author Patrick J Volkerding <volkerdi@slackware.com>2022-08-20 20:04:15 +0000
committer Eric Hameleers <alien@slackware.com>2022-08-21 13:30:26 +0200
commit44e993e8025a5ef04e4b5096e272caeaa814a3c9 (patch)
treea59eed735632d3a5c1118364d60618534a1546ce /patches
parent77a67ac4653a6e8b315f7a162c878e5b7d107f57 (diff)
Sat Aug 20 20:04:15 UTC 202220220820200415_15.0
patches/packages/vim-8.2.4649-x86_64-3_slack15.0.txz: Rebuilt. Fix use after free. Thanks to marav for the heads-up. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2889 (* Security fix *) patches/packages/vim-gvim-8.2.4649-x86_64-3_slack15.0.txz: Rebuilt.
Diffstat (limited to 'patches')
-rw-r--r--patches/packages/vim-8.2.4649-x86_64-3_slack15.0.txt (renamed from patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txt)0
-rw-r--r--patches/packages/vim-gvim-8.2.4649-x86_64-3_slack15.0.txt (renamed from patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txt)0
-rw-r--r--patches/source/vim/CVE-2022-2889.patch236
-rwxr-xr-xpatches/source/vim/vim-gvim.SlackBuild3
-rwxr-xr-xpatches/source/vim/vim.SlackBuild3
5 files changed, 240 insertions, 2 deletions
diff --git a/patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txt b/patches/packages/vim-8.2.4649-x86_64-3_slack15.0.txt
index 4a843388d..4a843388d 100644
--- a/patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txt
+++ b/patches/packages/vim-8.2.4649-x86_64-3_slack15.0.txt
diff --git a/patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txt b/patches/packages/vim-gvim-8.2.4649-x86_64-3_slack15.0.txt
index 3b81553b1..3b81553b1 100644
--- a/patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txt
+++ b/patches/packages/vim-gvim-8.2.4649-x86_64-3_slack15.0.txt
diff --git a/patches/source/vim/CVE-2022-2889.patch b/patches/source/vim/CVE-2022-2889.patch
new file mode 100644
index 000000000..a5153eaa2
--- /dev/null
+++ b/patches/source/vim/CVE-2022-2889.patch
@@ -0,0 +1,236 @@
+From 91c7cbfe31bbef57d5fcf7d76989fc159f73ef15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 18 Aug 2022 13:28:31 +0100
+Subject: [PATCH] patch 9.0.0225: using freed memory with multiple line breaks
+ in expression
+
+Problem: Using freed memory with multiple line breaks in expression.
+Solution: Free eval_tofree later.
+
+diff --git a/src/eval.c b/src/eval.c
+index 42b883e9b00b..60daca51ce9d 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -353,6 +353,63 @@ eval_to_string_skip(
+ return retval;
+ }
+
++/*
++ * Initialize "evalarg" for use.
++ */
++ void
++init_evalarg(evalarg_T *evalarg)
++{
++ CLEAR_POINTER(evalarg);
++ ga_init2(&evalarg->eval_tofree_ga, sizeof(char_u *), 20);
++}
++
++/*
++ * If "evalarg->eval_tofree" is not NULL free it later.
++ * Caller is expected to overwrite "evalarg->eval_tofree" next.
++ */
++ static void
++free_eval_tofree_later(evalarg_T *evalarg)
++{
++ if (evalarg->eval_tofree != NULL)
++ {
++ if (ga_grow(&evalarg->eval_tofree_ga, 1) == OK)
++ ((char_u **)evalarg->eval_tofree_ga.ga_data)
++ [evalarg->eval_tofree_ga.ga_len++]
++ = evalarg->eval_tofree;
++ else
++ vim_free(evalarg->eval_tofree);
++ }
++}
++
++/*
++ * After using "evalarg" filled from "eap": free the memory.
++ */
++ void
++clear_evalarg(evalarg_T *evalarg, exarg_T *eap)
++{
++ if (evalarg != NULL)
++ {
++ if (evalarg->eval_tofree != NULL)
++ {
++ if (eap != NULL)
++ {
++ // We may need to keep the original command line, e.g. for
++ // ":let" it has the variable names. But we may also need the
++ // new one, "nextcmd" points into it. Keep both.
++ vim_free(eap->cmdline_tofree);
++ eap->cmdline_tofree = *eap->cmdlinep;
++ *eap->cmdlinep = evalarg->eval_tofree;
++ }
++ else
++ vim_free(evalarg->eval_tofree);
++ evalarg->eval_tofree = NULL;
++ }
++
++ ga_clear_strings(&evalarg->eval_tofree_ga);
++ VIM_CLEAR(evalarg->eval_tofree_lambda);
++ }
++}
++
+ /*
+ * Skip over an expression at "*pp".
+ * Return FAIL for an error, OK otherwise.
+@@ -435,8 +492,8 @@ skip_expr_concatenate(
+ // Do not free the first line, the caller can still use it.
+ *((char_u **)gap->ga_data) = NULL;
+ // Do not free the last line, "arg" points into it, free it
+- // later.
+- vim_free(evalarg->eval_tofree);
++ // later. Also free "eval_tofree" later if needed.
++ free_eval_tofree_later(evalarg);
+ evalarg->eval_tofree =
+ ((char_u **)gap->ga_data)[gap->ga_len - 1];
+ ((char_u **)gap->ga_data)[gap->ga_len - 1] = NULL;
+@@ -2274,7 +2331,7 @@ eval_next_line(char_u *arg, evalarg_T *evalarg)
+ }
+ else if (evalarg->eval_cookie != NULL)
+ {
+- vim_free(evalarg->eval_tofree);
++ free_eval_tofree_later(evalarg);
+ evalarg->eval_tofree = line;
+ }
+
+@@ -2301,45 +2358,6 @@ skipwhite_and_linebreak(char_u *arg, evalarg_T *evalarg)
+ return p;
+ }
+
+-/*
+- * Initialize "evalarg" for use.
+- */
+- void
+-init_evalarg(evalarg_T *evalarg)
+-{
+- CLEAR_POINTER(evalarg);
+- ga_init2(&evalarg->eval_tofree_ga, sizeof(char_u *), 20);
+-}
+-
+-/*
+- * After using "evalarg" filled from "eap": free the memory.
+- */
+- void
+-clear_evalarg(evalarg_T *evalarg, exarg_T *eap)
+-{
+- if (evalarg != NULL)
+- {
+- if (evalarg->eval_tofree != NULL)
+- {
+- if (eap != NULL)
+- {
+- // We may need to keep the original command line, e.g. for
+- // ":let" it has the variable names. But we may also need the
+- // new one, "nextcmd" points into it. Keep both.
+- vim_free(eap->cmdline_tofree);
+- eap->cmdline_tofree = *eap->cmdlinep;
+- *eap->cmdlinep = evalarg->eval_tofree;
+- }
+- else
+- vim_free(evalarg->eval_tofree);
+- evalarg->eval_tofree = NULL;
+- }
+-
+- ga_clear_strings(&evalarg->eval_tofree_ga);
+- VIM_CLEAR(evalarg->eval_tofree_lambda);
+- }
+-}
+-
+ /*
+ * The "evaluate" argument: When FALSE, the argument is only parsed but not
+ * executed. The function may return OK, but the rettv will be of type
+diff --git a/src/proto/eval.pro b/src/proto/eval.pro
+index e6cd8928d19c..27a13c9498ba 100644
+--- a/src/proto/eval.pro
++++ b/src/proto/eval.pro
+@@ -9,6 +9,8 @@ int eval_expr_valid_arg(typval_T *tv);
+ int eval_expr_typval(typval_T *expr, typval_T *argv, int argc, typval_T *rettv);
+ int eval_expr_to_bool(typval_T *expr, int *error);
+ char_u *eval_to_string_skip(char_u *arg, exarg_T *eap, int skip);
++void init_evalarg(evalarg_T *evalarg);
++void clear_evalarg(evalarg_T *evalarg, exarg_T *eap);
+ int skip_expr(char_u **pp, evalarg_T *evalarg);
+ int skip_expr_concatenate(char_u **arg, char_u **start, char_u **end, evalarg_T *evalarg);
+ char_u *typval2string(typval_T *tv, int convert);
+@@ -34,8 +36,6 @@ int pattern_match(char_u *pat, char_u *text, int ic);
+ char_u *eval_next_non_blank(char_u *arg, evalarg_T *evalarg, int *getnext);
+ char_u *eval_next_line(char_u *arg, evalarg_T *evalarg);
+ char_u *skipwhite_and_linebreak(char_u *arg, evalarg_T *evalarg);
+-void init_evalarg(evalarg_T *evalarg);
+-void clear_evalarg(evalarg_T *evalarg, exarg_T *eap);
+ int eval0(char_u *arg, typval_T *rettv, exarg_T *eap, evalarg_T *evalarg);
+ int eval0_retarg(char_u *arg, typval_T *rettv, exarg_T *eap, evalarg_T *evalarg, char_u **retarg);
+ int eval1(char_u **arg, typval_T *rettv, evalarg_T *evalarg);
+diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim
+index 56a39efcf79b..597e31ec1c26 100644
+--- a/src/testdir/test_vim9_script.vim
++++ b/src/testdir/test_vim9_script.vim
+@@ -1560,6 +1560,19 @@ def Test_func_redefine_fails()
+ v9.CheckScriptFailure(lines, 'E1073:')
+ enddef
+
++def Test_lambda_split()
++ # this was using freed memory, because of the split expression
++ var lines =<< trim END
++ vim9script
++ try
++ 0
++ 0->(0
++ ->a.0(
++ ->u
++ END
++ v9.CheckScriptFailure(lines, 'E1050:')
++enddef
++
+ def Test_fixed_size_list()
+ # will be allocated as one piece of memory, check that changes work
+ var l = [1, 2, 3, 4]
+diff --git a/src/userfunc.c b/src/userfunc.c
+index f612160fc872..e0bdc3fda911 100644
+--- a/src/userfunc.c
++++ b/src/userfunc.c
+@@ -1372,7 +1372,6 @@ get_lambda_tv(
+ char_u *start, *end;
+ int *old_eval_lavars = eval_lavars_used;
+ int eval_lavars = FALSE;
+- char_u *tofree1 = NULL;
+ char_u *tofree2 = NULL;
+ int equal_arrow = **arg == '(';
+ int white_error = FALSE;
+@@ -1457,12 +1456,6 @@ get_lambda_tv(
+ ret = skip_expr_concatenate(arg, &start, &end, evalarg);
+ if (ret == FAIL)
+ goto errret;
+- if (evalarg != NULL)
+- {
+- // avoid that the expression gets freed when another line break follows
+- tofree1 = evalarg->eval_tofree;
+- evalarg->eval_tofree = NULL;
+- }
+
+ if (!equal_arrow)
+ {
+@@ -1585,10 +1578,6 @@ get_lambda_tv(
+
+ theend:
+ eval_lavars_used = old_eval_lavars;
+- if (evalarg != NULL && evalarg->eval_tofree == NULL)
+- evalarg->eval_tofree = tofree1;
+- else
+- vim_free(tofree1);
+ vim_free(tofree2);
+ if (types_optional)
+ ga_clear_strings(&argtypes);
+@@ -1607,10 +1596,6 @@ get_lambda_tv(
+ }
+ vim_free(fp);
+ vim_free(pt);
+- if (evalarg != NULL && evalarg->eval_tofree == NULL)
+- evalarg->eval_tofree = tofree1;
+- else
+- vim_free(tofree1);
+ vim_free(tofree2);
+ eval_lavars_used = old_eval_lavars;
+ return FAIL;
diff --git a/patches/source/vim/vim-gvim.SlackBuild b/patches/source/vim/vim-gvim.SlackBuild
index 175391c1c..53f2686f3 100755
--- a/patches/source/vim/vim-gvim.SlackBuild
+++ b/patches/source/vim/vim-gvim.SlackBuild
@@ -32,7 +32,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=vim-gvim
VIMBRANCH=8.2
VERSION=$(echo vim-${VIMBRANCH}*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)
-BUILD=${BUILD:-2_slack15.0}
+BUILD=${BUILD:-3_slack15.0}
# The possible settings for this are yes/no/dynamic.
PERLINTERP=${PERLINTERP:-dynamic}
@@ -115,6 +115,7 @@ find . \
zcat $CWD/CVE-2022-2816.patch.gz | patch -p1 --verbose || exit 1
zcat $CWD/CVE-2022-2817.patch.gz | patch -p1 --verbose || exit 1
zcat $CWD/CVE-2022-2819.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/CVE-2022-2889.patch.gz | patch -p1 --verbose || exit 1
config_vim --with-x --enable-gui=gtk3 || exit 1
make $NUMJOBS || make || exit 1
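Review bot: The added `zcat $CWD/CVE-2022-2889.patch.gz | patch -p1 --verbose || exit 1` line, like the three above it, only tests the exit status of `patch`, so if the archive is missing or unreadable `zcat` fails but `patch` sees empty input and may still exit 0, silently skipping this security fix; the same applies to the identical line added in vim.SlackBuild. Because the script already treats every patch step as fatal, adding `set -o pipefail` near the top of the script (or extracting with `zcat ... > patchfile || exit 1` before piping) would make the missing-archive case fail as intended. Note also that this commit adds `patches/source/vim/CVE-2022-2889.patch` uncompressed while the script reads `CVE-2022-2889.patch.gz`; this matches the existing lines for the other CVE patches, so presumably an export step gzips patch sources, but if it does not the build stops here. The enclosing script continues outside the hunk.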
diff --git a/patches/source/vim/vim.SlackBuild b/patches/source/vim/vim.SlackBuild
index 6b20386d2..b628315ce 100755
--- a/patches/source/vim/vim.SlackBuild
+++ b/patches/source/vim/vim.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=vim
VIMBRANCH=8.2
CTAGSVER=5.8
-BUILD=${BUILD:-2_slack15.0}
+BUILD=${BUILD:-3_slack15.0}
# The possible settings for this are yes/no/dynamic.
PERLINTERP=${PERLINTERP:-dynamic}
@@ -156,6 +156,7 @@ find . \
zcat $CWD/CVE-2022-2816.patch.gz | patch -p1 --verbose || exit 1
zcat $CWD/CVE-2022-2817.patch.gz | patch -p1 --verbose || exit 1
zcat $CWD/CVE-2022-2819.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/CVE-2022-2889.patch.gz | patch -p1 --verbose || exit 1
config_vim --without-x --disable-gui || exit 1
make $NUMJOBS || make || exit 1