
Commit 17f1826

[AUTO-CHERRYPICK] Patch vim for CVE-2025-26603 & CVE-2025-1215 [Medium] - branch main (#12584)
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
1 parent 35d7618 commit 17f1826

3 files changed

Lines changed: 150 additions & 1 deletion


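--- a/SPECS/vim/CVE-2025-1215.patch
+++ b/SPECS/vim/CVE-2025-1215.patch
@@ -0,0 +1,117 @@
+From 551f761329a71fa4e55582b09714411adc6b6bb9 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Sat, 22 Feb 2025 21:56:18 +0000
+Subject: [PATCH] CVE-2025-1215
+
+---
+src/main.c | 21 +++++++++++++++++----
+src/message_test.c | 3 ++-
+src/proto/main.pro | 3 ++-
+src/testdir/test_startup.vim | 7 +++++++
+4 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index e5faaa7..223f4cc 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -144,6 +144,11 @@ main
+atexit(vim_mem_profile_dump);
+#endif
+
++ /*
++ * Various initialisations #1 shared with tests.
++ */
++ common_init_1();
++
+#if defined(STARTUPTIME) || defined(FEAT_JOB_CHANNEL)
+// Need to find "--startuptime" and "--log" before actually parsing
+// arguments.
+@@ -185,9 +190,9 @@ main
+#endif
+
+/*
+- * Various initialisations shared with tests.
++ * Various initialisations #2 shared with tests.
+*/
+- common_init(&params);
++ common_init_2(&params);
+
+#ifdef VIMDLL
+// Check if the current executable file is for the GUI subsystem.
+@@ -900,10 +905,10 @@ vim_main2(void)
+}
+
+/*
+- * Initialisation shared by main() and some tests.
++ * Initialisation #1 shared by main() and some tests.
+*/
+void
+-common_init(mparm_T *paramp)
++common_init_1(void)
+{
+estack_init();
+cmdline_init();
+@@ -925,7 +930,15 @@ common_init(mparm_T *paramp)
+|| (NameBuff = alloc(MAXPATHL)) == NULL)
+mch_exit(0);
+TIME_MSG("Allocated generic buffers");
++}
++
+
++/*
++ * Initialisation #2 shared by main() and some tests.
++ */
++ void
++common_init_2(mparm_T *paramp)
++{
+#ifdef NBDEBUG
+// Wait a moment for debugging NetBeans. Must be after allocating
+// NameBuff.
+diff --git a/src/message_test.c b/src/message_test.c
+index 62f7772..83767ec 100644
+--- a/src/message_test.c
++++ b/src/message_test.c
+@@ -508,7 +508,8 @@ main(int argc, char **argv)
+CLEAR_FIELD(params);
+params.argc = argc;
+params.argv = argv;
+- common_init(&params);
++ common_init_1();
++ common_init_2(&params);
+
+set_option_value_give_err((char_u *)"encoding", 0, (char_u *)"utf-8", 0);
+init_chartab();
+diff --git a/src/proto/main.pro b/src/proto/main.pro
+index 496fe66..7e4c508 100644
+--- a/src/proto/main.pro
++++ b/src/proto/main.pro
+@@ -1,6 +1,7 @@
+/* main.c */
+int vim_main2(void);
+-void common_init(mparm_T *paramp);
++void common_init_1(void);
++void common_init_2(mparm_T *paramp);
+int is_not_a_term(void);
+int is_not_a_term_or_gui(void);
+void free_vbuf(void);
+diff --git a/src/testdir/test_startup.vim b/src/testdir/test_startup.vim
+index 7c70391..c16e4ae 100644
+--- a/src/testdir/test_startup.vim
++++ b/src/testdir/test_startup.vim
+@@ -740,6 +740,13 @@ func Test_log()
+call delete('Xlogfile')
+endfunc
+
++func Test_log_nonexistent()
++ " this used to crash Vim
++ CheckFeature channel
++ let result = join(systemlist(GetVimCommand() .. ' --log /X/Xlogfile -c qa!'))
++ call assert_match("E484: Can't open file", result)
++endfunc
++
+func Test_read_stdin()
+let after =<< trim [CODE]
+write Xtestout
+--
+2.45.2
+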
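Review bot: The header of this backport patch names no upstream commit, unlike the sibling CVE-2025-26603.patch, so the split of `common_init()` into `common_init_1()` and `common_init_2()` cannot be checked against the upstream vim change it is presumably taken from. Add a line such as `Upstream Reference : <upstream vim commit URL>` (placeholder) after the `Subject:` line. The description could also say why `common_init_1()` has to run before the `--startuptime`/`--log` scan in `main()`; from the hunks it appears to be the allocation of the generic buffers such as `NameBuff`, which the new `Test_log_nonexistent` case implies were reached before being allocated. Both functions start or end outside the visible hunks, so which initialisations moved is only partly visible here.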

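--- a/SPECS/vim/CVE-2025-26603.patch
+++ b/SPECS/vim/CVE-2025-26603.patch
@@ -0,0 +1,27 @@
+From c3e55ce51cef3a3292b2431bf6f5a9026eb410a7 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Sat, 22 Feb 2025 21:53:16 +0000
+Subject: [PATCH] CVE-2025-26603
+
+Upstream Reference : https://github.com/vim/vim/commit/c0f0e2380e5954f4a52a131bf6b8
+---
+src/register.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index 47ed218..26fbc27 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -2356,7 +2356,8 @@ ex_display(exarg_T *eap)
+
+#ifdef FEAT_EVAL
+if (name == MB_TOLOWER(redir_reg)
+- || (redir_reg == '"' && yb == y_previous))
++ || (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
++ (yb == y_previous || yb == &y_regs[0])))
+continue; // do not list register being written to, the
+// pointer can be freed
+#endif
+--
+2.45.2
+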
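Review bot: The diffstat in this patch lists only `src/register.c`, so the widened guard in `ex_display()` ships without a regression test, whereas the CVE-2025-1215 patch in the same commit carries one. If the referenced upstream commit includes a test, carry it in the backport so that a later rebase which drops or alters the `yb == &y_regs[0]` condition is caught. The `Upstream Reference` hash is also abbreviated to 28 hex digits; the full 40-digit hash would make the link unambiguous. `ex_display()` starts and ends outside the hunk, so the loop this `continue` belongs to is not visible here.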

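--- a/SPECS/vim/vim.spec
+++ b/SPECS/vim/vim.spec
@@ -2,7 +2,7 @@
 Summary: Text editor
 Name: vim
 Version: 9.1.0791
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Vim
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -11,6 +11,8 @@ URL: https://www.vim.org
 Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0: CVE-2025-22134.patch
 Patch1: CVE-2025-24014.patch
+Patch2: CVE-2025-26603.patch
+Patch3: CVE-2025-1215.patch
 
 BuildRequires: ncurses-devel
 BuildRequires: python3-devel
@@ -201,6 +203,9 @@ fi
 %{_bindir}/vimdiff
 
 %changelog
+* Sun Feb 23 2025 Kanishk Bansal <kanbansal@microsoft.com> - 9.1.0791-4
+- Patch CVE-2025-26603 & CVE-2025-1215
+
 * Thu Jan 23 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 9.1.0791-3
 - Patch to fix CVE-2025-24014.
 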
