From: "Richard Purdie" <richard.purdie@linuxfoundation.org>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 01/14] vim: Backport fix for CVE-2021-3770
Date: Mon, 20 Sep 2021 13:46:08 +0100 [thread overview]
Message-ID: <20210920124621.1576702-1-richard.purdie@linuxfoundation.org> (raw)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
...1e135a16091c93f6f5f7525a5c58fb7ca9f9.patch | 207 ++++++++++++++++++
meta/recipes-support/vim/vim.inc | 2 +
2 files changed, 209 insertions(+)
create mode 100644 meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch
diff --git a/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch b/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch
new file mode 100644
index 00000000000..1cee7595021
--- /dev/null
+++ b/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch
@@ -0,0 +1,207 @@
+From b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 4 Sep 2021 18:47:28 +0200
+Subject: [PATCH] patch 8.2.3402: invalid memory access when using :retab with
+ large value
+
+Problem: Invalid memory access when using :retab with large value.
+Solution: Check the number is positive.
+
+CVE: CVE-2021-3770
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Backport [https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9]
+---
+ src/indent.c | 34 +++++++++++++++++++++-------------
+ src/option.c | 12 ++++++------
+ src/optionstr.c | 4 ++--
+ src/testdir/test_retab.vim | 3 +++
+ src/version.c | 2 ++
+ 5 files changed, 34 insertions(+), 21 deletions(-)
+
+Index: git/src/indent.c
+===================================================================
+--- git.orig/src/indent.c
++++ git/src/indent.c
+@@ -18,18 +18,19 @@
+ /*
+ * Set the integer values corresponding to the string setting of 'vartabstop'.
+ * "array" will be set, caller must free it if needed.
++ * Return FAIL for an error.
+ */
+ int
+ tabstop_set(char_u *var, int **array)
+ {
+- int valcount = 1;
+- int t;
+- char_u *cp;
++ int valcount = 1;
++ int t;
++ char_u *cp;
+
+ if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
+ {
+ *array = NULL;
+- return TRUE;
++ return OK;
+ }
+
+ for (cp = var; *cp != NUL; ++cp)
+@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
+ if (cp != end)
+ emsg(_(e_positive));
+ else
+- emsg(_(e_invarg));
+- return FALSE;
++ semsg(_(e_invarg2), cp);
++ return FAIL;
+ }
+ }
+
+@@ -55,26 +56,33 @@ tabstop_set(char_u *var, int **array)
+ ++valcount;
+ continue;
+ }
+- emsg(_(e_invarg));
+- return FALSE;
++ semsg(_(e_invarg2), var);
++ return FAIL;
+ }
+
+ *array = ALLOC_MULT(int, valcount + 1);
+ if (*array == NULL)
+- return FALSE;
++ return FAIL;
+ (*array)[0] = valcount;
+
+ t = 1;
+ for (cp = var; *cp != NUL;)
+ {
+- (*array)[t++] = atoi((char *)cp);
+- while (*cp != NUL && *cp != ',')
++ int n = atoi((char *)cp);
++
++ if (n < 0 || n > 9999)
++ {
++ semsg(_(e_invarg2), cp);
++ return FAIL;
++ }
++ (*array)[t++] = n;
++ while (*cp != NUL && *cp != ',')
+ ++cp;
+ if (*cp != NUL)
+ ++cp;
+ }
+
+- return TRUE;
++ return OK;
+ }
+
+ /*
+@@ -1556,7 +1564,7 @@ ex_retab(exarg_T *eap)
+
+ #ifdef FEAT_VARTABS
+ new_ts_str = eap->arg;
+- if (!tabstop_set(eap->arg, &new_vts_array))
++ if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
+ return;
+ while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
+ ++(eap->arg);
+Index: git/src/option.c
+===================================================================
+--- git.orig/src/option.c
++++ git/src/option.c
+@@ -2292,9 +2292,9 @@ didset_options2(void)
+ #endif
+ #ifdef FEAT_VARTABS
+ vim_free(curbuf->b_p_vsts_array);
+- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
++ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
+ vim_free(curbuf->b_p_vts_array);
+- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
++ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
+ #endif
+ }
+
+@@ -5756,7 +5756,7 @@ buf_copy_options(buf_T *buf, int flags)
+ buf->b_p_vsts = vim_strsave(p_vsts);
+ COPY_OPT_SCTX(buf, BV_VSTS);
+ if (p_vsts && p_vsts != empty_option)
+- tabstop_set(p_vsts, &buf->b_p_vsts_array);
++ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ else
+ buf->b_p_vsts_array = 0;
+ buf->b_p_vsts_nopaste = p_vsts_nopaste
+@@ -5914,7 +5914,7 @@ buf_copy_options(buf_T *buf, int flags)
+ buf->b_p_isk = save_p_isk;
+ #ifdef FEAT_VARTABS
+ if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+- tabstop_set(p_vts, &buf->b_p_vts_array);
++ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ else
+ buf->b_p_vts_array = NULL;
+ #endif
+@@ -5929,7 +5929,7 @@ buf_copy_options(buf_T *buf, int flags)
+ buf->b_p_vts = vim_strsave(p_vts);
+ COPY_OPT_SCTX(buf, BV_VTS);
+ if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+- tabstop_set(p_vts, &buf->b_p_vts_array);
++ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ else
+ buf->b_p_vts_array = NULL;
+ #endif
+@@ -6634,7 +6634,7 @@ paste_option_changed(void)
+ if (buf->b_p_vsts_array)
+ vim_free(buf->b_p_vsts_array);
+ if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
++ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ else
+ buf->b_p_vsts_array = 0;
+ #endif
+Index: git/src/optionstr.c
+===================================================================
+--- git.orig/src/optionstr.c
++++ git/src/optionstr.c
+@@ -2166,7 +2166,7 @@ did_set_string_option(
+ if (errmsg == NULL)
+ {
+ int *oldarray = curbuf->b_p_vsts_array;
+- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
++ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
+ {
+ if (oldarray)
+ vim_free(oldarray);
+@@ -2205,7 +2205,7 @@ did_set_string_option(
+ {
+ int *oldarray = curbuf->b_p_vts_array;
+
+- if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
++ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
+ {
+ vim_free(oldarray);
+ #ifdef FEAT_FOLDING
+Index: git/src/testdir/test_retab.vim
+===================================================================
+--- git.orig/src/testdir/test_retab.vim
++++ git/src/testdir/test_retab.vim
+@@ -74,4 +74,7 @@ endfunc
+ func Test_retab_error()
+ call assert_fails('retab -1', 'E487:')
+ call assert_fails('retab! -1', 'E487:')
++ call assert_fails('ret -1000', 'E487:')
++ call assert_fails('ret 10000', 'E475:')
++ call assert_fails('ret 80000000000000000000', 'E475:')
+ endfunc
+Index: git/src/version.c
+===================================================================
+--- git.orig/src/version.c
++++ git/src/version.c
+@@ -743,6 +743,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 3402,
++/**/
+ 0
+ };
+
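Review bot: The new range check in tabstop_set's fill loop (`if (n < 0 || n > 9999)`) returns FAIL after `*array = ALLOC_MULT(int, valcount + 1)` without releasing the allocation, so the rejected-input path leaks memory and leaves `*array` pointing at a partly filled array. ex_retab just returns on FAIL, and the did_set_string_option callers pass `&(curbuf->b_p_vts_array)` directly, so after a failure the buffer's pointer presumably refers to the half-initialised array rather than `oldarray` (their failure branches lie outside the hunks shown). Add `vim_free(*array); *array = NULL;` before that `return FAIL;`. Separately, `atoi` has undefined behaviour when the value does not fit in an int, so the `ret 80000000000000000000` test passes only if the libc happens to return something outside 0..9999; `strtol` with an ERANGE check would make the bound dependable.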
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 17322885dc6..7e9225fbcb5 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -17,7 +17,9 @@ SRC_URI = "git://github.com/vim/vim.git \
file://0001-src-Makefile-improve-reproducibility.patch \
file://no-path-adjust.patch \
file://racefix.patch \
+ file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
"
+
SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
# Do not consider .z in x.y.z, as that is updated with every commit
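Review bot: The new SRC_URI entry names the backport by its upstream commit hash, which gives a reader of the recipe no hint that it is the CVE-2021-3770 fix; the neighbouring entries (`no-path-adjust.patch`, `racefix.patch`) use descriptive names. Consider `file://CVE-2021-3770.patch \` so the fix can be located by CVE id during an audit, keeping the `CVE:` tag the patch header already carries. The blank line added after the closing quote looks unrelated to the fix and could be dropped.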
--
2.32.0