From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Minjae Kim <flowergom@gmail.com>,
	openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] vim: fix CVE-2021-3778
Date: Tue, 28 Sep 2021 00:08:15 +0100
Message-ID: <9a22c351a2971e60a080c6a68ed613efbb1901f5.camel@linuxfoundation.org>
In-Reply-To: <20210927104430.414250-1-flowergom@gmail.com>

On Mon, 2021-09-27 at 19:44 +0900, Minjae Kim wrote:
> vim is vulnerable to Heap-based Buffer Overflow
> 
> reference:
> https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f
> ---
>  .../vim/files/CVE-2021-3778.patch             | 49 +++++++++++++++++++
>  meta/recipes-support/vim/vim.inc              |  1 +
>  2 files changed, 50 insertions(+)
>  create mode 100644 meta/recipes-support/vim/files/CVE-2021-3778.patch
> 
> diff --git a/meta/recipes-support/vim/files/CVE-2021-3778.patch b/meta/recipes-support/vim/files/CVE-2021-3778.patch
> new file mode 100644
> index 0000000000..9cb61a6ac7
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2021-3778.patch
> @@ -0,0 +1,49 @@
> +From eb41373c8c88b0789e5cf04669d6116f9a199264 Mon Sep 17 00:00:00 2001
> +From: Minjae Kim <flowergom@gmail.com>
> +Date: Sun, 26 Sep 2021 23:48:00 +0000
> +Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8
> + character
> +
> +Problem: Reading beyond end of line with invalid utf-8 character.
> +Solution: Check for NUL when advancing.
> +
> +Upstream-Status: Accepted [https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f]
> +CVE: CVE-2021-3778
> +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> +---
> + src/regexp_nfa.c                 | 3 ++-
> + src/testdir/test_regexp_utf8.vim | 7 +++++++
> + 2 files changed, 9 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
> +index fb512f961..4d337f1f1 100644
> +--- a/src/regexp_nfa.c
> ++++ b/src/regexp_nfa.c
> +@@ -5455,7 +5455,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text)
> +               match = FALSE;
> +               break;
> +           }
> +-          len2 += MB_CHAR2LEN(c2);
> ++          len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2)
> ++                                                           : MB_CHAR2LEN(c2);
> +       }
> +       if (match
> +               // check that no composing char follows
> +diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
> +index 19ff882be..e0665818b 100644
> +--- a/src/testdir/test_regexp_utf8.vim
> ++++ b/src/testdir/test_regexp_utf8.vim
> +@@ -215,3 +215,10 @@ func Test_optmatch_toolong()
> +   set re=0
> + endfunc
> + 
> ++func Test_match_invalid_byte()
> ++  call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid')
> ++  new
> ++  source Xinvalid
> ++  bwipe!
> ++  call delete('Xinvalid')
> ++endfunc
> +-- 
> +2.17.1
> +
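Review bot: the regexp_nfa.c hunk inside this patch file (context at line 5455, `index fb512f961..4d337f1f1`) was generated against a different vim tree than the SRCREV `98056533b96b6b5d8849641de93185dd7bcadc44` the recipe pins, and the do_patch output below confirms it ("Hunk #1 FAILED at 5455"); please regenerate the backport against that SRCREV, or bump SRCREV to a vim commit that already contains upstream 65b605665997fad54ef39a93199e305af2fe4d7f and drop the patch. Also, the patch header names `From: Minjae Kim` and hash `eb41373c...` while Upstream-Status points at commit 65b60566...; a `git cherry-pick -x` of the upstream commit (or `git format-patch` on it) would keep the original author and the upstream hash in the header, with only the Upstream-Status/CVE/Signed-off-by trailers added.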
> diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
> index 7e9225fbcb..db1e9caf4d 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/vim/vim.git \
>             file://no-path-adjust.patch \
>             file://racefix.patch \
>             file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
> +          file://CVE-2021-3778.patch \
>  "
>  
>  SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
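Review bot: the added `file://CVE-2021-3778.patch \` line appears to be indented one space less than the neighbouring `file://` entries, which are aligned under the opening quote of `SRC_URI = "`; align it with the existing entries. Adding the patch to SRC_URI is otherwise the right change, but it is only useful once the patch file itself applies to the pinned SRCREV `98056533...` (see the failed do_patch below), so this hunk should land together with a regenerated patch or with a SRCREV bump.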


Thanks for the patch, I'd like to get this CVE fixed for master. Unfortunately
the patch doesn't seem to apply?

ERROR: vim-8.2-r0 do_patch: Command Error: 'quilt --quiltrc /media/build1/poky/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0  Output:
stdout: Applying patch CVE-2021-3778.patch
patching file src/regexp_nfa.c
Hunk #1 FAILED at 5455.
1 out of 1 hunk FAILED -- rejects in file src/regexp_nfa.c
patching file src/testdir/test_regexp_utf8.vim
Patch CVE-2021-3778.patch does not apply (enforce with -f)

stderr: 
ERROR: Logfile of failure stored in: /media/build1/poky/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/temp/log.do_patch.45096
ERROR: Task (/media/build1/poky/meta/recipes-support/vim/vim_8.2.bb:do_patch) failed with exit code '1'

Cheers,

Richard



