diff -Nru vim-8.2.2434/debian/changelog vim-8.2.2434/debian/changelog --- vim-8.2.2434/debian/changelog 2021-05-10 11:47:48.000000000 +0000 +++ vim-8.2.2434/debian/changelog 2021-09-21 08:39:53.000000000 +0000 @@ -1,3 +1,29 @@ +vim (2:8.2.2434-3ubuntu3) impish; urgency=medium + + * Add impish to supported releases (LP: #1944419) + + -- Heinrich Schuchardt Tue, 21 Sep 2021 10:39:53 +0200 + +vim (2:8.2.2434-3ubuntu2) impish; urgency=medium + + * SECURITY UPDATE: Fix heap-based buffer overflow when using :retab with large value + - debian/patches/CVE-2021-3770-1.patch: Check vartabstop contains positive + number in src/indent.c. + - debian/patches/CVE-2021-3770-2.patch: Fix memory leak for :retab with + invalid argument + - CVE-2021-3770 + * SECURITY UPDATE: Fix heap-based buffer overflow when reading beyond end of line + with invalid utf-8 character + - debian/patches/CVE-2021-3778.patch: Validate encoding of character before + advancing line in regexp_nfa.c. + - CVE-2021-3778 + * SECURITY UPDATE: Fix use after free when replacing + - debian/patches/CVE-2021-3796.patch: Get the line pointer after calling + ins_copychar() in src/normal.c. + - CVE-2021-3796 + + -- Spyros Seimenis Mon, 20 Sep 2021 14:50:52 +0300 + vim (2:8.2.2434-3ubuntu1) impish; urgency=medium * Merge from Debian unstable. Remaining changes: diff -Nru vim-8.2.2434/debian/patches/0001-add-impish.patch vim-8.2.2434/debian/patches/0001-add-impish.patch --- vim-8.2.2434/debian/patches/0001-add-impish.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.2434/debian/patches/0001-add-impish.patch 2021-09-21 08:39:53.000000000 +0000 @@ -0,0 +1,29 @@ +Description: Add impish to supported releases +Author: Heinrich Schuchardt +Bug-Ubuntu: https://launchpad.net/bugs/1944419 +Last-Update: 2021-09-21 + +--- a/runtime/syntax/debchangelog.vim ++++ b/runtime/syntax/debchangelog.vim +@@ -24,7 +24,8 @@ + \ 'jessie', 'stretch', 'buster', 'bullseye', 'bookworm', + \ 'trixie', 'sid', 'rc-buggy', + \ +- \ 'trusty', 'xenial', 'bionic', 'focal', 'groovy', 'hirsute', 'devel' ++ \ 'trusty', 'xenial', 'bionic', 'focal', 'groovy', 'hirsute', 'impish', ++ \ 'devel' + \ ] + let s:unsupported = [ + \ 'frozen', 'buzz', 'rex', 'bo', 'hamm', 'slink', 'potato', +--- a/runtime/syntax/debsources.vim ++++ b/runtime/syntax/debsources.vim +@@ -26,7 +26,8 @@ + \ 'jessie', 'stretch', 'buster', 'bullseye', 'bookworm', + \ 'trixie', 'sid', 'rc-buggy', + \ +- \ 'trusty', 'xenial', 'bionic', 'focal', 'groovy', 'hirsute', 'devel' ++ \ 'trusty', 'xenial', 'bionic', 'focal', 'groovy', 'hirsute', 'impish', ++ \ 'devel' + \ ] + let s:unsupported = [ + \ 'buzz', 'rex', 'bo', 'hamm', 'slink', 'potato', diff -Nru vim-8.2.2434/debian/patches/CVE-2021-3770-1.patch vim-8.2.2434/debian/patches/CVE-2021-3770-1.patch --- vim-8.2.2434/debian/patches/CVE-2021-3770-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.2434/debian/patches/CVE-2021-3770-1.patch 2021-09-20 11:50:52.000000000 +0000 @@ -0,0 +1,205 @@ +From b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 4 Sep 2021 18:47:28 +0200 +Subject: [PATCH] patch 8.2.3402: invalid memory access when using :retab with + large value + +Problem: Invalid memory access when using :retab with large value. +Solution: Check the number is positive. +--- + src/indent.c | 34 +++++++++++++++++++++------------- + src/option.c | 12 ++++++------ + src/optionstr.c | 4 ++-- + src/testdir/test_retab.vim | 3 +++ + src/version.c | 2 ++ + 5 files changed, 34 insertions(+), 21 deletions(-) + +Index: vim-8.2.2434/src/indent.c +=================================================================== +--- vim-8.2.2434.orig/src/indent.c ++++ vim-8.2.2434/src/indent.c +@@ -18,18 +18,19 @@ + /* + * Set the integer values corresponding to the string setting of 'vartabstop'. + * "array" will be set, caller must free it if needed. ++ * Return FAIL for an error. + */ + int + tabstop_set(char_u *var, int **array) + { +- int valcount = 1; +- int t; +- char_u *cp; ++ int valcount = 1; ++ int t; ++ char_u *cp; + + if (var[0] == NUL || (var[0] == '0' && var[1] == NUL)) + { + *array = NULL; +- return TRUE; ++ return OK; + } + + for (cp = var; *cp != NUL; ++cp) +@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array) + if (cp != end) + emsg(_(e_positive)); + else +- emsg(_(e_invarg)); +- return FALSE; ++ semsg(_(e_invarg2), cp); ++ return FAIL; + } + } + +@@ -55,26 +56,33 @@ tabstop_set(char_u *var, int **array) + ++valcount; + continue; + } +- emsg(_(e_invarg)); +- return FALSE; ++ semsg(_(e_invarg2), var); ++ return FAIL; + } + + *array = ALLOC_MULT(int, valcount + 1); + if (*array == NULL) +- return FALSE; ++ return FAIL; + (*array)[0] = valcount; + + t = 1; + for (cp = var; *cp != NUL;) + { +- (*array)[t++] = atoi((char *)cp); +- while (*cp != NUL && *cp != ',') ++ int n = atoi((char *)cp); ++ ++ if (n < 0 || n > 9999) ++ { ++ semsg(_(e_invarg2), cp); ++ return FAIL; ++ } ++ (*array)[t++] = n; ++ while (*cp != NUL && *cp != ',') + ++cp; + if (*cp != NUL) + ++cp; + } + +- return TRUE; ++ return OK; + } + + /* +@@ -1560,7 +1568,7 @@ ex_retab(exarg_T *eap) + + #ifdef FEAT_VARTABS + new_ts_str = eap->arg; +- if (!tabstop_set(eap->arg, &new_vts_array)) ++ if (tabstop_set(eap->arg, &new_vts_array) == FAIL) + return; + while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',') + ++(eap->arg); +Index: vim-8.2.2434/src/option.c +=================================================================== +--- vim-8.2.2434.orig/src/option.c ++++ vim-8.2.2434/src/option.c +@@ -2347,9 +2347,9 @@ didset_options2(void) + #endif + #ifdef FEAT_VARTABS + vim_free(curbuf->b_p_vsts_array); +- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array); ++ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array); + vim_free(curbuf->b_p_vts_array); +- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array); ++ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array); + #endif + } + +@@ -5808,7 +5808,7 @@ buf_copy_options(buf_T *buf, int flags) + buf->b_p_vsts = vim_strsave(p_vsts); + COPY_OPT_SCTX(buf, BV_VSTS); + if (p_vsts && p_vsts != empty_option) +- tabstop_set(p_vsts, &buf->b_p_vsts_array); ++ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array); + else + buf->b_p_vsts_array = 0; + buf->b_p_vsts_nopaste = p_vsts_nopaste +@@ -5968,7 +5968,7 @@ buf_copy_options(buf_T *buf, int flags) + buf->b_p_isk = save_p_isk; + #ifdef FEAT_VARTABS + if (p_vts && p_vts != empty_option && !buf->b_p_vts_array) +- tabstop_set(p_vts, &buf->b_p_vts_array); ++ (void)tabstop_set(p_vts, &buf->b_p_vts_array); + else + buf->b_p_vts_array = NULL; + #endif +@@ -5983,7 +5983,7 @@ buf_copy_options(buf_T *buf, int flags) + buf->b_p_vts = vim_strsave(p_vts); + COPY_OPT_SCTX(buf, BV_VTS); + if (p_vts && p_vts != empty_option && !buf->b_p_vts_array) +- tabstop_set(p_vts, &buf->b_p_vts_array); ++ (void)tabstop_set(p_vts, &buf->b_p_vts_array); + else + buf->b_p_vts_array = NULL; + #endif +@@ -6676,7 +6676,7 @@ paste_option_changed(void) + if (buf->b_p_vsts_array) + vim_free(buf->b_p_vsts_array); + if (buf->b_p_vsts && buf->b_p_vsts != empty_option) +- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array); ++ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array); + else + buf->b_p_vsts_array = 0; + #endif +Index: vim-8.2.2434/src/optionstr.c +=================================================================== +--- vim-8.2.2434.orig/src/optionstr.c ++++ vim-8.2.2434/src/optionstr.c +@@ -2180,7 +2180,7 @@ did_set_string_option( + if (errmsg == NULL) + { + int *oldarray = curbuf->b_p_vsts_array; +- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array))) ++ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK) + { + if (oldarray) + vim_free(oldarray); +@@ -2219,7 +2219,7 @@ did_set_string_option( + { + int *oldarray = curbuf->b_p_vts_array; + +- if (tabstop_set(*varp, &(curbuf->b_p_vts_array))) ++ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK) + { + vim_free(oldarray); + #ifdef FEAT_FOLDING +Index: vim-8.2.2434/src/testdir/test_retab.vim +=================================================================== +--- vim-8.2.2434.orig/src/testdir/test_retab.vim ++++ vim-8.2.2434/src/testdir/test_retab.vim +@@ -75,6 +75,9 @@ endfunc + func Test_retab_error() + call assert_fails('retab -1', 'E487:') + call assert_fails('retab! -1', 'E487:') ++ call assert_fails('ret -1000', 'E487:') ++ call assert_fails('ret 10000', 'E475:') ++ call assert_fails('ret 80000000000000000000', 'E475:') + endfunc + + " vim: shiftwidth=2 sts=2 expandtab +Index: vim-8.2.2434/src/version.c +=================================================================== +--- vim-8.2.2434.orig/src/version.c ++++ vim-8.2.2434/src/version.c +@@ -751,6 +751,8 @@ static char *(features[]) = + static int included_patches[] = + { /* Add new patch number below this line */ + /**/ ++ 3402, ++/**/ + 2434, + /**/ + 2433, diff -Nru vim-8.2.2434/debian/patches/CVE-2021-3770-2.patch vim-8.2.2434/debian/patches/CVE-2021-3770-2.patch --- vim-8.2.2434/debian/patches/CVE-2021-3770-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.2434/debian/patches/CVE-2021-3770-2.patch 2021-09-20 11:50:52.000000000 +0000 @@ -0,0 +1,63 @@ +From 2ddb89f8a94425cda1e5491efc80c1ccccb6e08e Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 4 Sep 2021 21:20:41 +0200 +Subject: [PATCH] patch 8.2.3403: memory leak for :retab with invalid argument + +Problem: Memory leak for :retab with invalid argument. +Solution: Free the memory. Make error messages consistent. +--- + src/indent.c | 13 +++++++++++-- + src/version.c | 2 ++ + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/indent.c b/src/indent.c +index cd03f25d258..51af4df06ba 100644 +--- a/src/indent.c ++++ b/src/indent.c +@@ -70,9 +70,12 @@ tabstop_set(char_u *var, int **array) + { + int n = atoi((char *)cp); + ++ // Catch negative values, overflow and ridiculous big values. + if (n < 0 || n > 9999) + { + semsg(_(e_invarg2), cp); ++ vim_free(*array); ++ *array = NULL; + return FAIL; + } + (*array)[t++] = n; +@@ -1615,12 +1618,18 @@ ex_retab(exarg_T *eap) + else + new_ts_str = vim_strnsave(new_ts_str, eap->arg - new_ts_str); + #else +- new_ts = getdigits(&(eap->arg)); +- if (new_ts < 0) ++ ptr = eap->arg; ++ new_ts = getdigits(&ptr); ++ if (new_ts < 0 && *eap->arg == '-') + { + emsg(_(e_positive)); + return; + } ++ if (new_ts < 0 || new_ts > 9999) ++ { ++ semsg(_(e_invarg2), eap->arg); ++ return; ++ } + if (new_ts == 0) + new_ts = curbuf->b_p_ts; + #endif +diff --git a/src/version.c b/src/version.c +index a5e931cfad1..97467aab992 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -755,6 +755,8 @@ static char *(features[]) = + + static int included_patches[] = + { /* Add new patch number below this line */ ++/**/ ++ 3403, + /**/ + 3402, + /**/ diff -Nru vim-8.2.2434/debian/patches/CVE-2021-3778.patch vim-8.2.2434/debian/patches/CVE-2021-3778.patch --- vim-8.2.2434/debian/patches/CVE-2021-3778.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.2434/debian/patches/CVE-2021-3778.patch 2021-09-20 11:50:52.000000000 +0000 @@ -0,0 +1,58 @@ +From 65b605665997fad54ef39a93199e305af2fe4d7f Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Tue, 7 Sep 2021 19:26:53 +0200 +Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8 + character + +Problem: Reading beyond end of line with invalid utf-8 character. +Solution: Check for NUL when advancing. +--- + src/regexp_nfa.c | 3 ++- + src/testdir/test_regexp_utf8.vim | 8 ++++++++ + src/version.c | 2 ++ + 3 files changed, 12 insertions(+), 1 deletion(-) + +Index: vim-8.2.2434/src/regexp_nfa.c +=================================================================== +--- vim-8.2.2434.orig/src/regexp_nfa.c ++++ vim-8.2.2434/src/regexp_nfa.c +@@ -5479,7 +5479,8 @@ find_match_text(colnr_T startcol, int re + match = FALSE; + break; + } +- len2 += MB_CHAR2LEN(c2); ++ len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2) ++ : MB_CHAR2LEN(c2); + } + if (match + // check that no composing char follows +Index: vim-8.2.2434/src/testdir/test_regexp_utf8.vim +=================================================================== +--- vim-8.2.2434.orig/src/testdir/test_regexp_utf8.vim ++++ vim-8.2.2434/src/testdir/test_regexp_utf8.vim +@@ -558,4 +558,12 @@ func Test_match_char_class_upper() + bwipe! + endfunc + ++func Test_match_invalid_byte() ++ call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid') ++ new ++ source Xinvalid ++ bwipe! ++ call delete('Xinvalid') ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +Index: vim-8.2.2434/src/version.c +=================================================================== +--- vim-8.2.2434.orig/src/version.c ++++ vim-8.2.2434/src/version.c +@@ -751,6 +751,8 @@ static char *(features[]) = + static int included_patches[] = + { /* Add new patch number below this line */ + /**/ ++ 3409, ++/**/ + 3403, + /**/ + 3402, diff -Nru vim-8.2.2434/debian/patches/CVE-2021-3796.patch vim-8.2.2434/debian/patches/CVE-2021-3796.patch --- vim-8.2.2434/debian/patches/CVE-2021-3796.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.2434/debian/patches/CVE-2021-3796.patch 2021-09-20 11:50:52.000000000 +0000 @@ -0,0 +1,78 @@ +From 35a9a00afcb20897d462a766793ff45534810dc3 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 11 Sep 2021 21:14:20 +0200 +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing + +Problem: Using freed memory when replacing. (Dhiraj Mishra) +Solution: Get the line pointer after calling ins_copychar(). +--- + src/normal.c | 10 +++++++--- + src/testdir/test_edit.vim | 12 ++++++++++++ + src/version.c | 2 ++ + 3 files changed, 21 insertions(+), 3 deletions(-) + +Index: vim-8.2.2434/src/normal.c +=================================================================== +--- vim-8.2.2434.orig/src/normal.c ++++ vim-8.2.2434/src/normal.c +@@ -5074,19 +5074,23 @@ nv_replace(cmdarg_T *cap) + { + /* + * Get ptr again, because u_save and/or showmatch() will have +- * released the line. At the same time we let know that the +- * line will be changed. ++ * released the line. This may also happen in ins_copychar(). ++ * At the same time we let know that the line will be changed. + */ +- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y) + { + int c = ins_copychar(curwin->w_cursor.lnum + + (cap->nchar == Ctrl_Y ? -1 : 1)); ++ ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + if (c != NUL) + ptr[curwin->w_cursor.col] = c; + } + else ++ { ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); + ptr[curwin->w_cursor.col] = cap->nchar; ++ } + if (p_sm && msg_silent == 0) + showmatch(cap->nchar); + ++curwin->w_cursor.col; +Index: vim-8.2.2434/src/testdir/test_edit.vim +=================================================================== +--- vim-8.2.2434.orig/src/testdir/test_edit.vim ++++ vim-8.2.2434/src/testdir/test_edit.vim +@@ -1839,4 +1839,16 @@ func Test_read_invalid() + set encoding=utf-8 + endfunc + ++" Test for getting the character of the line below after "p" ++func Test_edit_put_CTRL_E() ++ set encoding=latin1 ++ new ++ let @" = '' ++ sil! norm orggRx ++ sil! norm pr ++ call assert_equal(['r', 'r'], getline(1, 2)) ++ bwipe! ++ set encoding=utf-8 ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +Index: vim-8.2.2434/src/version.c +=================================================================== +--- vim-8.2.2434.orig/src/version.c ++++ vim-8.2.2434/src/version.c +@@ -751,6 +751,8 @@ static char *(features[]) = + static int included_patches[] = + { /* Add new patch number below this line */ + /**/ ++ 3428, ++/**/ + 3409, + /**/ + 3403, diff -Nru vim-8.2.2434/debian/patches/series vim-8.2.2434/debian/patches/series --- vim-8.2.2434/debian/patches/series 2021-05-10 11:45:35.000000000 +0000 +++ vim-8.2.2434/debian/patches/series 2021-09-21 08:39:53.000000000 +0000 @@ -6,3 +6,8 @@ update-upstart-syntax.patch ubuntu-mouse-off.patch increase_timeout.diff +CVE-2021-3770-1.patch +CVE-2021-3770-2.patch +CVE-2021-3778.patch +CVE-2021-3796.patch +0001-add-impish.patch