* [PATCH] vim: fix CVE-2021-3778
@ 2021-09-27 10:44 Minjae Kim
2021-09-27 23:08 ` [OE-core] " Richard Purdie
0 siblings, 1 reply; 5+ messages in thread
From: Minjae Kim @ 2021-09-27 10:44 UTC (permalink / raw)
To: openembedded-core; +Cc: Minjae Kim
vim is vulnerable to Heap-based Buffer Overflow
reference:
https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f
---
.../vim/files/CVE-2021-3778.patch | 49 +++++++++++++++++++
meta/recipes-support/vim/vim.inc | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-support/vim/files/CVE-2021-3778.patch
diff --git a/meta/recipes-support/vim/files/CVE-2021-3778.patch b/meta/recipes-support/vim/files/CVE-2021-3778.patch
new file mode 100644
index 0000000000..9cb61a6ac7
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3778.patch
@@ -0,0 +1,49 @@
+From eb41373c8c88b0789e5cf04669d6116f9a199264 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Sun, 26 Sep 2021 23:48:00 +0000
+Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8
+ character
+
+Problem: Reading beyond end of line with invalid utf-8 character.
+Solution: Check for NUL when advancing.
+
+Upstream-Status: Accepted [https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f]
+CVE: CVE-2021-3778
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ src/regexp_nfa.c | 3 ++-
+ src/testdir/test_regexp_utf8.vim | 7 +++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
+index fb512f961..4d337f1f1 100644
+--- a/src/regexp_nfa.c
++++ b/src/regexp_nfa.c
+@@ -5455,7 +5455,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text)
+ match = FALSE;
+ break;
+ }
+- len2 += MB_CHAR2LEN(c2);
++ len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2)
++ : MB_CHAR2LEN(c2);
+ }
+ if (match
+ // check that no composing char follows
+diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
+index 19ff882be..e0665818b 100644
+--- a/src/testdir/test_regexp_utf8.vim
++++ b/src/testdir/test_regexp_utf8.vim
+@@ -215,3 +215,10 @@ func Test_optmatch_toolong()
+ set re=0
+ endfunc
+
++func Test_match_invalid_byte()
++ call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid')
++ new
++ source Xinvalid
++ bwipe!
++ call delete('Xinvalid')
++endfunc
+--
+2.17.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 7e9225fbcb..db1e9caf4d 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/vim/vim.git \
file://no-path-adjust.patch \
file://racefix.patch \
file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
+ file://CVE-2021-3778.patch \
"
SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [OE-core] [PATCH] vim: fix CVE-2021-3778
2021-09-27 10:44 [PATCH] vim: fix CVE-2021-3778 Minjae Kim
@ 2021-09-27 23:08 ` Richard Purdie
2021-09-28 6:58 ` Minjae Kim
0 siblings, 1 reply; 5+ messages in thread
From: Richard Purdie @ 2021-09-27 23:08 UTC (permalink / raw)
To: Minjae Kim, openembedded-core
On Mon, 2021-09-27 at 19:44 +0900, Minjae Kim wrote:
> vim is vulnerable to Heap-based Buffer Overflow
>
> reference:
> https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f
> ---
> .../vim/files/CVE-2021-3778.patch | 49 +++++++++++++++++++
> meta/recipes-support/vim/vim.inc | 1 +
> 2 files changed, 50 insertions(+)
> create mode 100644 meta/recipes-support/vim/files/CVE-2021-3778.patch
>
> diff --git a/meta/recipes-support/vim/files/CVE-2021-3778.patch b/meta/recipes-support/vim/files/CVE-2021-3778.patch
> new file mode 100644
> index 0000000000..9cb61a6ac7
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2021-3778.patch
> @@ -0,0 +1,49 @@
> +From eb41373c8c88b0789e5cf04669d6116f9a199264 Mon Sep 17 00:00:00 2001
> +From: Minjae Kim <flowergom@gmail.com>
> +Date: Sun, 26 Sep 2021 23:48:00 +0000
> +Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8
> + character
> +
> +Problem: Reading beyond end of line with invalid utf-8 character.
> +Solution: Check for NUL when advancing.
> +
> +Upstream-Status: Accepted [https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f]
> +CVE: CVE-2021-3778
> +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> +---
> + src/regexp_nfa.c | 3 ++-
> + src/testdir/test_regexp_utf8.vim | 7 +++++++
> + 2 files changed, 9 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
> +index fb512f961..4d337f1f1 100644
> +--- a/src/regexp_nfa.c
> ++++ b/src/regexp_nfa.c
> +@@ -5455,7 +5455,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text)
> + match = FALSE;
> + break;
> + }
> +- len2 += MB_CHAR2LEN(c2);
> ++ len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2)
> ++ : MB_CHAR2LEN(c2);
> + }
> + if (match
> + // check that no composing char follows
> +diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
> +index 19ff882be..e0665818b 100644
> +--- a/src/testdir/test_regexp_utf8.vim
> ++++ b/src/testdir/test_regexp_utf8.vim
> +@@ -215,3 +215,10 @@ func Test_optmatch_toolong()
> + set re=0
> + endfunc
> +
> ++func Test_match_invalid_byte()
> ++ call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid')
> ++ new
> ++ source Xinvalid
> ++ bwipe!
> ++ call delete('Xinvalid')
> ++endfunc
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
> index 7e9225fbcb..db1e9caf4d 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/vim/vim.git \
> file://no-path-adjust.patch \
> file://racefix.patch \
> file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
> + file://CVE-2021-3778.patch \
> "
>
> SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
Thanks for the patch, I'd like to get this CVE fixed for master. Unfortunately
the patch doesn't seem to apply?
ERROR: vim-8.2-r0 do_patch: Command Error: 'quilt --quiltrc /media/build1/poky/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output:
stdout: Applying patch CVE-2021-3778.patch
patching file src/regexp_nfa.c
Hunk #1 FAILED at 5455.
1 out of 1 hunk FAILED -- rejects in file src/regexp_nfa.c
patching file src/testdir/test_regexp_utf8.vim
Patch CVE-2021-3778.patch does not apply (enforce with -f)
stderr:
ERROR: Logfile of failure stored in: /media/build1/poky/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/temp/log.do_patch.45096
ERROR: Task (/media/build1/poky/meta/recipes-support/vim/vim_8.2.bb:do_patch) failed with exit code '1'
Cheers,
Richard
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] vim: fix CVE-2021-3778
2021-09-27 23:08 ` [OE-core] " Richard Purdie
@ 2021-09-28 6:58 ` Minjae Kim
2021-09-28 7:36 ` Minjae Kim
0 siblings, 1 reply; 5+ messages in thread
From: Minjae Kim @ 2021-09-28 6:58 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 90 bytes --]
Hi Richard ,
Thanks for the notice, I'll update it properly.
Thanks
Minjae Kim.
[-- Attachment #2: Type: text/html, Size: 114 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] vim: fix CVE-2021-3778
2021-09-28 6:58 ` Minjae Kim
@ 2021-09-28 7:36 ` Minjae Kim
2021-09-28 10:41 ` [OE-core] " Richard Purdie
0 siblings, 1 reply; 5+ messages in thread
From: Minjae Kim @ 2021-09-28 7:36 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 3740 bytes --]
Hi Richard,
When I tried to rebuild this patch on the latest master branch,
I could not get any patch errors as below.
poky/master/poky$ bitbake vim -c cleanall; bitbake vim -C compile
Loading cache: 100% | | ETA: --:--:--
Loaded 0 entries from dependency cache.
Parsing recipes: 100% |######################################################################################################################################################| Time: 0:00:03
Parsing of 828 .bb files complete (0 cached, 828 parsed). 1469 targets, 44 skipped, 0 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies
Build Configuration:
BB_VERSION = "1.51.1"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "universal"
TARGET_SYS = "x86_64-poky-linux"
MACHINE = "qemux86-64"
DISTRO = "poky"
DISTRO_VERSION = "3.3+snapshot-a1e31bb8d625bf4531347e7cff6de89f104800c7"
TUNE_FEATURES = "m64 core2"
TARGET_FPU = ""
meta
meta-poky
meta-yocto-bsp = "master:a1e31bb8d625bf4531347e7cff6de89f104800c7"
Initialising tasks: 100% |###################################################################################################################################################| Time: 0:00:00
Sstate summary: Wanted 0 Local 0 Network 0 Missed 0 Current 0 (0% match, 0% complete)
NOTE: No setscene tasks
NOTE: Executing Tasks
NOTE: Tasks Summary: Attempted 3 tasks of which 0 didn't need to be rerun and all succeeded.
Loading cache: 100% |########################################################################################################################################################| Time: 0:00:00
Loaded 1469 entries from dependency cache.
NOTE: Resolving any missing task queue dependencies
Build Configuration:
BB_VERSION = "1.51.1"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "universal"
TARGET_SYS = "x86_64-poky-linux"
MACHINE = "qemux86-64"
DISTRO = "poky"
DISTRO_VERSION = "3.3+snapshot-a1e31bb8d625bf4531347e7cff6de89f104800c7"
TUNE_FEATURES = "m64 core2"
TARGET_FPU = ""
meta
meta-poky
meta-yocto-bsp = "master:a1e31bb8d625bf4531347e7cff6de89f104800c7"
NOTE: Tainting hash to force rebuild of task /home/webos_build/upstream/poky/master/poky/meta/recipes-support/vim/vim_8.2.bb, do_compile | ETA: 0:00:00
WARNING: /home/webos_build/upstream/poky/master/poky/meta/recipes-support/vim/vim_8.2.bb:do_compile is tainted from a forced run | ETA: 0:00:00
Initialising tasks: 100% |###################################################################################################################################################| Time: 0:00:01
Sstate summary: Wanted 10 Local 0 Network 0 Missed 10 Current 549 (0% match, 98% complete)
Removing 3 stale sstate objects for arch qemux86_64: 100% |##################################################################################################################| Time: 0:00:00
NOTE: Executing Tasks
NOTE: Tasks Summary: Attempted 1964 tasks of which 1945 didn't need to be rerun and all succeeded.
Summary: There was 1 WARNING message shown.
upstream/poky/master/poky$
Thanks,
Minjae Kim
[-- Attachment #2: Type: text/html, Size: 5557 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [OE-core] [PATCH] vim: fix CVE-2021-3778
2021-09-28 7:36 ` Minjae Kim
@ 2021-09-28 10:41 ` Richard Purdie
0 siblings, 0 replies; 5+ messages in thread
From: Richard Purdie @ 2021-09-28 10:41 UTC (permalink / raw)
To: Minjae Kim, openembedded-core
On Tue, 2021-09-28 at 00:36 -0700, Minjae Kim wrote:
> Hi Richard,
>
> When I tried to rebuild this patch on the latest master branch,
> I could not get any patch errors as below.
>
> poky/master/poky$ bitbake vim -c cleanall; bitbake vim -C compile
> Loading cache: 100% |
>
> | ETA: --:--:--
> Loaded 0 entries from dependency cache.
> Parsing recipes: 100%
> |#############################################################################
> #########################################################################|
> Time: 0:00:03
> Parsing of 828 .bb files complete (0 cached, 828 parsed). 1469 targets, 44
> skipped, 0 masked, 0 errors.
> NOTE: Resolving any missing task queue dependencies
>
> Build Configuration:
> BB_VERSION = "1.51.1"
> BUILD_SYS = "x86_64-linux"
> NATIVELSBSTRING = "universal"
> TARGET_SYS = "x86_64-poky-linux"
> MACHINE = "qemux86-64"
> DISTRO = "poky"
> DISTRO_VERSION = "3.3+snapshot-a1e31bb8d625bf4531347e7cff6de89f104800c7"
> TUNE_FEATURES = "m64 core2"
> TARGET_FPU = ""
> meta
> meta-poky
> meta-yocto-bsp = "master:a1e31bb8d625bf4531347e7cff6de89f104800c7"
>
> Initialising tasks: 100%
> |#############################################################################
> ######################################################################| Time:
> 0:00:00
> Sstate summary: Wanted 0 Local 0 Network 0 Missed 0 Current 0 (0% match, 0%
> complete)
> NOTE: No setscene tasks
> NOTE: Executing Tasks
> NOTE: Tasks Summary: Attempted 3 tasks of which 0 didn't need to be rerun and
> all succeeded.
> Loading cache: 100%
> |#############################################################################
> ###########################################################################|
> Time: 0:00:00
> Loaded 1469 entries from dependency cache.
> NOTE: Resolving any missing task queue dependencies
>
> Build Configuration:
> BB_VERSION = "1.51.1"
> BUILD_SYS = "x86_64-linux"
> NATIVELSBSTRING = "universal"
> TARGET_SYS = "x86_64-poky-linux"
> MACHINE = "qemux86-64"
> DISTRO = "poky"
> DISTRO_VERSION = "3.3+snapshot-a1e31bb8d625bf4531347e7cff6de89f104800c7"
> TUNE_FEATURES = "m64 core2"
> TARGET_FPU = ""
> meta
> meta-poky
> meta-yocto-bsp = "master:a1e31bb8d625bf4531347e7cff6de89f104800c7"
>
> NOTE: Tainting hash to force rebuild of task
> /home/webos_build/upstream/poky/master/poky/meta/recipes-
> support/vim/vim_8.2.bb, do_compile | ETA:
> 0:00:00
> WARNING: /home/webos_build/upstream/poky/master/poky/meta/recipes-
> support/vim/vim_8.2.bb:do_compile is tainted from a forced run
> | ETA: 0:00:00
> Initialising tasks: 100%
> |#############################################################################
> ######################################################################| Time:
> 0:00:01
> Sstate summary: Wanted 10 Local 0 Network 0 Missed 10 Current 549 (0% match,
> 98% complete)
> Removing 3 stale sstate objects for arch qemux86_64: 100%
> |#############################################################################
> #####################################| Time: 0:00:00
> NOTE: Executing Tasks
> NOTE: Tasks Summary: Attempted 1964 tasks of which 1945 didn't need to be
> rerun and all succeeded.
>
> Summary: There was 1 WARNING message shown.
> upstream/poky/master/poky$
I checked again and the patch definitely does not work. I think the whitespace
is being corrupted on the trip through the mailing list.
I've manually refreshed the patch locally to fix it but I think something about
your email setup is causing problems with patch corruption :(.
Cheers,
Richard
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-09-28 10:41 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-27 10:44 [PATCH] vim: fix CVE-2021-3778 Minjae Kim
2021-09-27 23:08 ` [OE-core] " Richard Purdie
2021-09-28 6:58 ` Minjae Kim
2021-09-28 7:36 ` Minjae Kim
2021-09-28 10:41 ` [OE-core] " Richard Purdie
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.