packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-47814

Browse Source
This commit is contained in:
changtao 2024-10-08 09:28:18 +08:00
parent 7670ef8265
commit 53395f0e5f
2 changed files with 125 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
fix-CVE-2024-47814.patch Normal file
View File

@ -0,0 +1,117 @@
From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Tue, 8 Oct 2024 09:24:30 +0800
Subject: [PATCH] fix CVE-2024-47814
Problem: [security]: use-after-free when closing a buffer
Solution: When splitting the window and editing a new buffer,
check whether the newly to be edited buffer has been marked
for deletion and abort in this case
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
src/buffer.c | 6 ++++++
src/ex_cmds.c | 12 ++++++++++++
src/proto/buffer.pro | 1 +
src/testdir/test_autocmd.vim | 19 +++++++++++++++++++
src/version.c | 2 ++
5 files changed, 40 insertions(+)
diff --git a/src/buffer.c b/src/buffer.c
index 260d22e..6bdb7a6 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -496,6 +496,12 @@ can_unload_buffer(buf_T *buf)
return can_unload;
}
+ int
+buf_locked(buf_T *buf)
+{
+ return buf->b_locked || buf->b_locked_split;
+}
+
/*
* Close the link to a buffer.
* "action" is used when there is no longer a window for the buffer.
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 46c4503..31cef2a 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2740,6 +2740,18 @@ do_ecmd(
}
if (buf == NULL)
goto theend;
+ // autocommands try to edit a file that is goind to be removed,
+ // abort
+ if (buf_locked(buf))
+ {
+ // window was split, but not editing the new buffer,
+ // reset b_nwindows again
+ if (oldwin == NULL
+ && curwin->w_buffer != NULL
+ && curwin->w_buffer->b_nwindows > 1)
+ --curwin->w_buffer->b_nwindows;
+ goto theend;
+ }
if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
// reusing the buffer, keep the old alternate file
curwin->w_alt_fnum = prev_alt_fnum;
diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro
index 3a61027..dc68ca8 100644
--- a/src/proto/buffer.pro
+++ b/src/proto/buffer.pro
@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
void set_buflisted(int on);
int buf_contents_changed(buf_T *buf);
void wipe_buffer(buf_T *buf, int aucmd);
+int buf_locked(buf_T *buf);
/* vim: set ft=c : */
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
index 0652a6f..3abde1e 100644
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
@@ -4311,4 +4311,23 @@ func Test_autocmd_shortmess()
delfunc SetupVimTest_shm
endfunc
+" This was using freed memory
+func Test_autocmd_BufWinLeave_with_vsp()
+ new
+ let fname = 'XXXBufWinLeaveUAF.txt'
+ let dummy = 'XXXDummy.txt'
+ call writefile([], fname)
+ call writefile([], dummy)
+ defer delete(fname)
+ defer delete(dummy)
+ exe "e " fname
+ vsp
+ augroup testing
+ exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
+ augroup END
+ bw
+ call CleanUpTestAuGroup()
+ exe "bw! " .. dummy
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 10916ed..286a45f 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 679,
/**/
678,
/**/
--
2.43.0

9
vim.spec
View File

@ -14,7 +14,7 @@
Name: vim Name: vim
Epoch: 2 Epoch: 2
Version: %{baseversion}.%{patchlevel} Version: %{baseversion}.%{patchlevel}
Release: 11 Release: 12
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
License: Vim and MIT License: Vim and MIT
URL: http://www.vim.org URL: http://www.vim.org
@ -52,6 +52,7 @@ Patch6017: backport-CVE-2024-43374.patch
Patch6018: backport-CVE-2024-43802.patch Patch6018: backport-CVE-2024-43802.patch
Patch9000: bugfix-rm-modify-info-version.patch Patch9000: bugfix-rm-modify-info-version.patch
Patch9001: fix-CVE-2024-47814.patch
BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@ -457,6 +458,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
%{_mandir}/man1/evim.* %{_mandir}/man1/evim.*
%changelog %changelog
* Tue Oct 08 2024 changtao <changtao@kylinos.cn> - 2:9.0.2092-12
- Type:CVE
- ID:CVE-2024-47814
- SUG:NA
- DESC:fix CVE-2024-47814
* Thu Aug 29 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-11 * Thu Aug 29 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-11
- Type:CVE - Type:CVE
- ID:CVE-2024-43802 - ID:CVE-2024-43802