patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files
Commit: https://github.com/vim/vim/commit/c8777cec25dcfae89c42e9aff51af61f71c5745f Author: Christian Brabandt <[email protected]> Date: Thu Jun 18 18:41:16 2026 +0000 patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files Problem: [security]: possible out-of-bounds read with sodium encrypted files (cipher-creator) Solution: Verify that there is enough space before calling crypto_secretstream_xchacha20poly1305_init_pull() Github Security Advisory: https://github.com/vim/vim/security/advisories/GHSA-c4j9-wr9j-4486 Supported by AI Signed-off-by: Christian Brabandt <[email protected]> diff --git a/src/crypt.c b/src/crypt.c index 2fade5db9..879ecbf6c 100644 --- a/src/crypt.c +++ b/src/crypt.c @@ -1262,7 +1262,8 @@ crypt_sodium_buffer_decode( if (sod_st->count == 0) { - if (crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state, + if (len < crypto_secretstream_xchacha20poly1305_HEADERBYTES || + crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state, from, sod_st->key) != 0) { emsg(_(e_libsodium_decryption_failed_header_incomplete)); diff --git a/src/testdir/test_crypt.vim b/src/testdir/test_crypt.vim index d540fbbd6..5c9dfe3ba 100644 --- a/src/testdir/test_crypt.vim +++ b/src/testdir/test_crypt.vim 
@@ -491,4 +491,28 @@ func Test_crypt_off_by_one() bwipe! endfunc +func Test_crypt_sodium_short_body() + CheckFeature sodium + " A VimCrypt~04! file with a complete 36-byte header (12 magic + 16 salt + + " 8 seed) but a body shorter than one secretstream header (24 bytes) used to + " underflow the body length and crash with a wild out-of-bounds read in + " crypto_secretstream_xchacha20poly1305_pull(). It must now fail cleanly. + " Bytes: "VimCrypt~04!" + 16 salt + 8 seed + 8-byte body = 44 bytes. + call writefile(0z56696D43727970747E303421 + \ + 0zA0A1A2A3A4A5A6A7A8A9AAABACADAEAF + \ + 0zB0B1B2B3B4B5B6B7 + \ + 0z0000000000000000, 'Xtest_sodium_short') + + let v:errmsg = '' + try + call feedkeys(":split Xtest_sodium_short\<CR>foobar\<CR>", "xt") + catch /^Vim\%((\S\+)\)\=:E1198:/ + " no-op + endtry + + bwipe! + call delete('Xtest_sodium_short') + set key= +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 7d1c8885b..ba2f392d1 100644 --- a/src/version.c +++ b/src/version.c @@ -759,6 +759,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 671, /**/ 670, /**/
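Review bot: the new `len < crypto_secretstream_xchacha20poly1305_HEADERBYTES` condition in the src/crypt.c hunk (crypt_sodium_buffer_decode) has no comment explaining why it is needed. crypto_secretstream_xchacha20poly1305_init_pull() takes the header pointer without a length argument and reads a full header from `from`, so a one-line comment above the `if` stating that the caller must guarantee HEADERBYTES bytes would protect the check from being removed in a later cleanup. The hunk does not show the rest of the error branch; since the test comment describes the original failure as an underflow of the body length, it is worth confirming that this branch returns before the header size is subtracted from `len`.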
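Review bot: Test_crypt_sodium_short_body in the src/testdir/test_crypt.vim hunk contains no assertion, so it passes whether or not the short file is rejected. `let v:errmsg = ''` is set but never read afterwards, and the `catch /^Vim\%((\S\+)\)\=:E1198:/` arm is a no-op, which means the test only demonstrates the absence of a crash. Checking `v:errmsg` after the `endtry` for the E1198 the catch expects (or otherwise asserting that the error was raised) would make the test fail if the length check regresses into silently accepting the file. Wrapping the cleanup (`bwipe!`, `delete()`, `set key=`) in a `finally` would also keep `key` from leaking into later tests if an unexpected error is thrown.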
