From 009b337b565ec35b5850feb9cfdff821d9dea99c Mon Sep 17 00:00:00 2001
From: Emre Girgin
Date: Fri, 16 Oct 2020 21:39:10 +0000
Subject: [PATCH 1/2] Fix CVE-2019-12735 in vim
---
 SPECS/vim/CVE-2019-12735.patch | 47 ++++++++++++++++++++++++++++++++++
 SPECS/vim/vim.spec | 11 ++++++--
 2 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/vim/CVE-2019-12735.patch
diff --git a/SPECS/vim/CVE-2019-12735.patch b/SPECS/vim/CVE-2019-12735.patch
new file mode 100644
index 00000000000..83c6cbc0b48
--- /dev/null
+++ b/SPECS/vim/CVE-2019-12735.patch
@@ -0,0 +1,47 @@
+diff --git a/src/getchar.c b/src/getchar.c
+index cc8b344e1..53f3a76be 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -1442,6 +1442,12 @@ openscript(
+ EMSG(_(e_nesting));
+ return;
+ }
++
++ // Disallow sourcing a file in the sandbox, the commands would be executed
++ // later, possibly outside of the sandbox.
++ if (check_secure())
++ return;
++
+ #ifdef FEAT_EVAL
+ if (ignore_script)
+ /* Not reading from script, also don't open one. Warning message? */
+diff --git a/src/testdir/test_source_utf8.vim b/src/testdir/test_source_utf8.vim
+index c29c2ec1f..f13906242 100644
+--- a/src/testdir/test_source_utf8.vim
++++ b/src/testdir/test_source_utf8.vim
+@@ -61,3 +61,12 @@ func Test_source_ctrl_v()
+ unmap __4
+ unmap __5
+ endfunc
++
++func Test_source_sandbox()
++ new
++ call writefile(["Ohello\"], 'Xsourcehello')
++ source! Xsourcehello | echo
++ call assert_equal('hello', getline(1))
++ call assert_fails('sandbox source! Xsourcehello', 'E48:')
++ bwipe!
++endfunc
+diff --git a/src/version.c b/src/version.c
+index dce4643c2..c6e64ea76 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -794,6 +794,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1365,
+ /**/
+ 388,
+ /**/
diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec
index cf2c83c98f4..249e19c0a7c 100644
--- a/SPECS/vim/vim.spec
+++ b/SPECS/vim/vim.spec
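Review bot: In the `openscript()` hunk of the embedded CVE-2019-12735.patch, the new guard is only verified for the explicit `sandbox source!` command: `Test_source_sandbox` asserts E48 for that form, and nothing in the backport exercises the case the added comment describes, where the sourced commands would run after the sandbox has been left. A regression test that reaches `openscript()` from a sandboxed evaluation rather than the `:sandbox` prefix would show that this 8.1.0388 base is covered on that path too. The bare `return` depends on `check_secure()` reporting the error itself, which the E48 assertion suggests but the hunk does not show, since `openscript()` starts and ends outside it. Separately, adding `1365` to `included_patches` makes `has('patch-8.1.1365')` true on a tree that presumably lacks the patches between 388 and 1365; that is worth stating where the backport is declared so later maintainers do not read it as a feature level.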
@@ -3,7 +3,7 @@ Summary: Text editor Name: vim Version: 8.1.0388 -Release: 6%{?dist} +Release: 7%{?dist} License: Vim URL: https://www.vim.org Group: Applications/Editors @@ -11,6 +11,11 @@ Vendor: Microsoft Corporation Distribution: Mariner #Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz Source0: %{name}-%{version}.tar.gz +# Based on: +# https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040.patch +# Had some modifications for patch to apply cleanly. +Patch0: CVE-2019-12735.patch + BuildRequires: ncurses-devel %description @@ -26,7 +31,7 @@ Conflicts: toybox The vim extra package contains a extra files for powerful text editor. %prep -%setup -q +%autosetup -p1 echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h %build @@ -184,6 +189,8 @@ fi %{_bindir}/vimdiff %changelog +* Thu Oct 15 2020 Emre Girgin 8.1.0388-7 +- Fix CVE-2019-12735, CVE-2019-20079, CVE-2019-20807. * Mon Jun 01 2020 Pawel Winogrodzki 8.1.0388-6 - Adding a license reference. * Mon Apr 13 2020 Eric Li 8.1.0388-5 From 8fd088ca2622f129ef8b305f31bbedc39cf9abb1 Mon Sep 17 00:00:00 2001 From: Emre Girgin <50592283+mrgirgin@users.noreply.github.com> Date: Fri, 16 Oct 2020 16:46:17 -0700 Subject: [PATCH 2/2] Update the changelog to address only one CVE. --- SPECS/vim/vim.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec index 249e19c0a7c..4e0eaeb3c95 100644 --- a/SPECS/vim/vim.spec +++ b/SPECS/vim/vim.spec @@ -190,7 +190,7 @@ fi %changelog * Thu Oct 15 2020 Emre Girgin 8.1.0388-7 -- Fix CVE-2019-12735, CVE-2019-20079, CVE-2019-20807. +- Fix CVE-2019-12735. * Mon Jun 01 2020 Pawel Winogrodzki 8.1.0388-6 - Adding a license reference. * Mon Apr 13 2020 Eric Li 8.1.0388-5
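Review bot: The comment added above `Patch0:` in the second vim.spec hunk says the upstream commit "Had some modifications for patch to apply cleanly" but not what was modified, so a later reviewer cannot tell the security-relevant `check_secure()` change from context adjustments without re-diffing against upstream. I would name the differences, for example `# Differences from upstream: <list the hunks whose context or content was changed for 8.1.0388>`. The `%prep` hunk's switch to `%autosetup -p1` applies every declared PatchN with a one-level prefix strip, so future patch files need `a/` and `b/` style paths as this one has. No `%check` section is visible in these hunks, so it is unclear whether the backported `Test_source_sandbox` ever runs during the package build.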