vim is vulnerable to Use After Free Problem: Checking first character of url twice.
reference: https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3 --- .../vim/files/CVE-2021-3796.patch | 70 +++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 71 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch new file mode 100644 index 0000000000..08becb4d9a --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch @@ -0,0 +1,70 @@ +From 296bf20889e66e3235e199838c6e360db2c4166d Mon Sep 17 00:00:00 2001 +From: Minjae Kim <flower...@gmail.com> +Date: Fri, 22 Oct 2021 02:24:32 +0000 +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing + +Problem: Using freed memory when replacing. (Dhiraj Mishra) +Solution: Get the line pointer after calling ins_copychar(). + +Upstream-Status: Accepted [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3] +CVE: CVE-2021-3796 +Signed-off-by: Minjae Kim <flower...@gmail.com> +--- + src/normal.c | 11 +++++++---- + src/testdir/test_edit.vim | 12 ++++++++++++ + 2 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/src/normal.c b/src/normal.c +index c4963e621..277c92595 100644 +--- a/src/normal.c ++++ b/src/normal.c +@@ -5009,19 +5009,22 @@ nv_replace(cmdarg_T *cap) + { + /* + * Get ptr again, because u_save and/or showmatch() will have +- * released the line. At the same time we let know that the ++ * released the line. This may also happen in ins_copychar(). ++ * At the same time we let know that the + * line will be changed. + */ +- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y) + { + int c = ins_copychar(curwin->w_cursor.lnum + + (cap->nchar == Ctrl_Y ? -1 : 1)); ++ ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + if (c != NUL) + ptr[curwin->w_cursor.col] = c; +- } +- else ++ } else { + ptr[curwin->w_cursor.col] = cap->nchar; ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); ++ } + if (p_sm && msg_silent == 0) + showmatch(cap->nchar); + ++curwin->w_cursor.col; +diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim +index 4e29e7fe1..d7565e1ea 100644 +--- a/src/testdir/test_edit.vim ++++ b/src/testdir/test_edit.vim +@@ -1519,3 +1519,15 @@ func Test_edit_noesckeys() + bwipe! + set esckeys + endfunc ++ ++" Test for getting the character of the line below after "p" ++func Test_edit_put_CTRL_E() ++ set encoding=latin1 ++ new ++ let @" = '' ++ sil! norm orggRx ++ sil! norm pr ++ call assert_equal(['r', 'r'], getline(1, 2)) ++ bwipe! ++ set encoding=utf-8 ++endfunc +-- +2.17.1 + diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index fc4e205b74..0973a368c0 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,6 +19,7 @@ SRC_URI = "git://github.com/vim/vim.git \ file://racefix.patch \ file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \ file://CVE-2021-3778.patch \ + file://CVE-2021-3796.patch \ " SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44" -- 2.30.1 (Apple Git-130)
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#157293): https://lists.openembedded.org/g/openembedded-core/message/157293 Mute This Topic: https://lists.openembedded.org/mt/86506415/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
