From c7efa41e7fed263413d5f55d5ed5d17e874623a3 Mon Sep 17 00:00:00 2001
From: Anuj Mittal
Date: Fri, 26 Jul 2019 12:47:24 +0800
Subject: vim: fix CVE-2019-12735
Signed-off-by: Anuj Mittal
Signed-off-by: Richard Purdie
---
 .../recipes-support/vim/files/CVE-2019-12735.patch | 64 ++++++++++++++++++++++
 meta/recipes-support/vim/vim_8.1.1017.bb | 1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2019-12735.patch
diff --git a/meta/recipes-support/vim/files/CVE-2019-12735.patch b/meta/recipes-support/vim/files/CVE-2019-12735.patch
new file mode 100644
index 0000000000..d8afa1867b
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2019-12735.patch
@@ -0,0 +1,64 @@
+From e8197acdd091881fdbf9ed6ca8318f3c96465f0a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 22 May 2019 22:38:25 +0200
+Subject: [PATCH] patch 8.1.1365: source command doesn't check for the sandbox
+
+Problem: Source command doesn't check for the sandbox. (Armin Razmjou)
+Solution: Check for the sandbox when sourcing a file.
+
+Upstream-Status: Backport
+CVE: CVE-2019-12735
+Signed-off-by: Anuj Mittal
+---
+ src/getchar.c | 6 ++++++
+ src/testdir/test_source.vim | 9 +++++++++
+ src/version.c | 2 ++
+ 3 files changed, 17 insertions(+)
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 0e9942b..475f644 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -1407,6 +1407,12 @@ openscript(
+ emsg(_(e_nesting));
+ return;
+ }
++
++ // Disallow sourcing a file in the sandbox, the commands would be executed
++ // later, possibly outside of the sandbox.
++ if (check_secure())
++ return;
++
+ #ifdef FEAT_EVAL
+ if (ignore_script)
+ /* Not reading from script, also don't open one. Warning message? */
+diff --git a/src/testdir/test_source.vim b/src/testdir/test_source.vim
+index a33d286..5166baf 100644
+--- a/src/testdir/test_source.vim
++++ b/src/testdir/test_source.vim
+@@ -36,3 +36,12 @@ func Test_source_cmd()
+ au! SourcePre
+ au! SourcePost
+ endfunc
++
++func Test_source_sandbox()
++ new
++ call writefile(["Ohello\"], 'Xsourcehello')
++ source! Xsourcehello | echo
++ call assert_equal('hello', getline(1))
++ call assert_fails('sandbox source! Xsourcehello', 'E48:')
++ bwipe!
++endfunc
+diff --git a/src/version.c b/src/version.c
+index a49f6fb..e4f74be 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -780,6 +780,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 1365,
++/**/
+ 1017,
+ /**/
+ 1016,
diff --git a/meta/recipes-support/vim/vim_8.1.1017.bb b/meta/recipes-support/vim/vim_8.1.1017.bb
index 7627d2844b..e161e12eed 100644
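Review bot: The `Upstream-Status: Backport` line in the new patch file's header names no upstream commit, so the backport cannot be checked against its origin from this file alone; give the reference in the bracketed form, e.g. `Upstream-Status: Backport [<upstream commit URL>]`. The guard `if (check_secure()) return;` is added only in `openscript()`, whose body starts and ends outside the inner hunk, and the added test exercises only `:sandbox source!`. Whether other sandboxed paths can queue commands for later execution cannot be judged from these lines, so confirm against upstream that no follow-up hardening for this CVE is missing on this branch. As rendered here the test line `call writefile(["Ohello\"], 'Xsourcehello')` has an unterminated string, which looks like a key notation lost in rendering; compare the file in the tree with upstream before merging.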
--- a/meta/recipes-support/vim/vim_8.1.1017.bb
+++ b/meta/recipes-support/vim/vim_8.1.1017.bb
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/vim/vim.git \
 file://disable_acl_header_check.patch;patchdir=.. \
 file://vim-add-knob-whether-elf.h-are-checked.patch;patchdir=.. \
 file://0001-src-Makefile-improve-reproducibility.patch;patchdir=.. \
+ file://CVE-2019-12735.patch;patchdir=.. \
 "
 SRCREV = "493fbe4abee660d30b4f2aef87b754b0a720213c"
-- cgit 1.2.3-korg