[AUTO-CHERRYPICK] Patch vim for CVE-2025-26603 & CVE-2025-1215 [Medium] - branch main (#12584)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/vim/CVE-2025-1215.patch

@@ -0,0 +1,117 @@
+From 551f761329a71fa4e55582b09714411adc6b6bb9 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Sat, 22 Feb 2025 21:56:18 +0000
+Subject: [PATCH] CVE-2025-1215
+
+---
+ src/main.c                   | 21 +++++++++++++++++----
+ src/message_test.c           |  3 ++-
+ src/proto/main.pro           |  3 ++-
+ src/testdir/test_startup.vim |  7 +++++++
+ 4 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index e5faaa7..223f4cc 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -144,6 +144,11 @@ main
+     atexit(vim_mem_profile_dump);
+ #endif
+ 
++    /*
++     * Various initialisations #1 shared with tests.
++     */
++    common_init_1();
++
+ #if defined(STARTUPTIME) || defined(FEAT_JOB_CHANNEL)
+     // Need to find "--startuptime" and "--log" before actually parsing
+     // arguments.
+@@ -185,9 +190,9 @@ main
+ #endif
+ 
+     /*
+-     * Various initialisations shared with tests.
++     * Various initialisations #2 shared with tests.
+      */
+-    common_init(&params);
++    common_init_2(&params);
+ 
+ #ifdef VIMDLL
+     // Check if the current executable file is for the GUI subsystem.
+@@ -900,10 +905,10 @@ vim_main2(void)
+ }
+ 
+ /*
+- * Initialisation shared by main() and some tests.
++ * Initialisation #1 shared by main() and some tests.
+  */
+     void
+-common_init(mparm_T *paramp)
++common_init_1(void)
+ {
+     estack_init();
+     cmdline_init();
+@@ -925,7 +930,15 @@ common_init(mparm_T *paramp)
+ 	    || (NameBuff = alloc(MAXPATHL)) == NULL)
+ 	mch_exit(0);
+     TIME_MSG("Allocated generic buffers");
++}
++
+ 
++/*
++ * Initialisation #2 shared by main() and some tests.
++ */
++    void
++common_init_2(mparm_T *paramp)
++{
+ #ifdef NBDEBUG
+     // Wait a moment for debugging NetBeans.  Must be after allocating
+     // NameBuff.
+diff --git a/src/message_test.c b/src/message_test.c
+index 62f7772..83767ec 100644
+--- a/src/message_test.c
++++ b/src/message_test.c
+@@ -508,7 +508,8 @@ main(int argc, char **argv)
+     CLEAR_FIELD(params);
+     params.argc = argc;
+     params.argv = argv;
+-    common_init(&params);
++    common_init_1();
++    common_init_2(&params);
+ 
+     set_option_value_give_err((char_u *)"encoding", 0, (char_u *)"utf-8", 0);
+     init_chartab();
+diff --git a/src/proto/main.pro b/src/proto/main.pro
+index 496fe66..7e4c508 100644
+--- a/src/proto/main.pro
++++ b/src/proto/main.pro
+@@ -1,6 +1,7 @@
+ /* main.c */
+ int vim_main2(void);
+-void common_init(mparm_T *paramp);
++void common_init_1(void);
++void common_init_2(mparm_T *paramp);
+ int is_not_a_term(void);
+ int is_not_a_term_or_gui(void);
+ void free_vbuf(void);
+diff --git a/src/testdir/test_startup.vim b/src/testdir/test_startup.vim
+index 7c70391..c16e4ae 100644
+--- a/src/testdir/test_startup.vim
++++ b/src/testdir/test_startup.vim
+@@ -740,6 +740,13 @@ func Test_log()
+   call delete('Xlogfile')
+ endfunc
+ 
++func Test_log_nonexistent()
++  " this used to crash Vim
++  CheckFeature channel
++  let result = join(systemlist(GetVimCommand() .. ' --log /X/Xlogfile -c qa!'))
++  call assert_match("E484: Can't open file", result)
++endfunc
++
+ func Test_read_stdin()
+   let after =<< trim [CODE]
+     write Xtestout
+-- 
+2.45.2
+

SPECS/vim/CVE-2025-26603.patch

@@ -0,0 +1,27 @@
+From c3e55ce51cef3a3292b2431bf6f5a9026eb410a7 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Sat, 22 Feb 2025 21:53:16 +0000
+Subject: [PATCH] CVE-2025-26603
+
+Upstream Reference : https://github.com/vim/vim/commit/c0f0e2380e5954f4a52a131bf6b8
+---
+ src/register.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index 47ed218..26fbc27 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -2356,7 +2356,8 @@ ex_display(exarg_T *eap)
+ 
+ #ifdef FEAT_EVAL
+ 	if (name == MB_TOLOWER(redir_reg)
+-		|| (redir_reg == '"' && yb == y_previous))
++		|| (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
++		    (yb == y_previous || yb == &y_regs[0])))
+ 	    continue;	    // do not list register being written to, the
+ 			    // pointer can be freed
+ #endif
+-- 
+2.45.2
+

SPECS/vim/vim.spec

@@ -2,7 +2,7 @@
 Summary:        Text editor
 Name:           vim
 Version:        9.1.0791
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        Vim
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,6 +11,8 @@ URL:            https://www.vim.org
 Source0:        https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         CVE-2025-22134.patch
 Patch1:         CVE-2025-24014.patch
+Patch2:         CVE-2025-26603.patch
+Patch3:         CVE-2025-1215.patch
 
 BuildRequires:  ncurses-devel
 BuildRequires:  python3-devel
@@ -201,6 +203,9 @@ fi
 %{_bindir}/vimdiff
 
 %changelog
+* Sun Feb 23 2025 Kanishk Bansal <kanbansal@microsoft.com> - 9.1.0791-4
+- Patch CVE-2025-26603 & CVE-2025-1215
+
 * Thu Jan 23 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 9.1.0791-3
 - Patch to fix CVE-2025-24014.