From: Christian Brabandt Date: Thu, 18 Jun 2026 18:41:16 +0000 (+0000) Subject: patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files X-Git-Tag: v9.2.0671^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c8777cec25dcfae89c42e9aff51af61f71c5745f;p=thirdparty%2Fvim.git patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files Problem: [security]: possible out-of-bounds read with sodium encrypted files (cipher-creator) Solution: Verify that there is enough space before calling crypto_secretstream_xchacha20poly1305_init_pull() Github Security Advisory: https://github.com/vim/vim/security/advisories/GHSA-c4j9-wr9j-4486 Supported by AI Signed-off-by: Christian Brabandt
---
diff --git a/src/crypt.c b/src/crypt.c
index 2fade5db9d..879ecbf6ce 100644
--- a/src/crypt.c
+++ b/src/crypt.c
@@ -1262,7 +1262,8 @@ crypt_sodium_buffer_decode(

 if (sod_st->count == 0)
 {
- if (crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state,
+ if (len < crypto_secretstream_xchacha20poly1305_HEADERBYTES ||
+ crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state,
 from, sod_st->key) != 0)
 {
 emsg(_(e_libsodium_decryption_failed_header_incomplete));
diff --git a/src/testdir/test_crypt.vim b/src/testdir/test_crypt.vim
index d540fbbd62..5c9dfe3baf 100644
--- a/src/testdir/test_crypt.vim
+++ b/src/testdir/test_crypt.vim
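Review bot: The new length guard in crypt_sodium_buffer_decode() (src/crypt.c) carries no comment explaining why it has to sit in front of crypto_secretstream_xchacha20poly1305_init_pull(). That call takes no length argument and reads a full HEADERBYTES from `from`, so the short-circuit order of the `||` is the whole fix and is easy to undo in a later refactor. I would add above the condition: `// init_pull() has no length parameter and always reads HEADERBYTES from "from", so len must be checked first.` The function body continues outside the hunk; the test comment in this commit speaks of the body length underflowing, which suggests a later subtraction of the header size from `len` also relies on this guard, and the comment could say so once that is confirmed against the full function.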
@@ -491,4 +491,28 @@ func Test_crypt_off_by_one()
 bwipe!
 endfunc

+func Test_crypt_sodium_short_body()
+ CheckFeature sodium
+ " A VimCrypt~04! file with a complete 36-byte header (12 magic + 16 salt +
+ " 8 seed) but a body shorter than one secretstream header (24 bytes) used to
+ " underflow the body length and crash with a wild out-of-bounds read in
+ " crypto_secretstream_xchacha20poly1305_pull(). It must now fail cleanly.
+ " Bytes: "VimCrypt~04!" + 16 salt + 8 seed + 8-byte body = 44 bytes.
+ call writefile(0z56696D43727970747E303421
+ \ + 0zA0A1A2A3A4A5A6A7A8A9AAABACADAEAF
+ \ + 0zB0B1B2B3B4B5B6B7
+ \ + 0z0000000000000000, 'Xtest_sodium_short')
+
+ let v:errmsg = ''
+ try
+ call feedkeys(":split Xtest_sodium_short\foobar\", "xt")
+ catch /^Vim\%((\S\+)\)\=:E1198:/
+ " no-op
+ endtry
+
+ bwipe!
+ call delete('Xtest_sodium_short')
+ set key=
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 7d1c8885b6..ba2f392d18 100644
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =

 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 671,
 /**/
 670,
 /**/
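Review bot: Test_crypt_sodium_short_body() in src/testdir/test_crypt.vim asserts nothing: `v:errmsg` is cleared, E1198 is swallowed by the `catch`, and no line checks that the short file was actually rejected. As written the test passes whether decryption fails cleanly or silently succeeds, so it only catches a regression when the out-of-bounds read happens to crash the process or the suite runs under a memory checker. After `endtry` I would pin the expected outcome, for example `call assert_match('E1198', v:errmsg)` if the error is reported through v:errmsg, or a flag set inside the `catch` block and asserted afterwards if it arrives as an exception; the hunk alone does not show which path applies. The comment could also state that the test depends on a sanitizer or valgrind run to detect the read itself.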