fix CVE-2025-1215 CVE-2025-26603

2025-02-18 17:00:23 +08:00 · 2025-02-18 17:00:23 +08:00 · 6b130b0f8e
commit 6b130b0f8e
parent 2ce48f9807
3 changed files with 195 additions and 1 deletions
--- a/backport-CVE-2025-1215.patch
+++ b/backport-CVE-2025-1215.patch
@ -0,0 +1,124 @@
+From c5654b84480822817bb7b69ebc97c174c91185e9 Mon Sep 17 00:00:00 2001
+From: Hirohito Higashi <h.east.727@gmail.com>
+Date: Mon, 10 Feb 2025 20:55:17 +0100
+Subject: [PATCH] patch 9.1.1097: --log with non-existent path causes a crash
+
+Problem:  --log with non-existent path causes a crash
+          (Ekkosun)
+Solution: split initialization phase and init the execution stack
+          earlier (Hirohito Higashi)
+
+fixes: #16606
+closes: #16610
+
+Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/main.c                   | 21 +++++++++++++++++----
+ src/message_test.c           |  3 ++-
+ src/proto/main.pro           |  3 ++-
+ src/testdir/test_startup.vim |  7 +++++++
+ 4 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index ecc61f4d0be886..f603a52a52e09d 100644
+--- a/src/main.c
+++ b/src/main.c
+@@ -144,6 +144,11 @@ main
+     atexit(vim_mem_profile_dump);
+ #endif
+ 
+    /*
+     * Various initialisations #1 shared with tests.
+     */
+    common_init_1();
+
+ #if defined(STARTUPTIME) || defined(FEAT_JOB_CHANNEL)
+     // Need to find "--startuptime" and "--log" before actually parsing
+     // arguments.
+@@ -185,9 +190,9 @@ main
+ #endif
+ 
+     /*
+-     * Various initialisations shared with tests.
+     * Various initialisations #2 shared with tests.
+      */
+-    common_init(&params);
+    common_init_2(&params);
+ 
+ #ifdef VIMDLL
+     // Check if the current executable file is for the GUI subsystem.
+@@ -900,10 +905,10 @@ vim_main2(void)
+ }
+ 
+ /*
+- * Initialisation shared by main() and some tests.
+ * Initialisation #1 shared by main() and some tests.
+  */
+     void
+-common_init(mparm_T *paramp)
+common_init_1(void)
+ {
+     estack_init();
+     cmdline_init();
+@@ -925,7 +930,15 @@ common_init(mparm_T *paramp)
+ 	    || (NameBuff = alloc(MAXPATHL)) == NULL)
+ 	mch_exit(0);
+     TIME_MSG("Allocated generic buffers");
+}
+
+ 
+/*
+ * Initialisation #2 shared by main() and some tests.
+ */
+    void
+common_init_2(mparm_T *paramp)
+{
+ #ifdef NBDEBUG
+     // Wait a moment for debugging NetBeans.  Must be after allocating
+     // NameBuff.
+diff --git a/src/message_test.c b/src/message_test.c
+index 62f7772470d0e4..83767ece930899 100644
+--- a/src/message_test.c
+++ b/src/message_test.c
+@@ -508,7 +508,8 @@ main(int argc, char **argv)
+     CLEAR_FIELD(params);
+     params.argc = argc;
+     params.argv = argv;
+-    common_init(&params);
+    common_init_1();
+    common_init_2(&params);
+ 
+     set_option_value_give_err((char_u *)"encoding", 0, (char_u *)"utf-8", 0);
+     init_chartab();
+diff --git a/src/proto/main.pro b/src/proto/main.pro
+index 496fe66be6950d..7e4c50803e8ef2 100644
+--- a/src/proto/main.pro
+++ b/src/proto/main.pro
+@@ -1,6 +1,7 @@
+ /* main.c */
+ int vim_main2(void);
+-void common_init(mparm_T *paramp);
+void common_init_1(void);
+void common_init_2(mparm_T *paramp);
+ int is_not_a_term(void);
+ int is_not_a_term_or_gui(void);
+ void free_vbuf(void);
+diff --git a/src/testdir/test_startup.vim b/src/testdir/test_startup.vim
+index 7c703916045e70..c16e4ae27de3b2 100644
+--- a/src/testdir/test_startup.vim
+++ b/src/testdir/test_startup.vim
+@@ -734,6 +734,13 @@ func Test_log()
+   call delete('Xlogfile')
+ endfunc
+ 
+func Test_log_nonexistent()
+  " this used to crash Vim
+  CheckFeature channel
+  let result = join(systemlist(GetVimCommand() .. ' --log /X/Xlogfile -c qa!'))
+  call assert_match("E484: Can't open file", result)
+endfunc
+
+ func Test_read_stdin()
+   let after =<< trim [CODE]
+     write Xtestout
--- a/backport-CVE-2025-26603.patch
+++ b/backport-CVE-2025-26603.patch
@ -0,0 +1,62 @@
+From c0f0e2380e5954f4a52a131bf6b8499838ad1dae Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 16 Feb 2025 16:06:38 +0100
+Subject: [PATCH] patch 9.1.1115: [security]: use-after-free in str_to_reg()
+
+Problem:  [security]: use-after-free in str_to_reg()
+          (fizz-is-on-the-way)
+Solution: when redirecting the :display command, check that one
+          does not output to the register being displayed
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/register.c                 |  3 ++-
+ src/testdir/test_registers.vim | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index 0df05054ca7229..a9630f8ef5db93 100644
+--- a/src/register.c
+++ b/src/register.c
+@@ -2405,7 +2405,8 @@ ex_display(exarg_T *eap)
+ 
+ #ifdef FEAT_EVAL
+ 	if (name == MB_TOLOWER(redir_reg)
+-		|| (redir_reg == '"' && yb == y_previous))
+		|| (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
+		    (yb == y_previous || yb == &y_regs[0])))
+ 	    continue;	    // do not list register being written to, the
+ 			    // pointer can be freed
+ #endif
+diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
+index 1177c2395d3f09..13127022666e04 100644
+--- a/src/testdir/test_registers.vim
+++ b/src/testdir/test_registers.vim
+@@ -929,4 +929,24 @@ func Test_register_y_append_reset()
+   bwipe!
+ endfunc
+ 
+" This caused use-after-free
+func Test_register_redir_display()
+  " don't touch the clipboard, so only perform this, when the clipboard is not working
+  if has("clipboard_working")
+    throw "Skipped: skip touching the clipboard register!"
+  endif
+  let @"=''
+  redir @+>
+  disp +"
+  redir END
+  call assert_equal("\nType Name Content", getreg('+'))
+  let a = [getreg('1'), getregtype('1')]
+  let @1='register 1'
+  redir @+
+  disp 1
+  redir END
+  call assert_equal("register 1", getreg('1'))
+  call setreg(1, a[0], a[1])
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -14,7 +14,7 @@
 Name:           vim
 Epoch:          2
 Version:        %{baseversion}.%{patchlevel}
-Release:        16
+Release:        17
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -56,6 +56,8 @@ Patch6021:      backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-compl
 Patch6022:      backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
 Patch6023:      backport-CVE-2025-22134.patch
 Patch6024:      backport-CVE-2025-24014.patch
+Patch6025:      backport-CVE-2025-1215.patch
+Patch6026:      backport-CVE-2025-26603.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      fix-CVE-2024-47814.patch
@ -464,6 +466,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*

 %changelog
+* Tue Feb 18 2025 wangjiang <app@cameyan.com> - 2:9.0.2092-17
+- Type:CVE
+- ID:CVE-2025-1215 CVE-2025-26603
+- SUG:NA
+- DESC:fix CVE-2025-1215 CVE-2025-26603
+
 * Mon Jan 20 2025 wangjiang <app@cameyan.com> - 2:9.0.2092-16
 - Type:CVE
 - ID:CVE-2025-22134 CVE-2025-24014