SB2022071905 - Multiple vulnerabilities in Vim
Published: July 19, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 secuirty vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2022-2343)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in ins_compl_add() function at insexpand.c:751. A remote attacker can trick the victim into opening a specially crafted data, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Heap-based buffer overflow (CVE-ID: CVE-2022-2344)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in ins_compl_add() function at insexpand.c:751. A remote attacker can trick the victim into opening a specially crafted data, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) NULL pointer dereference (CVE-ID: CVE-2022-2231)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in skipwhite() function at charset.c:1428. A remote attacker can trick the victim into opening a specially crafted file to perform a denial of service (DoS) attack.
4) Out-of-bounds read (CVE-ID: CVE-2022-2257)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in msg_outtrans_special() function at message.c:1716. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
5) Heap-based buffer overflow (CVE-ID: CVE-2022-2264)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted data, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
6) Heap-based buffer overflow (CVE-ID: CVE-2022-2284)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in utfc_ptr2len() function at mbyte.c:2113. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
7) Integer overflow (CVE-ID: CVE-2022-2285)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in del_typebuf() function at getchar.c:1204. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
8) Out-of-bounds read (CVE-ID: CVE-2022-2286)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in ins_bytes() function at change.c:968. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
9) Out-of-bounds read (CVE-ID: CVE-2022-2287)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in suggest_trie_walk() function abusing array byts in line spellsuggest.c:1925. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
10) Out-of-bounds write (CVE-ID: CVE-2022-2288)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to a boundary error in parse_command_modifiers() function at ex_docmd.c:3123. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
11) Use-after-free (CVE-ID: CVE-2022-2289)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in ex_diffgetput() function at diff.c:2790. A remote attacker can trick the victim into opening a specially crafted file and compromise vulnerable system.
12) Stack-based buffer overflow (CVE-ID: CVE-2022-2304)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in spell_dump_compl() function at spell.c:4038. A remote unauthenticated attacker can trick the victim into opening a specially crafted file to trigger stack-based buffer overflow and execute arbitrary code on the target system.
13) Use-after-free (CVE-ID: CVE-2022-2345)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in function skipwhite at charset.c:1428. A remote attacker can trick the victim to open a specially crafted file and compromise vulnerable system.
Remediation
Install update from vendor's website.
References
- https://huntr.dev/bounties/2ecb4345-2fc7-4e7f-adb0-83a20bb458f5
- https://github.com/vim/vim/commit/caea66442d86e7bbba3bf3dc202c3c0d549b9853
- https://github.com/vim/vim/commit/baefde14550231f6468ac2ed2ed495bc381c0c92
- https://huntr.dev/bounties/4a095ed9-3125-464a-b656-c31b437e1996
- https://huntr.dev/bounties/8dae6ab4-7a7a-4716-a65c-9b090fa057b5
- https://github.com/vim/vim/commit/79481367a457951aabd9501b510fd7e3eb29c3d8
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/
- https://github.com/vim/vim/commit/083692d598139228e101b8c521aaef7bcf256e9a
- https://huntr.dev/bounties/ca581f80-03ba-472a-b820-78f7fd05fe89
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/
- https://github.com/vim/vim/commit/d25f003342aca9889067f2e839963dfeccf1fe05
- https://huntr.dev/bounties/2241c773-02c9-4708-b63e-54aef99afa6c
- https://huntr.dev/bounties/571d25ce-8d53-4fa0-b620-27f2a8a14874
- https://github.com/vim/vim/commit/3d51ce18ab1be4f9f6061568a4e7fabf00b21794
- https://github.com/vim/vim/commit/27efc62f5d86afcb2ecb7565587fe8dea4b036fe
- https://huntr.dev/bounties/64574b28-1779-458d-a221-06c434042736
- https://huntr.dev/bounties/fe7681fb-2318-436b-8e65-daf66cd597d8
- https://github.com/vim/vim/commit/f12129f1714f7d2301935bb21d896609bdac221c
- https://github.com/vim/vim/commit/5e59ea54c0c37c2f84770f068d95280069828774
- https://huntr.dev/bounties/654aa069-3a9d-45d3-9a52-c1cf3490c284
- https://huntr.dev/bounties/a71bdcb7-4e9b-4650-ab6a-fe8e3e9852ad
- https://github.com/vim/vim/commit/c6fdb15d423df22e1776844811d082322475e48a
- https://github.com/vim/vim/commit/c5274dd12224421f2430b30c53b881b9403d649e
- https://huntr.dev/bounties/7447d2ea-db5b-4883-adf4-1eaf7deace64
- https://github.com/vim/vim/commit/54e5fed6d27b747ff152cdb6edfb72ff60e70939
- https://huntr.dev/bounties/eb7402f3-025a-402f-97a7-c38700d9548a
- https://huntr.dev/bounties/1eed7009-db6d-487b-bc41-8f2fd260483f
- https://github.com/vim/vim/commit/32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea