[AUTO-CHERRYPICK] Patch vim to resolve CVE-2024-43802 - branch main (#10771)

Co-authored-by: Sam Meluch <109628994+sameluch@users.noreply.github.com>
CBL-Mariner-Bot 2024-10-18 15:31:55 -04:00 committed by GitHub
parent cdd7571aab
commit 95c646c8e7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 54 additions and 2 deletions


@ -0,0 +1,49 @@
From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Sun, 25 Aug 2024 21:33:03 +0200
Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
ins_typebuf
Problem: heap-buffer-overflow in ins_typebuf
(SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
is enough space left
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
Signed-off-by: Christian Brabandt <cb@256bit.org>
Removed binary test file and test only changes for security fix
---
src/getchar.c | 15 ++++++++++++---
1 files changed, 12 insertions(+), 3 deletions(-)
create mode 100644 src/testdir/crash/heap_overflow3
diff --git a/src/getchar.c b/src/getchar.c
index 29323fa328bd1..96e180f4ae1a9 100644
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
if (flush_typeahead == FLUSH_MINIMAL)
{
- // remove mapped characters at the start only
- typebuf.tb_off += typebuf.tb_maplen;
- typebuf.tb_len -= typebuf.tb_maplen;
+ // remove mapped characters at the start only,
+ // but only when enough space left in typebuf
+ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+ {
+ typebuf.tb_off = MAXMAPLEN;
+ typebuf.tb_len = 0;
+ }
+ else
+ {
+ typebuf.tb_off += typebuf.tb_maplen;
+ typebuf.tb_len -= typebuf.tb_maplen;
+ }
#if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
if (typebuf.tb_len == 0)
typebuf_was_filled = FALSE;
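Review bot: the diffstat in the patch header is stale relative to the body: the note "Removed binary test file and test only changes for security fix" says the test artefact was dropped, yet the header still carries `create mode 100644 src/testdir/crash/heap_overflow3` (and "1 files changed" should read "1 file changed"); regenerate the header after stripping the test file, or delete that `create mode` line, so the stat describes what the patch actually touches (only the src/getchar.c hunk, whose 12 insertions and 3 deletions do match `15 ++++++++++++---`). Separately, the new fallback branch (`typebuf.tb_off = MAXMAPLEN; typebuf.tb_len = 0;`) discards the entire typeahead buffer rather than only the mapped prefix, which is a safe response to the out-of-bounds condition but differs from what FLUSH_MINIMAL normally does; the comment "but only when enough space left in typebuf" describes the else branch only, so add a line on the if branch stating that the whole buffer is dropped when the mapped length would run past tb_buflen.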


@ -2,7 +2,7 @@
Summary: Text editor
Name: vim
Version: 9.0.2121
Release: 4%{?dist}
Release: 5%{?dist}
License: Vim
Vendor: Microsoft Corporation
Distribution: Mariner
@ -13,7 +13,7 @@ Patch0: CVE-2024-22667.patch
Patch1: CVE-2024-43374.patch
Patch2: CVE-2024-41957.patch
Patch3: CVE-2024-41965.patch
Patch4: CVE-2024-43802.patch
BuildRequires: ncurses-devel
BuildRequires: python3-devel
Requires(post): sed
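Review bot: `Patch4: CVE-2024-43802.patch` is declared here, but the hunk does not show how the spec applies its patches; confirm that %prep picks up Patch4 (through `%autosetup -p1` or an explicit `%patch` line in the same style used for Patch0 through Patch3), otherwise the Release bump to 5 and the changelog entry would ship without the fix. Since the upstream change is vim patch 9.1.0697 and this package is at 9.0.2121, the build log (or a `git apply --check` of the patch against the unpacked source) is the evidence that the flush_buffers() hunk applies cleanly to the older tree.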
@ -201,6 +201,9 @@ fi
%{_bindir}/vimdiff
%changelog
* Tue Oct 08 2024 Sam Meluch <sammeluch@microsoft.com> - 9.0.2121-5
- Add patch to resolve CVE-2024-43802
* Wed Sep 18 2024 Sumedh Sharma <sumsharma@microsoft.com> - 9.0.2121-4
- Add patch to resolve CVE-2024-41957 & CVE-2024-41965
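Review bot: the 9.0.2121-5 changelog entry names the CVE but not its upstream source; adding "backport of upstream patch 9.1.0697" to `- Add patch to resolve CVE-2024-43802` makes the provenance of the backport traceable from the package metadata alone, matching the Subject line of the patch being added.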