Bug#1035509: [pre-approval] unblock: vim/2:9.0.1378-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: vim@packages.debian.org
Control: affects -1 + src:vim
Please unblock package vim
[ Reason ]
- Fix for CVE-2023-2426 (using uninitialized memory)
- Minor fix for indenting of Perl scripts (regression from bullseye)
[ Impact ]
- Shipping with a known CVE, whose fix was requested by the security
team
- Thousands of wasted keystrokes indenting Perl scripts
[ Tests ]
- New test was added upstream for the CVE, but its mainly useful for
running under valgrind
[ Risks ]
Fixes are small and straight forward.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock vim/2:9.0.1378-2
diffstat for vim-9.0.1378 vim-9.0.1378
changelog | 7
patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch | 22 +
patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch | 2
patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch | 147 ++++++++++
patches/series | 2
5 files changed, 179 insertions(+), 1 deletion(-)
diff -Nru vim-9.0.1378/debian/changelog vim-9.0.1378/debian/changelog
--- vim-9.0.1378/debian/changelog 2023-03-04 14:41:33.000000000 -0500
+++ vim-9.0.1378/debian/changelog 2023-05-04 06:24:44.000000000 -0400
@@ -1,3 +1,10 @@
+vim (2:9.0.1378-2) unstable; urgency=medium
+
+ * Backport 9.0.1499 to fix CVE-2023-2426 (Closes: #1035323)
+ * Backport fix for indenting of Perl subroutines (Closes: #1034529)
+
+ -- James McCoy <jamessan@debian.org> Thu, 04 May 2023 06:24:44 -0400
+
vim (2:9.0.1378-1) unstable; urgency=medium
* Merge upstream patch v9.0.1378
diff -Nru vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
--- vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch 2023-03-04 14:41:33.000000000 -0500
+++ vim-9.0.1378/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch 2023-05-04 06:24:44.000000000 -0400
@@ -86,7 +86,7 @@
# define SYS_VIMRC_FILE "$VIM/vimrc"
#endif
diff --git a/src/structs.h b/src/structs.h
-index d020449..dbbecb4 100644
+index 46a71cb..ac661a6 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -4468,6 +4468,9 @@ typedef struct
diff -Nru vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch
--- vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch 1969-12-31 19:00:00.000000000 -0500
+++ vim-9.0.1378/debian/patches/Fix-GH-267-where-indent-after-a-sub-would-not-work.patch 2023-05-04 06:24:44.000000000 -0400
@@ -0,0 +1,22 @@
+From: Andy Lester <andy@petdance.com>
+Date: Tue, 26 Apr 2022 20:07:43 -0500
+Subject: Fix GH#267 where indent after a sub would not work
+
+Closes: #1034529
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ runtime/indent/perl.vim | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/runtime/indent/perl.vim b/runtime/indent/perl.vim
+index 4c91fa1..bd2a1a9 100644
+--- a/runtime/indent/perl.vim
++++ b/runtime/indent/perl.vim
+@@ -133,6 +133,7 @@ function! GetPerlIndent()
+ \ || synid == "perlHereDoc"
+ \ || synid == "perlBraces"
+ \ || synid == "perlStatementIndirObj"
++ \ || synid == "perlSubDeclaration"
+ \ || synid =~ "^perlFiledescStatement"
+ \ || synid =~ '^perl\(Sub\|Block\|Package\)Fold'
+ let brace = strpart(line, bracepos, 1)
diff -Nru vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch
--- vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch 1969-12-31 19:00:00.000000000 -0500
+++ vim-9.0.1378/debian/patches/patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch 2023-05-04 06:24:44.000000000 -0400
@@ -0,0 +1,147 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 29 Apr 2023 21:38:04 +0100
+Subject: patch 9.0.1499: using uninitialized memory with fuzzy matching
+
+Problem: Using uninitialized memory with fuzzy matching.
+Solution: Initialize the arrays used to store match positions.
+
+Closes: #1035323
+---
+ src/quickfix.c | 5 ++++-
+ src/search.c | 17 +++++++----------
+ src/testdir/test_matchfuzzy.vim | 27 +++++++++++++++++++++++++++
+ src/version.c | 2 ++
+ 4 files changed, 40 insertions(+), 11 deletions(-)
+
+diff --git a/src/quickfix.c b/src/quickfix.c
+index 63dd541..799c243 100644
+--- a/src/quickfix.c
++++ b/src/quickfix.c
+@@ -6058,6 +6058,8 @@ vgr_match_buflines(
+ long lnum;
+ colnr_T col;
+ int pat_len = (int)STRLEN(spat);
++ if (pat_len > MAX_FUZZY_MATCHES)
++ pat_len = MAX_FUZZY_MATCHES;
+
+ for (lnum = 1; lnum <= buf->b_ml.ml_line_count && *tomatch > 0; ++lnum)
+ {
+@@ -6066,7 +6068,7 @@ vgr_match_buflines(
+ {
+ // Regular expression match
+ while (vim_regexec_multi(regmatch, curwin, buf, lnum,
+- col, NULL) > 0)
++ col, NULL) > 0)
+ {
+ // Pass the buffer number so that it gets used even for a
+ // dummy buffer, unless duplicate_name is set, then the
+@@ -6112,6 +6114,7 @@ vgr_match_buflines(
+ int_u sz = ARRAY_LENGTH(matches);
+
+ // Fuzzy string match
++ CLEAR_FIELD(matches);
+ while (fuzzy_match(str + col, spat, FALSE, &score, matches, sz) > 0)
+ {
+ // Pass the buffer number so that it gets used even for a
+diff --git a/src/search.c b/src/search.c
+index 1e4464b..619032c 100644
+--- a/src/search.c
++++ b/src/search.c
+@@ -4422,14 +4422,14 @@ fuzzy_match_recursive(
+ // Found match
+ if (vim_tolower(c1) == vim_tolower(c2))
+ {
+- int_u recursiveMatches[MAX_FUZZY_MATCHES];
+- int recursiveScore = 0;
+- char_u *next_char;
+-
+ // Supplied matches buffer was too short
+ if (nextMatch >= maxMatches)
+ return 0;
+
++ int recursiveScore = 0;
++ int_u recursiveMatches[MAX_FUZZY_MATCHES];
++ CLEAR_FIELD(recursiveMatches);
++
+ // "Copy-on-Write" srcMatches into matches
+ if (first_match && srcMatches)
+ {
+@@ -4438,10 +4438,7 @@ fuzzy_match_recursive(
+ }
+
+ // Recursive call that "skips" this match
+- if (has_mbyte)
+- next_char = str + (*mb_ptr2len)(str);
+- else
+- next_char = str + 1;
++ char_u *next_char = str + (has_mbyte ? (*mb_ptr2len)(str) : 1);
+ if (fuzzy_match_recursive(fuzpat, next_char, strIdx + 1,
+ &recursiveScore, strBegin, strLen, matches,
+ recursiveMatches,
+@@ -4506,8 +4503,8 @@ fuzzy_match_recursive(
+ * Uses char_u for match indices. Therefore patterns are limited to
+ * MAX_FUZZY_MATCHES characters.
+ *
+- * Returns TRUE if 'pat_arg' matches 'str'. Also returns the match score in
+- * 'outScore' and the matching character positions in 'matches'.
++ * Returns TRUE if "pat_arg" matches "str". Also returns the match score in
++ * "outScore" and the matching character positions in "matches".
+ */
+ int
+ fuzzy_match(
+diff --git a/src/testdir/test_matchfuzzy.vim b/src/testdir/test_matchfuzzy.vim
+index 502d136..43eca8f 100644
+--- a/src/testdir/test_matchfuzzy.vim
++++ b/src/testdir/test_matchfuzzy.vim
+@@ -2,6 +2,7 @@
+
+ source shared.vim
+ source check.vim
++source term_util.vim
+
+ " Test for matchfuzzy()
+ func Test_matchfuzzy()
+@@ -253,4 +254,30 @@ func Test_matchfuzzy_limit()
+ call assert_equal([{'id': 5, 'val': 'crayon'}], l->matchfuzzy('c', #{key: 'val', limit: 1}))
+ endfunc
+
++" This was using uninitialized memory
++func Test_matchfuzzy_initialized()
++ CheckRunVimInTerminal
++
++ " This can take a very long time (esp. when using valgrind). Run in a
++ " separate Vim instance and kill it after two seconds. We only check for
++ " memory errors.
++ let lines =<< trim END
++ lvimgrep [ss [fg*
++ END
++ call writefile(lines, 'XTest_matchfuzzy', 'D')
++
++ let buf = RunVimInTerminal('-u NONE -X -Z', {})
++ call term_sendkeys(buf, ":source XTest_matchfuzzy\n")
++ call TermWait(buf, 2000)
++
++ let job = term_getjob(buf)
++ if job_status(job) == "run"
++ call job_stop(job, "int")
++ call TermWait(buf, 50)
++ endif
++
++ " clean up
++ call StopVimInTerminal(buf)
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index c93499c..0e83a6f 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -695,6 +695,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1499,
+ /**/
+ 1378,
+ /**/
diff -Nru vim-9.0.1378/debian/patches/series vim-9.0.1378/debian/patches/series
--- vim-9.0.1378/debian/patches/series 2023-03-04 14:41:33.000000000 -0500
+++ vim-9.0.1378/debian/patches/series 2023-05-04 06:24:44.000000000 -0400
@@ -2,3 +2,5 @@
debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
+patch-9.0.1499-using-uninitialized-memory-with-fuzzy-matc.patch
+Fix-GH-267-where-indent-after-a-sub-would-not-work.patch
Reply to: