Import Debian changes 2:8.2.3995-1ubuntu2.16

vim (2:8.2.3995-1ubuntu2.16) jammy-security; urgency=medium

  * SECURITY UPDATE: stack based buffer overflow
    - debian/patches/CVE-2024-22667.patch: passes error buffer length down
      through option callback functions.
    - debian/patches/remove-flaky-matchfuzzy-test.patch: removing flaky test
      initially introduced in d/p/CVE-2023-2426.patch due to long run time
      causing the test and builds to fail.
    - CVE-2024-22667

debian/changelog

@@ -1,3 +1,15 @@
+vim (2:8.2.3995-1ubuntu2.16) jammy-security; urgency=medium
+
+  * SECURITY UPDATE: stack based buffer overflow
+    - debian/patches/CVE-2024-22667.patch: passes error buffer length down
+      through option callback functions.
+    - debian/patches/remove-flaky-matchfuzzy-test.patch: removing flaky test
+      initially introduced in d/p/CVE-2023-2426.patch due to long run time
+      causing the test and builds to fail.
+    - CVE-2024-22667
+
+ -- Ian Constantin <ian.constantin@canonical.com>  Thu, 14 Mar 2024 11:05:11 +0200
+
 vim (2:8.2.3995-1ubuntu2.15) jammy-security; urgency=medium
 
   * SECURITY UPDATE: NULL pointer dereference

debian/patches/CVE-2024-22667.patch

@@ -0,0 +1,202 @@
+Backport of:
+
+---
+
+From b39b240c386a5a29241415541f1c99e2e6b8ce47 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 29 Nov 2023 11:34:05 +0100
+Subject: [PATCH] patch 9.0.2142: [security]: stack-buffer-overflow in option
+ callback functions
+
+Problem:  [security]: stack-buffer-overflow in option callback functions
+Solution: pass size of errbuf down the call stack, use snprintf()
+          instead of sprintf()
+
+We pass the error buffer down to the option callback functions, but in
+some parts of the code, we simply use sprintf(buf) to write into the error
+buffer, which can overflow.
+
+So let's pass down the length of the error buffer and use sprintf(buf, size)
+instead.
+
+Reported by @henices, thanks!
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+---
+
+ src/map.c                             |  2 +-
+ src/option.c                          | 14 ++++---
+ src/option.h                          |  2 +
+ src/optionstr.c                       | 59 +++++++++++++++++----------
+ src/proto/optionstr.pro               |  4 +-
+ src/structs.h                         |  2 +
+ src/testdir/crash/poc_did_set_langmap |  1 +
+ src/testdir/test_crash.vim            |  8 ++++
+ src/version.c                         |  2 +
+ 9 files changed, 63 insertions(+), 31 deletions(-)
+ create mode 100644 src/testdir/crash/poc_did_set_langmap
+
+Index: vim-8.2.3995/src/option.c
+===================================================================
+--- vim-8.2.3995.orig/src/option.c
++++ vim-8.2.3995/src/option.c
+@@ -1235,7 +1235,7 @@ do_set(
+     char_u	*arg = arg_start;
+     int		opt_idx;
+     char	*errmsg;
+-    char	errbuf[80];
++    char	errbuf[ERR_BUFLEN];
+     char_u	*startarg;
+     int		prefix;	// 1: nothing, 0: "no", 2: "inv" in front of name
+     int		nextchar;	    // next non-white char after option name
+@@ -1699,7 +1699,7 @@ do_set(
+ 			if (removing)
+ 			    value = *(long *)varp - value;
+ 			errmsg = set_num_option(opt_idx, varp, value,
+-					   errbuf, sizeof(errbuf), opt_flags);
++					   errbuf, ERR_BUFLEN, opt_flags);
+ 		    }
+ 		    else if (opt_idx >= 0)		    // string
+ 		    {
+@@ -2113,7 +2113,7 @@ do_set(
+ 			    errmsg = did_set_string_option(
+ 				    opt_idx, (char_u **)varp,
+ 				    new_value_alloced, oldval, errbuf,
+-				    opt_flags, &value_checked);
++				    ERR_BUFLEN, opt_flags, &value_checked);
+
+ 			    secure = secure_saved;
+ 			}
+Index: vim-8.2.3995/src/option.h
+===================================================================
+--- vim-8.2.3995.orig/src/option.h
++++ vim-8.2.3995/src/option.h
+@@ -1329,4 +1329,6 @@ enum
+ // Value for b_p_ul indicating the global value must be used.
+ #define NO_LOCAL_UNDOLEVEL -123456
+
++#define ERR_BUFLEN 80
++
+ #endif // _OPTION_H_
+Index: vim-8.2.3995/src/optionstr.c
+===================================================================
+--- vim-8.2.3995.orig/src/optionstr.c
++++ vim-8.2.3995/src/optionstr.c
+@@ -189,11 +189,12 @@ trigger_optionsset_string(
+ #endif
+
+     static char *
+-illegal_char(char *errbuf, int c)
++illegal_char(char *errbuf, int errbuflen, int c)
+ {
+     if (errbuf == NULL)
+ 	return "";
+-    sprintf((char *)errbuf, _(e_illegal_character_str), (char *)transchar(c));
++    snprintf((char *)errbuf, errbuflen, _(e_illegal_character_str),
++		    (char *)transchar(c));
+     return errbuf;
+ }
+
+@@ -540,7 +541,7 @@ set_string_option(
+ 	}
+ #endif
+ 	if ((r = did_set_string_option(opt_idx, varp, TRUE, oldval, NULL,
+-					   opt_flags, &value_checked)) == NULL)
++					   0, opt_flags, &value_checked)) == NULL)
+ 	    did_set_option(opt_idx, opt_flags, TRUE, value_checked);
+
+ #if defined(FEAT_EVAL)
+@@ -577,7 +578,8 @@ valid_filetype(char_u *val)
+ check_stl_option(char_u *s)
+ {
+     int		groupdepth = 0;
+-    static char errbuf[80];
++    static char errbuf[ERR_BUFLEN];
++    int		errbuflen = ERR_BUFLEN;
+
+     while (*s)
+     {
+@@ -618,7 +620,7 @@ check_stl_option(char_u *s)
+ 	}
+ 	if (vim_strchr(STL_ALL, *s) == NULL)
+ 	{
+-	    return illegal_char(errbuf, *s);
++	    return illegal_char(errbuf, errbuflen, *s);
+ 	}
+ 	if (*s == '{')
+ 	{
+@@ -648,6 +650,7 @@ did_set_string_option(
+     int		new_value_alloced,	// new value was allocated
+     char_u	*oldval,		// previous value of the option
+     char	*errbuf,		// buffer for errors, or NULL
++    int		errbuflen,		// length of error buffer
+     int		opt_flags,		// OPT_LOCAL and/or OPT_GLOBAL
+     int		*value_checked)		// value was checked to be save, no
+ 					// need to set P_INSECURE
+@@ -1289,7 +1292,7 @@ ambw_end:
+ 		if (vim_strchr((char_u *)COM_ALL, *s) == NULL
+ 					     && !VIM_ISDIGIT(*s) && *s != '-')
+ 		{
+-		    errmsg = illegal_char(errbuf, *s);
++		    errmsg = illegal_char(errbuf, errbuflen, *s);
+ 		    break;
+ 		}
+ 		++s;
+@@ -1367,7 +1370,7 @@ ambw_end:
+ 	    // Check it's a valid character
+ 	    if (vim_strchr((char_u *)"!\"%'/:<@cfhnrs", *s) == NULL)
+ 	    {
+-		errmsg = illegal_char(errbuf, *s);
++		errmsg = illegal_char(errbuf, errbuflen, *s);
+ 		break;
+ 	    }
+ 	    if (*s == 'n')	// name is always last one
+@@ -1394,7 +1397,7 @@ ambw_end:
+ 		{
+ 		    if (errbuf != NULL)
+ 		    {
+-			sprintf(errbuf,
++			snprintf(errbuf, errbuflen,
+ 				_(e_missing_number_after_angle_str_angle),
+ 						    transchar_byte(*(s - 1)));
+ 			errmsg = errbuf;
+@@ -1840,7 +1843,7 @@ ambw_end:
+ 		break;
+ 	    if (vim_strchr((char_u *)".wbuksid]tU", *s) == NULL)
+ 	    {
+-		errmsg = illegal_char(errbuf, *s);
++		errmsg = illegal_char(errbuf, errbuflen, *s);
+ 		break;
+ 	    }
+ 	    if (*++s != NUL && *s != ',' && *s != ' ')
+@@ -1859,7 +1862,7 @@ ambw_end:
+ 		{
+ 		    if (errbuf != NULL)
+ 		    {
+-			sprintf((char *)errbuf,
++			snprintf((char *)errbuf, errbuflen,
+ 				       _(e_illegal_character_after_chr), *--s);
+ 			errmsg = errbuf;
+ 		    }
+@@ -2478,7 +2481,7 @@ ambw_end:
+ 	    for (s = *varp; *s; ++s)
+ 		if (vim_strchr(p, *s) == NULL)
+ 		{
+-		    errmsg = illegal_char(errbuf, *s);
++		    errmsg = illegal_char(errbuf, errbuflen, *s);
+ 		    break;
+ 		}
+ 	}
+Index: vim-8.2.3995/src/proto/optionstr.pro
+===================================================================
+--- vim-8.2.3995.orig/src/proto/optionstr.pro
++++ vim-8.2.3995/src/proto/optionstr.pro
+@@ -9,6 +9,6 @@ void set_string_option_direct(char_u *na
+ void set_string_option_direct_in_win(win_T *wp, char_u *name, int opt_idx, char_u *val, int opt_flags, int set_sid);
+ void set_string_option_direct_in_buf(buf_T *buf, char_u *name, int opt_idx, char_u *val, int opt_flags, int set_sid);
+ char *set_string_option(int opt_idx, char_u *value, int opt_flags);
+-char *did_set_string_option(int opt_idx, char_u **varp, int new_value_alloced, char_u *oldval, char *errbuf, int opt_flags, int *value_checked);
++char *did_set_string_option(int opt_idx, char_u **varp, int new_value_alloced, char_u *oldval, char *errbuf, int errbuflen, int opt_flags, int *value_checked);
+ int check_ff_value(char_u *p);
+ /* vim: set ft=c : */

debian/patches/remove-flaky-matchfuzzy-test.patch

@@ -0,0 +1,37 @@
+Description: remove flaky Test_matchfuzzy_initialized()
+Reviewed-By: ian.constantin@canonical.com
+Last-Update: 2024-03-14
+
+--- vim-8.2.3995.orig/src/testdir/test_matchfuzzy.vim
++++ vim-8.2.3995/src/testdir/test_matchfuzzy.vim
+@@ -231,30 +231,4 @@ func Test_matchfuzzypos_mbyte()
+   call assert_equal([['xффйд'], [[2, 3, 4]], [168]], matchfuzzypos(['xффйд'], 'фйд'))
+ endfunc
+
+-" This was using uninitialized memory
+-func Test_matchfuzzy_initialized()
+-  CheckRunVimInTerminal
+-
+-  " This can take a very long time (esp. when using valgrind).  Run in a
+-  " separate Vim instance and kill it after two seconds.  We only check for
+-  " memory errors.
+-  let lines =<< trim END
+-      lvimgrep [ss [fg*
+-  END
+-  call writefile(lines, 'XTest_matchfuzzy', 'D')
+-
+-  let buf = RunVimInTerminal('-u NONE -X -Z', {})
+-  call term_sendkeys(buf, ":source XTest_matchfuzzy\n")
+-  call TermWait(buf, 2000)
+-
+-  let job = term_getjob(buf)
+-  if job_status(job) == "run"
+-    call job_stop(job, "int")
+-    call TermWait(buf, 50)
+-  endif
+-
+-  " clean up
+-  call StopVimInTerminal(buf)
+-endfunc
+-
+ " vim: shiftwidth=2 sts=2 expandtab

debian/patches/series

@@ -154,3 +154,5 @@ CVE-2023-48235.patch
 CVE-2023-48236.patch
 CVE-2023-48237.patch
 CVE-2023-48706.patch
+CVE-2024-22667.patch
+remove-flaky-matchfuzzy-test.patch