On Mon, Oct 25, 2021 at 6:43 AM Steve Sakoman via lists.openembedded.org <steve=sakoman....@lists.openembedded.org> wrote: > > On Sun, Oct 24, 2021 at 9:29 PM Minjae Kim <flower...@gmail.com> wrote: > > > > vim is vulnerable to Use After Free > > Problem: Checking first character of url twice. > > > > reference: > > https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3 > > > > Signed-off-by: Minjae Kim <flower...@gmail.com> > > --- > > .../vim/files/CVE-2021-3796.patch | 50 +++++++++++++++++++ > > 1 file changed, 50 insertions(+) > > create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch > > You don't seem to be adding the patch to the SRC_URI in the recipe!
I fixed that issue, but now once again the patch file fails to apply: stdio: ERROR: vim-8.2-r0 do_patch: Applying patch 'CVE-2021-3796.patch' on target directory '/home/pokybuild/yocto-worker/no-x11/build/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/git' stdio: ERROR: Logfile of failure stored in: /home/pokybuild/yocto-worker/no-x11/build/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/temp/log.do_patch.7612 stdio: ERROR: Task (/home/pokybuild/yocto-worker/no-x11/build/meta/recipes-support/vim/vim_8.2.bb:do_patch) failed with exit code '1' Steve > > Steve > > > > > diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch > > b/meta/recipes-support/vim/files/CVE-2021-3796.patch > > new file mode 100644 > > index 0000000000..666bd5c48b > > --- /dev/null > > +++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch > > @@ -0,0 +1,50 @@ > > +From 6d02e1429771c00046b48f26e53ca4123c3ce4e1 Mon Sep 17 00:00:00 2001 > > +From: Bram Moolenaar <b...@vim.org> > > +Date: Fri, 24 Sep 2021 16:01:09 +0800 > > +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing > > + > > +Problem: Using freed memory when replacing. (Dhiraj Mishra) > > +Solution: Get the line pointer after calling ins_copychar(). > > + > > +Upstream-Status: Backport > > [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3] > > +CVE: CVE-2021-3796 > > + > > +Signed-off-by: Minjae Kim <flower...@gmail.com> > > +--- > > + src/normal.c | 10 +++++++--- > > + 1 file changed, 7 insertions(+), 3 deletions(-) > > + > > +diff --git a/src/normal.c b/src/normal.c > > +index c4963e621..305b514bc 100644 > > +--- a/src/normal.c > > ++++ b/src/normal.c > > +@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap) > > + { > > + /* > > + * Get ptr again, because u_save and/or showmatch() will > > have > > +- * released the line. At the same time we let know that the > > +- * line will be changed. > > ++ * released the line. This may also happen in > > ins_copychar(). > > ++ * At the same time we let know that the line will be > > changed. > > + */ > > +- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); > > + if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y) > > + { > > + int c = ins_copychar(curwin->w_cursor.lnum > > + + (cap->nchar == Ctrl_Y ? -1 : > > 1)); > > ++ > > ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); > > + if (c != NUL) > > + ptr[curwin->w_cursor.col] = c; > > + } > > + else > > ++ { > > ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); > > + ptr[curwin->w_cursor.col] = cap->nchar; > > ++ } > > + if (p_sm && msg_silent == 0) > > + showmatch(cap->nchar); > > + ++curwin->w_cursor.col; > > +-- > > +2.17.1 > > + > > -- > > 2.30.1 (Apple Git-130) > > > > > > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#157353): https://lists.openembedded.org/g/openembedded-core/message/157353 Mute This Topic: https://lists.openembedded.org/mt/86572003/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
