patch
|
||||
Patch2: CVE-2024-41957.patch
|
||||
Patch3: CVE-2024-41965.patch
|
||||
|
||||
Patch4: CVE-2024-43802.patch
|
||||
BuildRequires: ncurses-devel
|
||||
BuildRequires: python3-devel
|
||||
Requires(post): sed
|
||||
|
@ -201,6 +201,9 @@ fi
|
|||
%{_bindir}/vimdiff
|
||||
|
||||
%changelog
|
||||
* Tue Oct 08 2024 Sam Meluch <sammeluch@microsoft.com> - 9.0.2121-5
|
||||
- Add patch to resolve CVE-2024-43802
|
||||
|
||||
* Wed Sep 18 2024 Sumedh Sharma <sumsharma@microsoft.com> - 9.0.2121-4
|
||||
- Add patch to resolve CVE-2024-41957 & CVE-2024-41965
|
||||
|
||||
|
|
Загрузка…
Ссылка в новой задаче