diff options
Diffstat (limited to 'patches/source')
-rw-r--r-- | patches/source/vim/CVE-2022-2816.patch | 26 | ||||
-rw-r--r-- | patches/source/vim/CVE-2022-2817.patch | 69 | ||||
-rw-r--r-- | patches/source/vim/CVE-2022-2819.patch | 40 | ||||
-rw-r--r-- | patches/source/vim/CVE-2022-2889.patch | 236 | ||||
-rwxr-xr-x | patches/source/vim/vim-gvim.SlackBuild | 10 | ||||
-rwxr-xr-x | patches/source/vim/vim.SlackBuild | 10 |
6 files changed, 4 insertions, 387 deletions
diff --git a/patches/source/vim/CVE-2022-2816.patch b/patches/source/vim/CVE-2022-2816.patch deleted file mode 100644 index da790fb6d..000000000 --- a/patches/source/vim/CVE-2022-2816.patch +++ /dev/null @@ -1,26 +0,0 @@ -From dbdd16b62560413abcc3c8e893cc3010ccf31666 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar <Bram@vim.org> -Date: Sun, 14 Aug 2022 21:46:07 +0100 -Subject: [PATCH] patch 9.0.0212: invalid memory access when compiling :unlet - -Problem: Invalid memory access when compiling :unlet. -Solution: Don't read past the end of the line. ---- - -diff --git a/src/vim9cmds.c b/src/vim9cmds.c -index 35a382138bf3..93032d6bf154 100644 ---- a/src/vim9cmds.c -+++ b/src/vim9cmds.c -@@ -92,6 +92,12 @@ free_locals(cctx_T *cctx) - int - check_vim9_unlet(char_u *name) - { -+ if (*name == NUL) -+ { -+ semsg(_(e_argument_required_for_str), "unlet"); -+ return FAIL; -+ } -+ - if (name[1] != ':' || vim_strchr((char_u *)"gwtb", *name) == NULL) - { - // "unlet s:var" is allowed in legacy script. diff --git a/patches/source/vim/CVE-2022-2817.patch b/patches/source/vim/CVE-2022-2817.patch deleted file mode 100644 index d9bfc1a66..000000000 --- a/patches/source/vim/CVE-2022-2817.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar <Bram@vim.org> -Date: Sun, 14 Aug 2022 22:23:02 +0100 -Subject: [PATCH] patch 9.0.0213: using freed memory with error in assert - argument - -Problem: Using freed memory with error in assert argument. -Solution: Make a copy of the error. ---- - -diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim -index 27b2d73fbfc8..7c9d090b39df 100644 ---- a/src/testdir/test_assert.vim -+++ b/src/testdir/test_assert.vim -@@ -291,6 +291,10 @@ func Test_assert_fail_fails() - let exp = v:exception - endtry - call assert_match("E1174: String required for argument 5", exp) -+ -+ call assert_equal(1, assert_fails('c0', ['', '\1'])) -+ call assert_match("Expected '\\\\\\\\1' but got 'E939: Positive count required: c0': c0", v:errors[0]) -+ call remove(v:errors, 0) - endfunc - - func Test_assert_fails_in_try_block() -diff --git a/src/testing.c b/src/testing.c -index f2355f5dac13..21eb9c18e6e2 100644 ---- a/src/testing.c -+++ b/src/testing.c -@@ -597,6 +597,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv) - int save_trylevel = trylevel; - int called_emsg_before = called_emsg; - char *wrong_arg_msg = NULL; -+ char_u *tofree = NULL; - - if (check_for_string_or_number_arg(argvars, 0) == FAIL - || check_for_opt_string_or_list_arg(argvars, 1) == FAIL -@@ -660,13 +661,17 @@ f_assert_fails(typval_T *argvars, typval_T *rettv) - } - else if (list->lv_len == 2) - { -- tv = &list->lv_u.mat.lv_last->li_tv; -- actual = get_vim_var_str(VV_ERRMSG); -- expected = tv_get_string_buf_chk(tv, buf); -- if (!pattern_match(expected, actual, FALSE)) -+ // make a copy, an error in pattern_match() may free it -+ tofree = actual = vim_strsave(get_vim_var_str(VV_ERRMSG)); -+ if (actual != NULL) - { -- error_found = TRUE; -- expected_str = expected; -+ tv = &list->lv_u.mat.lv_last->li_tv; -+ expected = tv_get_string_buf_chk(tv, buf); -+ if (!pattern_match(expected, actual, FALSE)) -+ { -+ error_found = TRUE; -+ expected_str = expected; -+ } - } - } - } -@@ -749,6 +754,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv) - msg_scrolled = 0; - lines_left = Rows; - VIM_CLEAR(emsg_assert_fails_msg); -+ vim_free(tofree); - set_vim_var_string(VV_ERRMSG, NULL, 0); - if (wrong_arg_msg != NULL) - emsg(_(wrong_arg_msg)); diff --git a/patches/source/vim/CVE-2022-2819.patch b/patches/source/vim/CVE-2022-2819.patch deleted file mode 100644 index 59c25d8c3..000000000 --- a/patches/source/vim/CVE-2022-2819.patch +++ /dev/null @@ -1,40 +0,0 @@ -From d1d8f6bacb489036d0fd479c9dd3c0102c988889 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar <Bram@vim.org> -Date: Sun, 14 Aug 2022 21:28:32 +0100 -Subject: [PATCH] patch 9.0.0211: invalid memory access when compiling :lockvar - -Problem: Invalid memory access when compiling :lockvar. -Solution: Don't read past the end of the line. ---- - -diff --git a/src/vim9cmds.c b/src/vim9cmds.c -index ad32c32ff7cb..35a382138bf3 100644 ---- a/src/vim9cmds.c -+++ b/src/vim9cmds.c -@@ -188,10 +188,17 @@ compile_lock_unlock( - size_t len; - char_u *buf; - isntype_T isn = ISN_EXEC; -+ char *cmd = eap->cmdidx == CMD_lockvar ? "lockvar" : "unlockvar"; - - if (cctx->ctx_skip == SKIP_YES) - return OK; - -+ if (*p == NUL) -+ { -+ semsg(_(e_argument_required_for_str), cmd); -+ return FAIL; -+ } -+ - // Cannot use :lockvar and :unlockvar on local variables. - if (p[1] != ':') - { -@@ -223,8 +230,6 @@ compile_lock_unlock( - ret = FAIL; - else - { -- char *cmd = eap->cmdidx == CMD_lockvar ? "lockvar" : "unlockvar"; -- - if (deep < 0) - vim_snprintf((char *)buf, len, "%s! %s", cmd, p); - else diff --git a/patches/source/vim/CVE-2022-2889.patch b/patches/source/vim/CVE-2022-2889.patch deleted file mode 100644 index a5153eaa2..000000000 --- a/patches/source/vim/CVE-2022-2889.patch +++ /dev/null @@ -1,236 +0,0 @@ -From 91c7cbfe31bbef57d5fcf7d76989fc159f73ef15 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar <Bram@vim.org> -Date: Thu, 18 Aug 2022 13:28:31 +0100 -Subject: [PATCH] patch 9.0.0225: using freed memory with multiple line breaks - in expression - -Problem: Using freed memory with multiple line breaks in expression. -Solution: Free eval_tofree later. - -diff --git a/src/eval.c b/src/eval.c -index 42b883e9b00b..60daca51ce9d 100644 ---- a/src/eval.c -+++ b/src/eval.c -@@ -353,6 +353,63 @@ eval_to_string_skip( - return retval; - } - -+/* -+ * Initialize "evalarg" for use. -+ */ -+ void -+init_evalarg(evalarg_T *evalarg) -+{ -+ CLEAR_POINTER(evalarg); -+ ga_init2(&evalarg->eval_tofree_ga, sizeof(char_u *), 20); -+} -+ -+/* -+ * If "evalarg->eval_tofree" is not NULL free it later. -+ * Caller is expected to overwrite "evalarg->eval_tofree" next. -+ */ -+ static void -+free_eval_tofree_later(evalarg_T *evalarg) -+{ -+ if (evalarg->eval_tofree != NULL) -+ { -+ if (ga_grow(&evalarg->eval_tofree_ga, 1) == OK) -+ ((char_u **)evalarg->eval_tofree_ga.ga_data) -+ [evalarg->eval_tofree_ga.ga_len++] -+ = evalarg->eval_tofree; -+ else -+ vim_free(evalarg->eval_tofree); -+ } -+} -+ -+/* -+ * After using "evalarg" filled from "eap": free the memory. -+ */ -+ void -+clear_evalarg(evalarg_T *evalarg, exarg_T *eap) -+{ -+ if (evalarg != NULL) -+ { -+ if (evalarg->eval_tofree != NULL) -+ { -+ if (eap != NULL) -+ { -+ // We may need to keep the original command line, e.g. for -+ // ":let" it has the variable names. But we may also need the -+ // new one, "nextcmd" points into it. Keep both. -+ vim_free(eap->cmdline_tofree); -+ eap->cmdline_tofree = *eap->cmdlinep; -+ *eap->cmdlinep = evalarg->eval_tofree; -+ } -+ else -+ vim_free(evalarg->eval_tofree); -+ evalarg->eval_tofree = NULL; -+ } -+ -+ ga_clear_strings(&evalarg->eval_tofree_ga); -+ VIM_CLEAR(evalarg->eval_tofree_lambda); -+ } -+} -+ - /* - * Skip over an expression at "*pp". - * Return FAIL for an error, OK otherwise. -@@ -435,8 +492,8 @@ skip_expr_concatenate( - // Do not free the first line, the caller can still use it. - *((char_u **)gap->ga_data) = NULL; - // Do not free the last line, "arg" points into it, free it -- // later. -- vim_free(evalarg->eval_tofree); -+ // later. Also free "eval_tofree" later if needed. -+ free_eval_tofree_later(evalarg); - evalarg->eval_tofree = - ((char_u **)gap->ga_data)[gap->ga_len - 1]; - ((char_u **)gap->ga_data)[gap->ga_len - 1] = NULL; -@@ -2274,7 +2331,7 @@ eval_next_line(char_u *arg, evalarg_T *evalarg) - } - else if (evalarg->eval_cookie != NULL) - { -- vim_free(evalarg->eval_tofree); -+ free_eval_tofree_later(evalarg); - evalarg->eval_tofree = line; - } - -@@ -2301,45 +2358,6 @@ skipwhite_and_linebreak(char_u *arg, evalarg_T *evalarg) - return p; - } - --/* -- * Initialize "evalarg" for use. -- */ -- void --init_evalarg(evalarg_T *evalarg) --{ -- CLEAR_POINTER(evalarg); -- ga_init2(&evalarg->eval_tofree_ga, sizeof(char_u *), 20); --} -- --/* -- * After using "evalarg" filled from "eap": free the memory. -- */ -- void --clear_evalarg(evalarg_T *evalarg, exarg_T *eap) --{ -- if (evalarg != NULL) -- { -- if (evalarg->eval_tofree != NULL) -- { -- if (eap != NULL) -- { -- // We may need to keep the original command line, e.g. for -- // ":let" it has the variable names. But we may also need the -- // new one, "nextcmd" points into it. Keep both. -- vim_free(eap->cmdline_tofree); -- eap->cmdline_tofree = *eap->cmdlinep; -- *eap->cmdlinep = evalarg->eval_tofree; -- } -- else -- vim_free(evalarg->eval_tofree); -- evalarg->eval_tofree = NULL; -- } -- -- ga_clear_strings(&evalarg->eval_tofree_ga); -- VIM_CLEAR(evalarg->eval_tofree_lambda); -- } --} -- - /* - * The "evaluate" argument: When FALSE, the argument is only parsed but not - * executed. The function may return OK, but the rettv will be of type -diff --git a/src/proto/eval.pro b/src/proto/eval.pro -index e6cd8928d19c..27a13c9498ba 100644 ---- a/src/proto/eval.pro -+++ b/src/proto/eval.pro -@@ -9,6 +9,8 @@ int eval_expr_valid_arg(typval_T *tv); - int eval_expr_typval(typval_T *expr, typval_T *argv, int argc, typval_T *rettv); - int eval_expr_to_bool(typval_T *expr, int *error); - char_u *eval_to_string_skip(char_u *arg, exarg_T *eap, int skip); -+void init_evalarg(evalarg_T *evalarg); -+void clear_evalarg(evalarg_T *evalarg, exarg_T *eap); - int skip_expr(char_u **pp, evalarg_T *evalarg); - int skip_expr_concatenate(char_u **arg, char_u **start, char_u **end, evalarg_T *evalarg); - char_u *typval2string(typval_T *tv, int convert); -@@ -34,8 +36,6 @@ int pattern_match(char_u *pat, char_u *text, int ic); - char_u *eval_next_non_blank(char_u *arg, evalarg_T *evalarg, int *getnext); - char_u *eval_next_line(char_u *arg, evalarg_T *evalarg); - char_u *skipwhite_and_linebreak(char_u *arg, evalarg_T *evalarg); --void init_evalarg(evalarg_T *evalarg); --void clear_evalarg(evalarg_T *evalarg, exarg_T *eap); - int eval0(char_u *arg, typval_T *rettv, exarg_T *eap, evalarg_T *evalarg); - int eval0_retarg(char_u *arg, typval_T *rettv, exarg_T *eap, evalarg_T *evalarg, char_u **retarg); - int eval1(char_u **arg, typval_T *rettv, evalarg_T *evalarg); -diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim -index 56a39efcf79b..597e31ec1c26 100644 ---- a/src/testdir/test_vim9_script.vim -+++ b/src/testdir/test_vim9_script.vim -@@ -1560,6 +1560,19 @@ def Test_func_redefine_fails() - v9.CheckScriptFailure(lines, 'E1073:') - enddef - -+def Test_lambda_split() -+ # this was using freed memory, because of the split expression -+ var lines =<< trim END -+ vim9script -+ try -+ 0 -+ 0->(0 -+ ->a.0( -+ ->u -+ END -+ v9.CheckScriptFailure(lines, 'E1050:') -+enddef -+ - def Test_fixed_size_list() - # will be allocated as one piece of memory, check that changes work - var l = [1, 2, 3, 4] -diff --git a/src/userfunc.c b/src/userfunc.c -index f612160fc872..e0bdc3fda911 100644 ---- a/src/userfunc.c -+++ b/src/userfunc.c -@@ -1372,7 +1372,6 @@ get_lambda_tv( - char_u *start, *end; - int *old_eval_lavars = eval_lavars_used; - int eval_lavars = FALSE; -- char_u *tofree1 = NULL; - char_u *tofree2 = NULL; - int equal_arrow = **arg == '('; - int white_error = FALSE; -@@ -1457,12 +1456,6 @@ get_lambda_tv( - ret = skip_expr_concatenate(arg, &start, &end, evalarg); - if (ret == FAIL) - goto errret; -- if (evalarg != NULL) -- { -- // avoid that the expression gets freed when another line break follows -- tofree1 = evalarg->eval_tofree; -- evalarg->eval_tofree = NULL; -- } - - if (!equal_arrow) - { -@@ -1585,10 +1578,6 @@ get_lambda_tv( - - theend: - eval_lavars_used = old_eval_lavars; -- if (evalarg != NULL && evalarg->eval_tofree == NULL) -- evalarg->eval_tofree = tofree1; -- else -- vim_free(tofree1); - vim_free(tofree2); - if (types_optional) - ga_clear_strings(&argtypes); -@@ -1607,10 +1596,6 @@ get_lambda_tv( - } - vim_free(fp); - vim_free(pt); -- if (evalarg != NULL && evalarg->eval_tofree == NULL) -- evalarg->eval_tofree = tofree1; -- else -- vim_free(tofree1); - vim_free(tofree2); - eval_lavars_used = old_eval_lavars; - return FAIL; diff --git a/patches/source/vim/vim-gvim.SlackBuild b/patches/source/vim/vim-gvim.SlackBuild index 53f2686f3..a24a0ada1 100755 --- a/patches/source/vim/vim-gvim.SlackBuild +++ b/patches/source/vim/vim-gvim.SlackBuild @@ -30,9 +30,9 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=vim-gvim -VIMBRANCH=8.2 +VIMBRANCH=9.0 VERSION=$(echo vim-${VIMBRANCH}*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev) -BUILD=${BUILD:-3_slack15.0} +BUILD=${BUILD:-1_slack15.0} # The possible settings for this are yes/no/dynamic. PERLINTERP=${PERLINTERP:-dynamic} @@ -111,12 +111,6 @@ find . \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ -exec chmod 644 {} \+ -# Fix security issues: -zcat $CWD/CVE-2022-2816.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/CVE-2022-2817.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/CVE-2022-2819.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/CVE-2022-2889.patch.gz | patch -p1 --verbose || exit 1 - config_vim --with-x --enable-gui=gtk3 || exit 1 make $NUMJOBS || make || exit 1 make install DESTDIR=$PKG || exit 1 diff --git a/patches/source/vim/vim.SlackBuild b/patches/source/vim/vim.SlackBuild index b628315ce..2d2cbe5b3 100755 --- a/patches/source/vim/vim.SlackBuild +++ b/patches/source/vim/vim.SlackBuild @@ -23,9 +23,9 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=vim -VIMBRANCH=8.2 +VIMBRANCH=9.0 CTAGSVER=5.8 -BUILD=${BUILD:-3_slack15.0} +BUILD=${BUILD:-1_slack15.0} # The possible settings for this are yes/no/dynamic. PERLINTERP=${PERLINTERP:-dynamic} @@ -152,12 +152,6 @@ find . \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ -exec chmod 644 {} \+ -# Fix security issues: -zcat $CWD/CVE-2022-2816.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/CVE-2022-2817.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/CVE-2022-2819.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/CVE-2022-2889.patch.gz | patch -p1 --verbose || exit 1 - config_vim --without-x --disable-gui || exit 1 make $NUMJOBS || make || exit 1 make install DESTDIR=$PKG || exit 1 |