fix-CVE-2024-47814

backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-of-line.patch

@@ -11,7 +11,7 @@ Solution:   Only check cursor line number.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/move.c b/src/move.c
-index 6c654ac..4123ca8 100644
+index 1d7bcfb..3760042 100644
 --- a/src/move.c
 +++ b/src/move.c
 @@ -652,7 +652,7 @@ cursor_valid(void)
@@ -24,5 +24,5 @@ index 6c654ac..4123ca8 100644
      if ((curwin->w_valid & (VALID_WCOL|VALID_WROW)) != (VALID_WCOL|VALID_WROW))
  	curs_columns(TRUE);
 -- 
-2.27.0
+2.33.0
 

backport-CVE-2022-2264.patch

@@ -12,7 +12,7 @@ Solution:   Adjust the end mark position.
  2 files changed, 14 insertions(+)
 
 diff --git a/src/register.c b/src/register.c
-index 93860ba..30e2001 100644
+index 87689f7..51c14b8 100644
 --- a/src/register.c
 +++ b/src/register.c
 @@ -1918,6 +1918,8 @@ do_put(
@@ -25,7 +25,7 @@ index 93860ba..30e2001 100644
  
  	    // may insert some spaces after the new text
 diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
-index aa5aa2b..66438bd 100644
+index 6df04cf..c8d306a 100644
 --- a/src/testdir/test_put.vim
 +++ b/src/testdir/test_put.vim
 @@ -219,5 +219,17 @@ func Test_put_empty_register()

fix-CVE-2024-47814.patch

@@ -0,0 +1,118 @@
+From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 8 Oct 2024 09:09:11 +0800
+Subject: [PATCH] fix CVE-2024-47814
+
+Problem:  [security]: use-after-free when closing a buffer
+Solution: When splitting the window and editing a new buffer,
+          check whether the newly to be edited buffer has been marked
+          for deletion and abort in this case
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+---
+ src/buffer.c                 |  7 +++++++
+ src/ex_cmds.c                | 12 ++++++++++++
+ src/proto/buffer.pro         |  1 +
+ src/testdir/test_autocmd.vim | 19 +++++++++++++++++++
+ src/version.c                |  2 ++
+ 5 files changed, 41 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 8ea57f7..1f71e38 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -470,6 +470,13 @@ can_unload_buffer(buf_T *buf)
+     return can_unload;
+ }
+ 
++    int
++buf_locked(buf_T *buf)
++{
++    return buf->b_locked || buf->b_locked_split;
++}
++
++
+ /*
+  * Close the link to a buffer.
+  * "action" is used when there is no longer a window for the buffer.
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 853df4b..92b5e9f 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -2692,6 +2692,18 @@ do_ecmd(
+ 	}
+ 	if (buf == NULL)
+ 	    goto theend;
++	// autocommands try to edit a file that is goind to be removed,
++	// abort
++	if (buf_locked(buf))
++	{
++	    // window was split, but not editing the new buffer,
++	    // reset b_nwindows again
++	    if (oldwin == NULL
++		    && curwin->w_buffer != NULL
++		    && curwin->w_buffer->b_nwindows > 1)
++		--curwin->w_buffer->b_nwindows;
++	    goto theend;
++	}
+ 	if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
+ 	    // reusing the buffer, keep the old alternate file
+ 	    curwin->w_alt_fnum = prev_alt_fnum;
+diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro
+index 094feed..031e64a 100644
+--- a/src/proto/buffer.pro
++++ b/src/proto/buffer.pro
+@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
+ void set_buflisted(int on);
+ int buf_contents_changed(buf_T *buf);
+ void wipe_buffer(buf_T *buf, int aucmd);
++int buf_locked(buf_T *buf);
+ /* vim: set ft=c : */
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index d8738c8..e251112 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -3633,4 +3633,23 @@ func Test_autocmd_split_dummy()
+   call delete('Xerr')
+ endfunc
+ 
++" This was using freed memory
++func Test_autocmd_BufWinLeave_with_vsp()
++  new
++  let fname = 'XXXBufWinLeaveUAF.txt'
++  let dummy = 'XXXDummy.txt'
++  call writefile([], fname)
++  call writefile([], dummy)
++  defer delete(fname)
++  defer delete(dummy)
++  exe "e " fname
++  vsp
++  augroup testing
++    exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
++  augroup END
++  bw
++  call CleanUpTestAuGroup()
++  exe "bw! " .. dummy
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 2de8fd2..5946644 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -735,6 +735,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    679,
+ /**/
+     678,
+ /**/
+-- 
+2.43.0
+

vim-Add-sw64-architecture.patch

@@ -0,0 +1,42 @@
+From 5c8a08bf2260585ffd0202f3506456e53b74e987 Mon Sep 17 00:00:00 2001
+From: wzx <wuzx1226@qq.com>
+Date: Thu, 24 Nov 2022 14:10:28 +0800
+Subject: [PATCH] Add sw64 architecture
+
+Add sw64 architecture in file runtime/syntax/debcontrol.vim and src/osdef1.h.in to support sw64 architecture.
+
+Signed-off-by: wzx <wuzx1226@qq.com>
+---
+ runtime/syntax/debcontrol.vim | 2 +-
+ src/osdef1.h.in               | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/runtime/syntax/debcontrol.vim b/runtime/syntax/debcontrol.vim
+index 9085cd0..5c945c4 100644
+--- a/runtime/syntax/debcontrol.vim
++++ b/runtime/syntax/debcontrol.vim
+@@ -28,7 +28,7 @@ syn match debControlSpace "[ \t]"
+ 
+ let s:kernels = ['linux', 'hurd', 'kfreebsd', 'knetbsd', 'kopensolaris', 'netbsd']
+ let s:archs = [
+-      \ 'alpha', 'amd64', 'armeb', 'armel', 'armhf', 'arm64', 'avr32', 'hppa'
++      \ 'alpha', 'sw_64', 'amd64', 'armeb', 'armel', 'armhf', 'arm64', 'avr32', 'hppa'
+       \, 'i386', 'ia64', 'lpia', 'm32r', 'm68k', 'mipsel', 'mips64el', 'mips'
+       \, 'powerpcspe', 'powerpc', 'ppc64el', 'ppc64', 'riscv64', 's390x', 's390', 'sh3eb'
+       \, 'sh3', 'sh4eb', 'sh4', 'sh', 'sparc64', 'sparc', 'x32'
+diff --git a/src/osdef1.h.in b/src/osdef1.h.in
+index 825fe94..f8c3b9d 100644
+--- a/src/osdef1.h.in
++++ b/src/osdef1.h.in
+@@ -132,7 +132,7 @@ extern char	*getcwd(char *, int);
+ #else
+ extern char	*getwd(char *);
+ #endif
+-#ifndef __alpha	/* suggested by Campbell */
++#if !defined __alpha && !defined __sw_64 /* suggested by Campbell */
+ extern int	ioctl(int, int, ...);
+ #endif
+ extern int	chmod(const char *, mode_t);
+-- 
+2.33.0
+

vim.spec

@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        26
+Release:        28
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -128,6 +128,8 @@ Patch6098:      backport-CVE-2024-43374.patch
 Patch6099:      backport-CVE-2024-43802.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
+Patch9001:      vim-Add-sw64-architecture.patch
+Patch9002:      fix-CVE-2024-47814.patch
 
 BuildRequires:  autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires:  perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@@ -414,7 +416,7 @@ touch %{buildroot}%{_datadir}/%{name}/vimfiles/doc/tags
 
 chrpath -d %{buildroot}%{_bindir}/vim
 chrpath -d %{buildroot}%{_bindir}/xxd
- 
+
 mkdir -p %{buildroot}/etc/ld.so.conf.d
 echo "%{_libdir}/perl5/CORE" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 
@@ -432,7 +434,7 @@ popd
 %check
 %if "%{_gpg_name}" == "private OBS"
 export TERM=xterm
-LC_ALL=en_US.UTF-8 make -j1 test
+LANG=en_US.UTF-8 make -j1 test
 %endif
 
 %files common
@@ -535,6 +537,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Tue Oct 08 2024 changtao <changtao@kylinos.cn> - 2:9.0-28
+- Type:CVE
+- ID:CVE-2024-47814
+- SUG:NA
+- DESC:fix CVE-2024-47814
+
 * Thu Aug 29 2024 wangjiang <app@cameyan.com> - 2:9.0-26
 - Type:CVE
 - ID:CVE-2024-43802

vim.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: vim/vim
+tag_prefix: ^v
+seperator: .