* [dunfell][PATCH] git: fix CVE-2021-4069
@ 2021-12-18 4:53 Minjae Kim
0 siblings, 0 replies; only message in thread
From: Minjae Kim @ 2021-12-18 4:53 UTC (permalink / raw)
To: openembedded-core; +Cc: Minjae Kim
Use After Free in vim/vim
Upstream-Status: Backport [https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9]
CVE: CVE-2021-4069
---
.../vim/files/CVE-2021-4069.patch | 43 +++++++++++++++++++
meta/recipes-support/vim/vim.inc | 1 +
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-support/vim/files/CVE-2021-4069.patch
diff --git a/meta/recipes-support/vim/files/CVE-2021-4069.patch b/meta/recipes-support/vim/files/CVE-2021-4069.patch
new file mode 100644
index 0000000000..6a67281907
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-4069.patch
@@ -0,0 +1,43 @@
+From cd2422ee2dab3f33b2dbd1271e17cdaf8762b6d1 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Fri, 17 Dec 2021 20:32:02 -0800
+Subject: [PATCH] using freed memory in open command
+
+Problem: Using freed memory in open command.
+Solution: Make a copy of the current line.
+
+Upstream-Status: Backported [https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9]
+CVE: CVE-2021-4069
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ src/ex_docmd.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index 59e245bee..ccd9e8bed 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -6029,13 +6029,17 @@ ex_open(exarg_T *eap)
+ regmatch.regprog = vim_regcomp(eap->arg, p_magic ? RE_MAGIC : 0);
+ if (regmatch.regprog != NULL)
+ {
++ // make a copy of the line, when searching for a mark it might be
++ // flushed
++ char_u *line = vim_strsave(ml_get_curline());
++
+ regmatch.rm_ic = p_ic;
+- p = ml_get_curline();
+- if (vim_regexec(®match, p, (colnr_T)0))
+- curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - p);
++ if (vim_regexec(®match, line, (colnr_T)0))
++ curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - line);
+ else
+ emsg(_(e_nomatch));
+ vim_regfree(regmatch.regprog);
++ vim_free(line);
+ }
+ // Move to the NUL, ignore any other arguments.
+ eap->arg += STRLEN(eap->arg);
+--
+2.25.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 11fed67527..51a6861325 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -26,6 +26,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://0001-patch-8.2.3581-reading-character-past-end-of-line.patch \
file://0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch \
file://0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch \
+ file://CVE-2021-4069.patch \
"
SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
--
2.25.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-12-18 4:54 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-18 4:53 [dunfell][PATCH] git: fix CVE-2021-4069 Minjae Kim
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox