
Bug#1035509: marked as done (unblock: vim/2:9.0.1378-2)



Your message dated Fri, 05 May 2023 20:02:51 +0000
with message-id <E1pv1dj-007np9-0b@respighi.debian.org>
and subject line unblock vim
has caused the Debian Bug report #1035509,
regarding unblock: vim/2:9.0.1378-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1035509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035509
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: vim@packages.debian.org
Control: affects -1 + src:vim

Please unblock package vim

[ Reason ]
- Fix for CVE-2023-2426 (using uninitialized memory)
- Minor fix for indenting of Perl scripts (regression from bullseye)

[ Impact ]
- Shipping with a known CVE, whose fix was requested by the security
  team
- Thousands of wasted keystrokes indenting Perl scripts

[ Tests ]
- New test was added upstream for the CVE, but it's mainly useful for
  running under valgrind

[ Risks ]
Fixes are small and straightforward.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock vim/2:9.0.1378-2
diffstat for vim-9.0.1378 vim-9.0.1378

 changelog                                                                    |    7 
 patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch             |   22 +
 patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch |    2 
 patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch      |  147 ++++++++++
 patches/series                                                               |    2 
 5 files changed, 179 insertions(+), 1 deletion(-)

diff -Nru vim-9.0.1378/debian/changelog vim-9.0.1378/debian/changelog
--- vim-9.0.1378/debian/changelog	2023-03-04 14:41:33.000000000 -0500
+++ vim-9.0.1378/debian/changelog	2023-05-04 06:24:44.000000000 -0400
@@ -1,3 +1,10 @@
+vim (2:9.0.1378-2) unstable; urgency=medium
+
+  * Backport 9.0.1499 to fix CVE-2023-2426 (Closes: #1035323)
+  * Backport fix for indenting of Perl subroutines (Closes: #1034529)
+
+ -- James McCoy <jamessan@debian.org>  Thu, 04 May 2023 06:24:44 -0400
+
 vim (2:9.0.1378-1) unstable; urgency=medium
 
   * Merge upstream patch v9.0.1378
diff -Nru vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
--- vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch	2023-03-04 14:41:33.000000000 -0500
+++ vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch	2023-05-04 06:24:44.000000000 -0400
@@ -86,7 +86,7 @@
  # define SYS_VIMRC_FILE "$VIM/vimrc"
  #endif
 diff --git a/src/structs.h b/src/structs.h
-index d020449..dbbecb4 100644
+index 46a71cb..ac661a6 100644
 --- a/src/structs.h
 +++ b/src/structs.h
 @@ -4468,6 +4468,9 @@ typedef struct
diff -Nru vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch
--- vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch	1969-12-31 19:00:00.000000000 -0500
+++ vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch	2023-05-04 06:24:44.000000000 -0400
@@ -0,0 +1,22 @@
+From: Andy Lester <andy@petdance.com>
+Date: Tue, 26 Apr 2022 20:07:43 -0500
+Subject: Fix GH#267 where indent after a sub would not work
+
+Closes: #1034529
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ runtime/indent/perl.vim | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/runtime/indent/perl.vim b/runtime/indent/perl.vim
+index 4c91fa1..bd2a1a9 100644
+--- a/runtime/indent/perl.vim
++++ b/runtime/indent/perl.vim
+@@ -133,6 +133,7 @@ function! GetPerlIndent()
+                         \ || synid == "perlHereDoc"
+                         \ || synid == "perlBraces"
+                         \ || synid == "perlStatementIndirObj"
++                        \ || synid == "perlSubDeclaration"
+                         \ || synid =~ "^perlFiledescStatement"
+                         \ || synid =~ '^perl\(Sub\|Block\|Package\)Fold'
+                 let brace = strpart(line, bracepos, 1)
diff -Nru vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch
--- vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch	1969-12-31 19:00:00.000000000 -0500
+++ vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch	2023-05-04 06:24:44.000000000 -0400
@@ -0,0 +1,147 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 29 Apr 2023 21:38:04 +0100
+Subject: patch 9.0.1499: using uninitialized memory with fuzzy matching
+
+Problem:    Using uninitialized memory with fuzzy matching.
+Solution:   Initialize the arrays used to store match positions.
+
+Closes: #1035323
+---
+ src/quickfix.c                  |  5 ++++-
+ src/search.c                    | 17 +++++++----------
+ src/testdir/test_matchfuzzy.vim | 27 +++++++++++++++++++++++++++
+ src/version.c                   |  2 ++
+ 4 files changed, 40 insertions(+), 11 deletions(-)
+
+diff --git a/src/quickfix.c b/src/quickfix.c
+index 63dd541..799c243 100644
+--- a/src/quickfix.c
++++ b/src/quickfix.c
+@@ -6058,6 +6058,8 @@ vgr_match_buflines(
+     long	lnum;
+     colnr_T	col;
+     int		pat_len = (int)STRLEN(spat);
++    if (pat_len > MAX_FUZZY_MATCHES)
++	pat_len = MAX_FUZZY_MATCHES;
+ 
+     for (lnum = 1; lnum <= buf->b_ml.ml_line_count && *tomatch > 0; ++lnum)
+     {
+@@ -6066,7 +6068,7 @@ vgr_match_buflines(
+ 	{
+ 	    // Regular expression match
+ 	    while (vim_regexec_multi(regmatch, curwin, buf, lnum,
+-			col, NULL) > 0)
++								col, NULL) > 0)
+ 	    {
+ 		// Pass the buffer number so that it gets used even for a
+ 		// dummy buffer, unless duplicate_name is set, then the
+@@ -6112,6 +6114,7 @@ vgr_match_buflines(
+ 	    int_u   sz = ARRAY_LENGTH(matches);
+ 
+ 	    // Fuzzy string match
++	    CLEAR_FIELD(matches);
+ 	    while (fuzzy_match(str + col, spat, FALSE, &score, matches, sz) > 0)
+ 	    {
+ 		// Pass the buffer number so that it gets used even for a
+diff --git a/src/search.c b/src/search.c
+index 1e4464b..619032c 100644
+--- a/src/search.c
++++ b/src/search.c
+@@ -4422,14 +4422,14 @@ fuzzy_match_recursive(
+ 	// Found match
+ 	if (vim_tolower(c1) == vim_tolower(c2))
+ 	{
+-	    int_u	recursiveMatches[MAX_FUZZY_MATCHES];
+-	    int		recursiveScore = 0;
+-	    char_u	*next_char;
+-
+ 	    // Supplied matches buffer was too short
+ 	    if (nextMatch >= maxMatches)
+ 		return 0;
+ 
++	    int		recursiveScore = 0;
++	    int_u	recursiveMatches[MAX_FUZZY_MATCHES];
++	    CLEAR_FIELD(recursiveMatches);
++
+ 	    // "Copy-on-Write" srcMatches into matches
+ 	    if (first_match && srcMatches)
+ 	    {
+@@ -4438,10 +4438,7 @@ fuzzy_match_recursive(
+ 	    }
+ 
+ 	    // Recursive call that "skips" this match
+-	    if (has_mbyte)
+-		next_char = str + (*mb_ptr2len)(str);
+-	    else
+-		next_char = str + 1;
++	    char_u *next_char = str + (has_mbyte ? (*mb_ptr2len)(str) : 1);
+ 	    if (fuzzy_match_recursive(fuzpat, next_char, strIdx + 1,
+ 			&recursiveScore, strBegin, strLen, matches,
+ 			recursiveMatches,
+@@ -4506,8 +4503,8 @@ fuzzy_match_recursive(
+  * Uses char_u for match indices. Therefore patterns are limited to
+  * MAX_FUZZY_MATCHES characters.
+  *
+- * Returns TRUE if 'pat_arg' matches 'str'. Also returns the match score in
+- * 'outScore' and the matching character positions in 'matches'.
++ * Returns TRUE if "pat_arg" matches "str". Also returns the match score in
++ * "outScore" and the matching character positions in "matches".
+  */
+     int
+ fuzzy_match(
+diff --git a/src/testdir/test_matchfuzzy.vim b/src/testdir/test_matchfuzzy.vim
+index 502d136..43eca8f 100644
+--- a/src/testdir/test_matchfuzzy.vim
++++ b/src/testdir/test_matchfuzzy.vim
+@@ -2,6 +2,7 @@
+ 
+ source shared.vim
+ source check.vim
++source term_util.vim
+ 
+ " Test for matchfuzzy()
+ func Test_matchfuzzy()
+@@ -253,4 +254,30 @@ func Test_matchfuzzy_limit()
+   call assert_equal([{'id': 5, 'val': 'crayon'}], l->matchfuzzy('c', #{key: 'val', limit: 1}))
+ endfunc
+ 
++" This was using uninitialized memory
++func Test_matchfuzzy_initialized()
++  CheckRunVimInTerminal
++
++  " This can take a very long time (esp. when using valgrind).  Run in a
++  " separate Vim instance and kill it after two seconds.  We only check for
++  " memory errors.
++  let lines =<< trim END
++      lvimgrep [ss [fg*
++  END
++  call writefile(lines, 'XTest_matchfuzzy', 'D')
++
++  let buf = RunVimInTerminal('-u NONE -X -Z', {})
++  call term_sendkeys(buf, ":source XTest_matchfuzzy\n")
++  call TermWait(buf, 2000)
++
++  let job = term_getjob(buf)
++  if job_status(job) == "run"
++    call job_stop(job, "int")
++    call TermWait(buf, 50)
++  endif
++
++  " clean up
++  call StopVimInTerminal(buf)
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index c93499c..0e83a6f 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -695,6 +695,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    1499,
+ /**/
+     1378,
+ /**/
diff -Nru vim-9.0.1378/debian/patches/series vim-9.0.1378/debian/patches/series
--- vim-9.0.1378/debian/patches/series	2023-03-04 14:41:33.000000000 -0500
+++ vim-9.0.1378/debian/patches/series	2023-05-04 06:24:44.000000000 -0400
@@ -2,3 +2,5 @@
 debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
 debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
 debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
+patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch
+Fix-GH-267-where-indent-after-a-sub-would-not-work.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
