Bug#1035509: [pre-approval] unblock: vim/2:9.0.1378-2
Control: tags -1 confirmed moreinfo
On 2023-05-04 07:50:01 -0400, James McCoy wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: vim@packages.debian.org
> Control: affects -1 + src:vim
>
> Please unblock package vim
Please go ahead and remove the moreinfo tag once the package is
available in unstable.
Cheers
>
> [ Reason ]
> - Fix for CVE-2023-2426 (using uninitialized memory)
> - Minor fix for indenting of Perl scripts (regression from bullseye)
>
> [ Impact ]
> - Shipping with a known CVE, whose fix was requested by the security
> team
> - Thousands of wasted keystrokes indenting Perl scripts
>
> [ Tests ]
> - New test was added upstream for the CVE, but it's mainly useful for
> running under valgrind
>
> [ Risks ]
> Fixes are small and straight forward.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> unblock vim/2:9.0.1378-2
> diffstat for vim-9.0.1378 vim-9.0.1378
>
> changelog | 7
> patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch | 22 +
> patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch | 2
> patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch | 147 ++++++++++
> patches/series | 2
> 5 files changed, 179 insertions(+), 1 deletion(-)
>
> diff -Nru vim-9.0.1378/debian/changelog vim-9.0.1378/debian/changelog
> --- vim-9.0.1378/debian/changelog 2023-03-04 14:41:33.000000000 -0500
> +++ vim-9.0.1378/debian/changelog 2023-05-04 06:24:44.000000000 -0400
> @@ -1,3 +1,10 @@
> +vim (2:9.0.1378-2) unstable; urgency=medium
> +
> + * Backport 9.0.1499 to fix CVE-2023-2426 (Closes: #1035323)
> + * Backport fix for indenting of Perl subroutines (Closes: #1034529)
> +
> + -- James McCoy <jamessan@debian.org> Thu, 04 May 2023 06:24:44 -0400
> +
> vim (2:9.0.1378-1) unstable; urgency=medium
>
> * Merge upstream patch v9.0.1378
> diff -Nru vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
> --- vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch 2023-03-04 14:41:33.000000000 -0500
> +++ vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch 2023-05-04 06:24:44.000000000 -0400
> @@ -86,7 +86,7 @@
> # define SYS_VIMRC_FILE "$VIM/vimrc"
> #endif
> diff --git a/src/structs.h b/src/structs.h
> -index d020449..dbbecb4 100644
> +index 46a71cb..ac661a6 100644
> --- a/src/structs.h
> +++ b/src/structs.h
> @@ -4468,6 +4468,9 @@ typedef struct
> diff -Nru vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch
> --- vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch 1969-12-31 19:00:00.000000000 -0500
> +++ vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch 2023-05-04 06:24:44.000000000 -0400
> @@ -0,0 +1,22 @@
> +From: Andy Lester <andy@petdance.com>
> +Date: Tue, 26 Apr 2022 20:07:43 -0500
> +Subject: Fix GH#267 where indent after a sub would not work
> +
> +Closes: #1034529
> +Signed-off-by: James McCoy <jamessan@debian.org>
> +---
> + runtime/indent/perl.vim | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/runtime/indent/perl.vim b/runtime/indent/perl.vim
> +index 4c91fa1..bd2a1a9 100644
> +--- a/runtime/indent/perl.vim
> ++++ b/runtime/indent/perl.vim
> +@@ -133,6 +133,7 @@ function! GetPerlIndent()
> + \ || synid == "perlHereDoc"
> + \ || synid == "perlBraces"
> + \ || synid == "perlStatementIndirObj"
> ++ \ || synid == "perlSubDeclaration"
> + \ || synid =~ "^perlFiledescStatement"
> + \ || synid =~ '^perl\(Sub\|Block\|Package\)Fold'
> + let brace = strpart(line, bracepos, 1)
> diff -Nru vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch
> --- vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch 1969-12-31 19:00:00.000000000 -0500
> +++ vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch 2023-05-04 06:24:44.000000000 -0400
> @@ -0,0 +1,147 @@
> +From: Bram Moolenaar <Bram@vim.org>
> +Date: Sat, 29 Apr 2023 21:38:04 +0100
> +Subject: patch 9.0.1499: using uninitialized memory with fuzzy matching
> +
> +Problem: Using uninitialized memory with fuzzy matching.
> +Solution: Initialize the arrays used to store match positions.
> +
> +Closes: #1035323
> +---
> + src/quickfix.c | 5 ++++-
> + src/search.c | 17 +++++++----------
> + src/testdir/test_matchfuzzy.vim | 27 +++++++++++++++++++++++++++
> + src/version.c | 2 ++
> + 4 files changed, 40 insertions(+), 11 deletions(-)
> +
> +diff --git a/src/quickfix.c b/src/quickfix.c
> +index 63dd541..799c243 100644
> +--- a/src/quickfix.c
> ++++ b/src/quickfix.c
> +@@ -6058,6 +6058,8 @@ vgr_match_buflines(
> + long lnum;
> + colnr_T col;
> + int pat_len = (int)STRLEN(spat);
> ++ if (pat_len > MAX_FUZZY_MATCHES)
> ++ pat_len = MAX_FUZZY_MATCHES;
> +
> + for (lnum = 1; lnum <= buf->b_ml.ml_line_count && *tomatch > 0; ++lnum)
> + {
> +@@ -6066,7 +6068,7 @@ vgr_match_buflines(
> + {
> + // Regular expression match
> + while (vim_regexec_multi(regmatch, curwin, buf, lnum,
> +- col, NULL) > 0)
> ++ col, NULL) > 0)
> + {
> + // Pass the buffer number so that it gets used even for a
> + // dummy buffer, unless duplicate_name is set, then the
> +@@ -6112,6 +6114,7 @@ vgr_match_buflines(
> + int_u sz = ARRAY_LENGTH(matches);
> +
> + // Fuzzy string match
> ++ CLEAR_FIELD(matches);
> + while (fuzzy_match(str + col, spat, FALSE, &score, matches, sz) > 0)
> + {
> + // Pass the buffer number so that it gets used even for a
> +diff --git a/src/search.c b/src/search.c
> +index 1e4464b..619032c 100644
> +--- a/src/search.c
> ++++ b/src/search.c
> +@@ -4422,14 +4422,14 @@ fuzzy_match_recursive(
> + // Found match
> + if (vim_tolower(c1) == vim_tolower(c2))
> + {
> +- int_u recursiveMatches[MAX_FUZZY_MATCHES];
> +- int recursiveScore = 0;
> +- char_u *next_char;
> +-
> + // Supplied matches buffer was too short
> + if (nextMatch >= maxMatches)
> + return 0;
> +
> ++ int recursiveScore = 0;
> ++ int_u recursiveMatches[MAX_FUZZY_MATCHES];
> ++ CLEAR_FIELD(recursiveMatches);
> ++
> + // "Copy-on-Write" srcMatches into matches
> + if (first_match && srcMatches)
> + {
> +@@ -4438,10 +4438,7 @@ fuzzy_match_recursive(
> + }
> +
> + // Recursive call that "skips" this match
> +- if (has_mbyte)
> +- next_char = str + (*mb_ptr2len)(str);
> +- else
> +- next_char = str + 1;
> ++ char_u *next_char = str + (has_mbyte ? (*mb_ptr2len)(str) : 1);
> + if (fuzzy_match_recursive(fuzpat, next_char, strIdx + 1,
> + &recursiveScore, strBegin, strLen, matches,
> + recursiveMatches,
> +@@ -4506,8 +4503,8 @@ fuzzy_match_recursive(
> + * Uses char_u for match indices. Therefore patterns are limited to
> + * MAX_FUZZY_MATCHES characters.
> + *
> +- * Returns TRUE if 'pat_arg' matches 'str'. Also returns the match score in
> +- * 'outScore' and the matching character positions in 'matches'.
> ++ * Returns TRUE if "pat_arg" matches "str". Also returns the match score in
> ++ * "outScore" and the matching character positions in "matches".
> + */
> + int
> + fuzzy_match(
> +diff --git a/src/testdir/test_matchfuzzy.vim b/src/testdir/test_matchfuzzy.vim
> +index 502d136..43eca8f 100644
> +--- a/src/testdir/test_matchfuzzy.vim
> ++++ b/src/testdir/test_matchfuzzy.vim
> +@@ -2,6 +2,7 @@
> +
> + source shared.vim
> + source check.vim
> ++source term_util.vim
> +
> + " Test for matchfuzzy()
> + func Test_matchfuzzy()
> +@@ -253,4 +254,30 @@ func Test_matchfuzzy_limit()
> + call assert_equal([{'id': 5, 'val': 'crayon'}], l->matchfuzzy('c', #{key: 'val', limit: 1}))
> + endfunc
> +
> ++" This was using uninitialized memory
> ++func Test_matchfuzzy_initialized()
> ++ CheckRunVimInTerminal
> ++
> ++ " This can take a very long time (esp. when using valgrind). Run in a
> ++ " separate Vim instance and kill it after two seconds. We only check for
> ++ " memory errors.
> ++ let lines =<< trim END
> ++ lvimgrep [ss [fg*
> ++ END
> ++ call writefile(lines, 'XTest_matchfuzzy', 'D')
> ++
> ++ let buf = RunVimInTerminal('-u NONE -X -Z', {})
> ++ call term_sendkeys(buf, ":source XTest_matchfuzzy\n")
> ++ call TermWait(buf, 2000)
> ++
> ++ let job = term_getjob(buf)
> ++ if job_status(job) == "run"
> ++ call job_stop(job, "int")
> ++ call TermWait(buf, 50)
> ++ endif
> ++
> ++ " clean up
> ++ call StopVimInTerminal(buf)
> ++endfunc
> ++
> + " vim: shiftwidth=2 sts=2 expandtab
> +diff --git a/src/version.c b/src/version.c
> +index c93499c..0e83a6f 100644
> +--- a/src/version.c
> ++++ b/src/version.c
> +@@ -695,6 +695,8 @@ static char *(features[]) =
> +
> + static int included_patches[] =
> + { /* Add new patch number below this line */
> ++/**/
> ++ 1499,
> + /**/
> + 1378,
> + /**/
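Review bot: The `pat_len` clamp added near the top of vgr_match_buflines (the two lines after `int pat_len = (int)STRLEN(spat);`) carries no comment, and the line that consumes `pat_len` lies outside the hunk, so a reader of this backport cannot see why MAX_FUZZY_MATCHES is the correct bound; presumably it keeps a later index into `matches` (whose size is `ARRAY_LENGTH(matches)`) inside the array that `CLEAR_FIELD(matches)` now zeroes, but that is inferred. A one-line comment such as `// matches[] holds at most MAX_FUZZY_MATCHES positions; keep pat_len within it` would make the invariant explicit at the clamp. Note also that `CLEAR_FIELD(matches)` runs once before the `while (fuzzy_match(...))` loop rather than before each call, so later iterations start from the positions written by the previous match rather than from zeros; that is still initialized memory, which is what the fix needs, but if it is deliberate it is worth saying so in the comment above the loop. The new Test_matchfuzzy_initialized runs the `lvimgrep` line under a time limit and asserts nothing, so it only reveals a regression when the test suite is run under a memory checker, as the unblock request itself notes.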
> diff -Nru vim-9.0.1378/debian/patches/series vim-9.0.1378/debian/patches/series
> --- vim-9.0.1378/debian/patches/series 2023-03-04 14:41:33.000000000 -0500
> +++ vim-9.0.1378/debian/patches/series 2023-05-04 06:24:44.000000000 -0400
> @@ -2,3 +2,5 @@
> debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
> debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
> debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
> +patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch
> +Fix-GH-267-where-indent-after-a-sub-would-not-work.patch
--
Sebastian Ramacher