Mercurial > vim
view uninstall.txt @ 33811:06219b3bdaf3 v9.0.2121
patch 9.0.2121: [security]: use-after-free in ex_substitute
Commit: https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb
Author: Christian Brabandt <cb@256bit.org>
Date: Wed Nov 22 21:26:41 2023 +0100
patch 9.0.2121: [security]: use-after-free in ex_substitute
Problem: [security]: use-after-free in ex_substitute
Solution: always allocate memory
closes: #13552
A recursive :substitute command could cause a heap-use-after free in Vim
(CVE-2023-48706).
The whole reproducible test is a bit tricky, I can only reproduce this
reliably when no previous substitution command has been used yet
(which is the reason, the test needs to run as first one in the
test_substitute.vim file) and as a combination of the `:~` command
together with a :s command that contains the special substitution atom `~\=`
which will make use of a sub-replace special atom and calls a vim script
function.
There was a comment in the existing :s code, that already makes the
`sub` variable allocate memory so that a recursive :s call won't be able
to cause any issues here, so this was known as a potential problem
already. But for the current test-case that one does not work, because
the substitution does not start with `\=` but with `~\=` (and since
there does not yet exist a previous substitution atom, Vim will simply
increment the `sub` pointer (which then was not allocated dynamically)
and later one happily use a sub-replace special expression (which could
then free the `sub` var).
The following commit fixes this, by making the sub var always using
allocated memory, which also means we need to free the pointer whenever
we leave the function. Since sub is now always an allocated variable,
we also do no longer need the sub_copy variable anymore, since this one
was used to indicated when sub pointed to allocated memory (and had
therefore to be freed on exit) and when not.
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Wed, 22 Nov 2023 22:15:05 +0100 |
| parents | 645722244c3f |
| children |
line wrap: on
line source
Uninstalling Vim on MS-Windows. There are three ways to remove Vim: 1. With the GUI uninstaller. This is only available when Vim was installed with the self-installing executable. This has a minimal number of questions. It can delete everything that was installed. 2. With uninstall.exe. This removes most installed items, but does not delete the files you unpacked. 3. By hand. This is a bit more work, but you can decide exactly what you want to remove. For uninstalling the "Edit with Vim" popup menu entry you still have to use uninstall.exe. It's recommended to use the method that matches with how you installed Vim. Thus if you installed Vim by hand, delete it by hand. The first two methods should be available from the Add/Remove software window and the Vim entry in the Start menu. If these have been removed already, find "uninstall-gui.exe" or "uninstall.exe" in the Vim directory. Running these programs should be self-explanatory. Carefully read the messages to avoid deleting something you want to keep. Here are guidelines for removing Vim by hand: 1. Remove the "Edit with Vim" popup menu entry, if it exists. This is done by running the uninstall.exe program. It removes the registry entries for the "Edit with Vim" popup menu entry. You only need to run uninstall.exe when you have installed the menu entry. You can also run uninstall.exe from the Control panel with the Add/Remove programs application. Note that uninstall.exe offers you the option to uninstall other items. You can skip this. 2. Only if you have used the OLE version of gvim: Remove the registration of this program by running "gvim -unregister" in a console window. 3. Delete the executables. If you copied the executables to another location, you will have to delete them from where you copied them to. If you don't remember where they are, look in the directories from the $PATH environment variable. If you created .bat files when installing Vim, also search for vim.bat, gvim.bat, etc. 4. If you want to completely delete vim, and are not going to install another version, you can delete the vimrc files that you created. These are normally located in a directory like "C:\vim". If the $VIM environment variable is set, it will tell the name of the directory. Normally you can delete everything in this directory. Warning: You might have put some files there that you would like to save. If you did remove it all, you can skip the next step. 5. Delete the distributed files. If you followed the directions, these will be located in a directory like "C:\vim\vim81". If the $VIM environment variable is set, the directory will be $VIM\vim81. Delete the "vim81" directory and all that is in it. Warning: If you changed any of the distributed files, or added some of your own files, you might want to save these first. But normally you would not have changed or added files here. 6. Remove setting the $VIM and $VIMRUNTIME environment variable and adjust $PATH. $VIM only needs to be removed if you are not going to install another version of Vim. $VIMRUNTIME is mostly not set. Check if $PATH contains the path of the vim directory. Note that $PATH may be set in several places, you will have to find the right one, and only delete the Vim path from it. You might need to use the "System Properties" editor to change the environment variables. You can start it by selecting Start/Settings/Control Panel and then "System". 7. If you added a Vim entry in the start menu, delete it. 8. If you created icons for Vim on the desktop, delete them. Vim does not use .ini files. The above should remove all Vim files, except the ones that you moved elsewhere yourself.