SB2023032308 - Amazon Linux AMI update for vim
Published: March 23, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2023-0288)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the ml_append_int() function in memline.c. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Heap-based buffer overflow (CVE-ID: CVE-2023-0433)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the same_leader() and utfc_ptr2len() function. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Division by zero (CVE-ID: CVE-2023-0512)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a divide by zero in the adjust_skipcol() function in move.c. A remote attacker can trick the victim to open a specially crafted file and crash the editor.
4) Division by zero (CVE-ID: CVE-2023-1127)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a divide by zero error within the scrolldown() function in move.c. A remote attacker can trick the victim to open a specially crafted file and crash the editor.
Remediation
Install update from vendor's website.