* [dunfell][PATCH v2] vim: fix 2021-3796
@ 2021-10-25 7:28 Minjae Kim
2021-10-25 16:43 ` [OE-core] " Steve Sakoman
[not found] ` <16B153BAA3F7E703.19570@lists.openembedded.org>
0 siblings, 2 replies; 4+ messages in thread
From: Minjae Kim @ 2021-10-25 7:28 UTC (permalink / raw)
To: openembedded-core; +Cc: Minjae Kim
vim is vulnerable to Use After Free
Problem: Checking first character of url twice.
reference:
https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
Signed-off-by: Minjae Kim <flowergom@gmail.com>
---
.../vim/files/CVE-2021-3796.patch | 50 +++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch
diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
new file mode 100644
index 0000000000..666bd5c48b
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
@@ -0,0 +1,50 @@
+From 6d02e1429771c00046b48f26e53ca4123c3ce4e1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 24 Sep 2021 16:01:09 +0800
+Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
+
+Problem: Using freed memory when replacing. (Dhiraj Mishra)
+Solution: Get the line pointer after calling ins_copychar().
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
+CVE: CVE-2021-3796
+
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ src/normal.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index c4963e621..305b514bc 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
+ {
+ /*
+ * Get ptr again, because u_save and/or showmatch() will have
+- * released the line. At the same time we let know that the
+- * line will be changed.
++ * released the line. This may also happen in ins_copychar().
++ * At the same time we let know that the line will be changed.
+ */
+- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+ {
+ int c = ins_copychar(curwin->w_cursor.lnum
+ + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (c != NUL)
+ ptr[curwin->w_cursor.col] = c;
+ }
+ else
++ {
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ ptr[curwin->w_cursor.col] = cap->nchar;
++ }
+ if (p_sm && msg_silent == 0)
+ showmatch(cap->nchar);
+ ++curwin->w_cursor.col;
+--
+2.17.1
+
--
2.30.1 (Apple Git-130)
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [OE-core] [dunfell][PATCH v2] vim: fix 2021-3796
2021-10-25 7:28 [dunfell][PATCH v2] vim: fix 2021-3796 Minjae Kim
@ 2021-10-25 16:43 ` Steve Sakoman
[not found] ` <16B153BAA3F7E703.19570@lists.openembedded.org>
1 sibling, 0 replies; 4+ messages in thread
From: Steve Sakoman @ 2021-10-25 16:43 UTC (permalink / raw)
To: Minjae Kim; +Cc: openembedded-core
On Sun, Oct 24, 2021 at 9:29 PM Minjae Kim <flowergom@gmail.com> wrote:
>
> vim is vulnerable to Use After Free
> Problem: Checking first character of url twice.
>
> reference:
> https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
>
> Signed-off-by: Minjae Kim <flowergom@gmail.com>
> ---
> .../vim/files/CVE-2021-3796.patch | 50 +++++++++++++++++++
> 1 file changed, 50 insertions(+)
> create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch
You don't seem to be adding the patch to the SRC_URI in the recipe!
Steve
>
> diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> new file mode 100644
> index 0000000000..666bd5c48b
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> @@ -0,0 +1,50 @@
> +From 6d02e1429771c00046b48f26e53ca4123c3ce4e1 Mon Sep 17 00:00:00 2001
> +From: Bram Moolenaar <Bram@vim.org>
> +Date: Fri, 24 Sep 2021 16:01:09 +0800
> +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
> +
> +Problem: Using freed memory when replacing. (Dhiraj Mishra)
> +Solution: Get the line pointer after calling ins_copychar().
> +
> +Upstream-Status: Backport [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
> +CVE: CVE-2021-3796
> +
> +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> +---
> + src/normal.c | 10 +++++++---
> + 1 file changed, 7 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/normal.c b/src/normal.c
> +index c4963e621..305b514bc 100644
> +--- a/src/normal.c
> ++++ b/src/normal.c
> +@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
> + {
> + /*
> + * Get ptr again, because u_save and/or showmatch() will have
> +- * released the line. At the same time we let know that the
> +- * line will be changed.
> ++ * released the line. This may also happen in ins_copychar().
> ++ * At the same time we let know that the line will be changed.
> + */
> +- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> + if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
> + {
> + int c = ins_copychar(curwin->w_cursor.lnum
> + + (cap->nchar == Ctrl_Y ? -1 : 1));
> ++
> ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> + if (c != NUL)
> + ptr[curwin->w_cursor.col] = c;
> + }
> + else
> ++ {
> ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> + ptr[curwin->w_cursor.col] = cap->nchar;
> ++ }
> + if (p_sm && msg_silent == 0)
> + showmatch(cap->nchar);
> + ++curwin->w_cursor.col;
> +--
> +2.17.1
> +
> --
> 2.30.1 (Apple Git-130)
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#157332): https://lists.openembedded.org/g/openembedded-core/message/157332
> Mute This Topic: https://lists.openembedded.org/mt/86572003/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 4+ messages in thread[parent not found: <16B153BAA3F7E703.19570@lists.openembedded.org>]
* Re: [OE-core] [dunfell][PATCH v2] vim: fix 2021-3796
[not found] ` <16B153BAA3F7E703.19570@lists.openembedded.org>
@ 2021-10-25 17:59 ` Steve Sakoman
[not found] ` <16B157E496184ECA.20619@lists.openembedded.org>
1 sibling, 0 replies; 4+ messages in thread
From: Steve Sakoman @ 2021-10-25 17:59 UTC (permalink / raw)
To: steve; +Cc: Minjae Kim, openembedded-core
On Mon, Oct 25, 2021 at 6:43 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Sun, Oct 24, 2021 at 9:29 PM Minjae Kim <flowergom@gmail.com> wrote:
> >
> > vim is vulnerable to Use After Free
> > Problem: Checking first character of url twice.
> >
> > reference:
> > https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
> >
> > Signed-off-by: Minjae Kim <flowergom@gmail.com>
> > ---
> > .../vim/files/CVE-2021-3796.patch | 50 +++++++++++++++++++
> > 1 file changed, 50 insertions(+)
> > create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch
>
> You don't seem to be adding the patch to the SRC_URI in the recipe!
I fixed that issue, but now once again the patch file fails to apply:
stdio: ERROR: vim-8.2-r0 do_patch: Applying patch
'CVE-2021-3796.patch' on target directory
'/home/pokybuild/yocto-worker/no-x11/build/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/git'
stdio: ERROR: Logfile of failure stored in:
/home/pokybuild/yocto-worker/no-x11/build/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/temp/log.do_patch.7612
stdio: ERROR: Task
(/home/pokybuild/yocto-worker/no-x11/build/meta/recipes-support/vim/vim_8.2.bb:do_patch)
failed with exit code '1'
Steve
>
> Steve
>
> >
> > diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> > new file mode 100644
> > index 0000000000..666bd5c48b
> > --- /dev/null
> > +++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> > @@ -0,0 +1,50 @@
> > +From 6d02e1429771c00046b48f26e53ca4123c3ce4e1 Mon Sep 17 00:00:00 2001
> > +From: Bram Moolenaar <Bram@vim.org>
> > +Date: Fri, 24 Sep 2021 16:01:09 +0800
> > +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
> > +
> > +Problem: Using freed memory when replacing. (Dhiraj Mishra)
> > +Solution: Get the line pointer after calling ins_copychar().
> > +
> > +Upstream-Status: Backport [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
> > +CVE: CVE-2021-3796
> > +
> > +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> > +---
> > + src/normal.c | 10 +++++++---
> > + 1 file changed, 7 insertions(+), 3 deletions(-)
> > +
> > +diff --git a/src/normal.c b/src/normal.c
> > +index c4963e621..305b514bc 100644
> > +--- a/src/normal.c
> > ++++ b/src/normal.c
> > +@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
> > + {
> > + /*
> > + * Get ptr again, because u_save and/or showmatch() will have
> > +- * released the line. At the same time we let know that the
> > +- * line will be changed.
> > ++ * released the line. This may also happen in ins_copychar().
> > ++ * At the same time we let know that the line will be changed.
> > + */
> > +- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> > + if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
> > + {
> > + int c = ins_copychar(curwin->w_cursor.lnum
> > + + (cap->nchar == Ctrl_Y ? -1 : 1));
> > ++
> > ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> > + if (c != NUL)
> > + ptr[curwin->w_cursor.col] = c;
> > + }
> > + else
> > ++ {
> > ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> > + ptr[curwin->w_cursor.col] = cap->nchar;
> > ++ }
> > + if (p_sm && msg_silent == 0)
> > + showmatch(cap->nchar);
> > + ++curwin->w_cursor.col;
> > +--
> > +2.17.1
> > +
> > --
> > 2.30.1 (Apple Git-130)
> >
> >
> >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#157352): https://lists.openembedded.org/g/openembedded-core/message/157352
> Mute This Topic: https://lists.openembedded.org/mt/86572003/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 4+ messages in thread[parent not found: <16B157E496184ECA.20619@lists.openembedded.org>]
* Re: [OE-core] [dunfell][PATCH v2] vim: fix 2021-3796
[not found] ` <16B157E496184ECA.20619@lists.openembedded.org>
@ 2021-10-25 18:50 ` Steve Sakoman
0 siblings, 0 replies; 4+ messages in thread
From: Steve Sakoman @ 2021-10-25 18:50 UTC (permalink / raw)
To: steve; +Cc: Minjae Kim, openembedded-core
On Mon, Oct 25, 2021 at 7:59 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Mon, Oct 25, 2021 at 6:43 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > On Sun, Oct 24, 2021 at 9:29 PM Minjae Kim <flowergom@gmail.com> wrote:
> > >
> > > vim is vulnerable to Use After Free
> > > Problem: Checking first character of url twice.
> > >
> > > reference:
> > > https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
> > >
> > > Signed-off-by: Minjae Kim <flowergom@gmail.com>
> > > ---
> > > .../vim/files/CVE-2021-3796.patch | 50 +++++++++++++++++++
> > > 1 file changed, 50 insertions(+)
> > > create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch
> >
> > You don't seem to be adding the patch to the SRC_URI in the recipe!
>
> I fixed that issue, but now once again the patch file fails to apply:
>
> stdio: ERROR: vim-8.2-r0 do_patch: Applying patch
> 'CVE-2021-3796.patch' on target directory
> '/home/pokybuild/yocto-worker/no-x11/build/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/git'
> stdio: ERROR: Logfile of failure stored in:
> /home/pokybuild/yocto-worker/no-x11/build/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/temp/log.do_patch.7612
> stdio: ERROR: Task
> (/home/pokybuild/yocto-worker/no-x11/build/meta/recipes-support/vim/vim_8.2.bb:do_patch)
> failed with exit code '1'
Perhaps you are having some issues with your mailer that is corrupting
the patch? I see that the master version is also having problems.
Do you have a git repo I could try pulling from?
Steve
>
> Steve
>
> >
> > Steve
> >
> > >
> > > diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> > > new file mode 100644
> > > index 0000000000..666bd5c48b
> > > --- /dev/null
> > > +++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> > > @@ -0,0 +1,50 @@
> > > +From 6d02e1429771c00046b48f26e53ca4123c3ce4e1 Mon Sep 17 00:00:00 2001
> > > +From: Bram Moolenaar <Bram@vim.org>
> > > +Date: Fri, 24 Sep 2021 16:01:09 +0800
> > > +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
> > > +
> > > +Problem: Using freed memory when replacing. (Dhiraj Mishra)
> > > +Solution: Get the line pointer after calling ins_copychar().
> > > +
> > > +Upstream-Status: Backport [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
> > > +CVE: CVE-2021-3796
> > > +
> > > +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> > > +---
> > > + src/normal.c | 10 +++++++---
> > > + 1 file changed, 7 insertions(+), 3 deletions(-)
> > > +
> > > +diff --git a/src/normal.c b/src/normal.c
> > > +index c4963e621..305b514bc 100644
> > > +--- a/src/normal.c
> > > ++++ b/src/normal.c
> > > +@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
> > > + {
> > > + /*
> > > + * Get ptr again, because u_save and/or showmatch() will have
> > > +- * released the line. At the same time we let know that the
> > > +- * line will be changed.
> > > ++ * released the line. This may also happen in ins_copychar().
> > > ++ * At the same time we let know that the line will be changed.
> > > + */
> > > +- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> > > + if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
> > > + {
> > > + int c = ins_copychar(curwin->w_cursor.lnum
> > > + + (cap->nchar == Ctrl_Y ? -1 : 1));
> > > ++
> > > ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> > > + if (c != NUL)
> > > + ptr[curwin->w_cursor.col] = c;
> > > + }
> > > + else
> > > ++ {
> > > ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> > > + ptr[curwin->w_cursor.col] = cap->nchar;
> > > ++ }
> > > + if (p_sm && msg_silent == 0)
> > > + showmatch(cap->nchar);
> > > + ++curwin->w_cursor.col;
> > > +--
> > > +2.17.1
> > > +
> > > --
> > > 2.30.1 (Apple Git-130)
> > >
> > >
> > >
> > >
> >
> >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#157353): https://lists.openembedded.org/g/openembedded-core/message/157353
> Mute This Topic: https://lists.openembedded.org/mt/86572003/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-10-25 18:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-25 7:28 [dunfell][PATCH v2] vim: fix 2021-3796 Minjae Kim
2021-10-25 16:43 ` [OE-core] " Steve Sakoman
[not found] ` <16B153BAA3F7E703.19570@lists.openembedded.org>
2021-10-25 17:59 ` Steve Sakoman
[not found] ` <16B157E496184ECA.20619@lists.openembedded.org>
2021-10-25 18:50 ` Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.