* [PATCH 1/2] vim: Security Fix For CVE-2022-1381
@ 2022-05-02 12:50 Rahul Chauhan
  2022-05-02 12:50 ` [PATCH 2/2] vim: Security Fix For CVE-2022-1420 Rahul Chauhan
  2022-05-03 19:57 ` [OE-core] [PATCH 1/2] vim: Security Fix For CVE-2022-1381 Richard Purdie
  0 siblings, 2 replies; 3+ messages in thread
From: Rahul Chauhan @ 2022-05-02 12:50 UTC (permalink / raw)
  To: openembedded-core; +Cc: Rahul Chauhan

CVE: CVE-2022-1381

Signed-off-by: Rahul Chauhan <rahulchauhankitps@gmail.com>
---
 .../vim/files/CVE-2022-1381.patch             | 111 ++++++++++++++++++
 meta/recipes-support/vim/vim.inc              |   1 +
 2 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2022-1381.patch

diff --git a/meta/recipes-support/vim/files/CVE-2022-1381.patch b/meta/recipes-support/vim/files/CVE-2022-1381.patch
new file mode 100644
index 0000000000..1b0e129746
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2022-1381.patch
@@ -0,0 +1,111 @@
+From 6a6cb529c7a8bda2c45964137d7c8df9c2623d51 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 16 Apr 2022 18:52:17 +0100
+Subject: [PATCH] patch 8.2.4763: using invalid pointer with "V:" in Ex mode
+
+Problem:    Using invalid pointer with "V:" in Ex mode.
+Solution:   Correctly handle the command being changed to "+".
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/f50808ed135ab973296bca515ae4029b321afe47]
+CVE-2022-1381
+
+Signed-off-by: Rahul Chauhan <rahulchauhankitps@gmail.com>
+---
+ src/ex_docmd.c               | 29 ++++++++++++++++++++++++-----
+ src/testdir/test_ex_mode.vim | 13 +++++++++++++
+ src/version.c                |  2 ++
+ 3 files changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index c12f151c3..9d3f1b420 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -2782,7 +2782,9 @@ parse_command_modifiers(
+ 	cmdmod_T    *cmod,
+ 	int	    skip_only)
+ {
++    char_u  *orig_cmd = eap->cmd;
+     char_u  *cmd_start = NULL;
++    int	    did_plus_cmd = FALSE;
+     char_u  *p;
+     int	    starts_with_colon = FALSE;
+     int	    vim9script = in_vim9script();
+@@ -2818,6 +2820,7 @@ parse_command_modifiers(
+ 			&& curwin->w_cursor.lnum < curbuf->b_ml.ml_line_count)
+ 	{
+ 	    eap->cmd = (char_u *)"+";
++	    did_plus_cmd = TRUE;
+ 	    if (!skip_only)
+ 		ex_pressedreturn = TRUE;
+ 	}
+@@ -3100,13 +3103,29 @@ parse_command_modifiers(
+ 	    // Since the modifiers have been parsed put the colon on top of the
+ 	    // space: "'<,'>mod cmd" -> "mod:'<,'>cmd
+ 	    // Put eap->cmd after the colon.
+-	    mch_memmove(cmd_start - 5, cmd_start, eap->cmd - cmd_start);
+-	    eap->cmd -= 5;
+-	    mch_memmove(eap->cmd - 1, ":'<,'>", 6);
++	    if (did_plus_cmd)
++	    {
++		size_t len = STRLEN(cmd_start);
++
++		// Special case: empty command may have been changed to "+":
++		//  "'<,'>mod" -> "mod'<,'>+
++		mch_memmove(orig_cmd, cmd_start, len);
++		STRCPY(orig_cmd + len, "'<,'>+");
++	    }
++	    else
++	    {
++		mch_memmove(cmd_start - 5, cmd_start, eap->cmd - cmd_start);
++		eap->cmd -= 5;
++		mch_memmove(eap->cmd - 1, ":'<,'>", 6);
++	    }
+ 	}
+ 	else
+-	    // no modifiers, move the pointer back
+-	    eap->cmd -= 5;
++	    // No modifiers, move the pointer back.
++	    // Special case: empty command may have been changed to "+".
++	    if (did_plus_cmd)
++		eap->cmd = (char_u *)"'<,'>+";
++	    else
++		eap->cmd = orig_cmd;
+     }
+ 
+     return OK;
+diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim
+index 2642a16d2..d981ced6b 100644
+--- a/src/testdir/test_ex_mode.vim
++++ b/src/testdir/test_ex_mode.vim
+@@ -250,5 +250,18 @@ func Test_ex_mode_large_indent()
+   bwipe!
+ endfunc
+ 
++" This was accessing illegal memory when using "+" for eap->cmd.
++func Test_empty_command_visual_mode()
++  let lines =<< trim END
++      r<sfile>
++      0norm0V:^[
++      :qall!
++  END
++  call writefile(lines, 'Xexmodescript')
++  call assert_equal(1, RunVim([], [], '-u NONE -e -s -S Xexmodescript'))
++
++  call delete('Xexmodescript')
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 79a3bad67..38c3e69b6 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -750,6 +750,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    4763,
+ /**/
+     4681,
+ /**/
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 21ff036cf4..c78e53007e 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://0001-src-Makefile-improve-reproducibility.patch \
            file://no-path-adjust.patch \
            file://racefix.patch \
+           file://CVE-2022-1381.patch \
            "
 
 PV .= ".4681"
-- 
2.17.1




* [PATCH 2/2] vim: Security Fix For CVE-2022-1420
  2022-05-02 12:50 [PATCH 1/2] vim: Security Fix For CVE-2022-1381 Rahul Chauhan
@ 2022-05-02 12:50 ` Rahul Chauhan
  2022-05-03 19:57 ` [OE-core] [PATCH 1/2] vim: Security Fix For CVE-2022-1381 Richard Purdie
  1 sibling, 0 replies; 3+ messages in thread
From: Rahul Chauhan @ 2022-05-02 12:50 UTC (permalink / raw)
  To: openembedded-core; +Cc: Rahul Chauhan

CVE: CVE-2022-1420

Signed-off-by: Rahul Chauhan <rahulchauhankitps@gmail.com>
---
 .../vim/files/CVE-2022-1420.patch             | 93 +++++++++++++++++++
 meta/recipes-support/vim/vim.inc              |  1 +
 2 files changed, 94 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2022-1420.patch

diff --git a/meta/recipes-support/vim/files/CVE-2022-1420.patch b/meta/recipes-support/vim/files/CVE-2022-1420.patch
new file mode 100644
index 0000000000..2c2e09a9d2
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2022-1420.patch
@@ -0,0 +1,93 @@
+From 6258e29cbdc55c9496baa23462ef77d79a4e08cf Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 17 Apr 2022 15:06:35 +0100
+Subject: [PATCH] patch 8.2.4774: crash when using a number for lambda name
+
+Problem:    Crash when using a number for lambda name.
+Solution:   Check the type of the lambda reference.
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/8b91e71441069b1dde9ac9ff9d9a829b1b4aecca]
+CVE-2022-1420
+
+Signed-off-by: Rahul Chauhan <rahulchauhankitps@gmail.com>
+---
+ src/errors.h                |  4 ++++
+ src/eval.c                  | 16 ++++++++++------
+ src/testdir/test_lambda.vim |  4 ++++
+ src/version.c               |  2 ++
+ 4 files changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/src/errors.h b/src/errors.h
+index 951acabb2..96bba755b 100644
+--- a/src/errors.h
++++ b/src/errors.h
+@@ -3256,3 +3256,7 @@ EXTERN char e_compiling_closure_without_context_str[]
+ EXTERN char e_using_type_not_in_script_context_str[]
+ 	INIT(= N_("E1272: Using type not in a script context: %s"));
+ #endif
++#ifdef FEAT_EVAL
++EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
++       INIT(= N_("E1275: String or function required for ->(expr)"));
++#endif
+diff --git a/src/eval.c b/src/eval.c
+index 2cde64216..5d208a378 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -4094,19 +4094,23 @@ eval_lambda(
+ 	++*arg;
+ 	ret = eval1(arg, rettv, evalarg);
+ 	*arg = skipwhite_and_linebreak(*arg, evalarg);
+-	if (**arg == ')')
++	if (**arg != ')')
+ 	{
+-	    ++*arg;
++	    emsg(_(e_missing_closing_paren));
++	    return FAIL;
+ 	}
+-	else
++	if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC
++					       && rettv->v_type != VAR_PARTIAL)
+ 	{
+-	    emsg(_(e_missing_closing_paren));
+-	    ret = FAIL;
++	    emsg(_(e_string_or_function_required_for_arrow_parens_expr));
++	    return FAIL;
+ 	}
++	++*arg;
+     }
+     if (ret != OK)
+ 	return FAIL;
+-    else if (**arg != '(')
++
++    if (**arg != '(')
+     {
+ 	if (verbose)
+ 	{
+diff --git a/src/testdir/test_lambda.vim b/src/testdir/test_lambda.vim
+index e6dcb6774..8d06e5973 100644
+--- a/src/testdir/test_lambda.vim
++++ b/src/testdir/test_lambda.vim
+@@ -66,6 +66,10 @@ function Test_lambda_fails()
+   echo assert_fails('echo 10->{a -> a + 2}', 'E107:')
+ 
+   call assert_fails('eval 0->(', "E110: Missing ')'")
++  call assert_fails('eval 0->(3)()', "E1275:")
++  call assert_fails('eval 0->([3])()', "E1275:")
++  call assert_fails('eval 0->({"a": 3})()', "E1275:")
++  call assert_fails('eval 0->(xxx)()', "E121:")
+ endfunc
+ 
+ func Test_not_lamda()
+diff --git a/src/version.c b/src/version.c
+index 38c3e69b6..c7516e3a5 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -750,6 +750,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    4774,
+ /**/
+     4763,
+ /**/
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index c78e53007e..05891b07df 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://no-path-adjust.patch \
            file://racefix.patch \
            file://CVE-2022-1381.patch \
+           file://CVE-2022-1420.patch \
            "
 
 PV .= ".4681"
-- 
2.17.1




* Re: [OE-core] [PATCH 1/2] vim: Security Fix For CVE-2022-1381
  2022-05-02 12:50 [PATCH 1/2] vim: Security Fix For CVE-2022-1381 Rahul Chauhan
  2022-05-02 12:50 ` [PATCH 2/2] vim: Security Fix For CVE-2022-1420 Rahul Chauhan
@ 2022-05-03 19:57 ` Richard Purdie
  1 sibling, 0 replies; 3+ messages in thread
From: Richard Purdie @ 2022-05-03 19:57 UTC (permalink / raw)
  To: Rahul Chauhan, openembedded-core

On Mon, 2022-05-02 at 18:20 +0530, Rahul Chauhan wrote:
> CVE: CVE-2022-1381
> 
> Signed-off-by: Rahul Chauhan <rahulchauhankitps@gmail.com>
> ---
>  .../vim/files/CVE-2022-1381.patch             | 111 ++++++++++++++++++
>  meta/recipes-support/vim/vim.inc              |   1 +
>  2 files changed, 112 insertions(+)
>  create mode 100644 meta/recipes-support/vim/files/CVE-2022-1381.patch

The security issues with vim have proven to be rather annoying and we've simply
been updating the recipe to the latest version more recently to handle these.
Would you fancy sending a version update for this instead? It isn't what we
generally do but does seem more appropriate here given the frequency.

Cheers,

Richard


