[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 16 Nov 2023 23:17:11 +0100
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] several minor security issues in Vim
v9.0.2106-v9.0.2112
CVE-2023-48231: Use-After-Free in win_close()
=============================================
Date: 16.11.2023
Severity: Low
When closing a window, vim may try to access already freed window
structure. So before trying to access any window related variable
verify that the window to be closed is still valid and if not, return.
Impact is low, since it is not very easy to make use of this
and execute some payload (in particular not, without the
user noticing).
The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2106.
URLs: https://github.com/vim/vim/commit/25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a
https://github.com/vim/vim/security/advisories/GHSA-8g46-v9ff-c765
--------------------------------------------------------------------------------
CVE-2023-48232: Floating point Exception in adjust_plines_for_skipcol()
=======================================================================
Date: 16.11.2023
Severity: Low
A floating point exception may occur when calculating the line offset for overlong
lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag.
This may happen when a window border is present and when the wrapped line continues
on the next physical line directly in the window border because the 'cpo' setting includes
the 'n' flag.
Impact is rather low, since we do not expect many users to have those non-default setting
set.
The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2107.
URLs: https://github.com/vim/vim/commit/cb0b99f0672d8446585d26e998343dceca17d1ce
https://github.com/vim/vim/security/advisories/GHSA-f6cx-x634-hqpw
--------------------------------------------------------------------------------
CVE-2023-48233: overflow with count for :s command
==================================================
Date: 16.11.2023
Severity: Low
If the count after the :s command is larger than what fits into a
(signed) long variable, abort with e_value_too_large.
Impact is low, user interaction is required and a crash may not even happen.
The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2108.
URLs: https://github.com/vim/vim/commit/ac63787734fda2e294e477af52b3bd601517fa78
https://github.com/vim/vim/security/advisories/GHSA-3xx4-hcq6-r2vj
--------------------------------------------------------------------------------
CVE-2023-48234: overflow in nv_z_get_count
==========================================
Date: 16.11.2023
Severity: Low
When getting the count for a normal mode z command, it may overflow for large
counts given. So let's verify that the result can be safely stored, else abort
the z command.
Impact is low, user interaction is required and a crash may not even happen.
The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2109.
URLs: https://github.com/vim/vim/commit/58f9befca1fa172068effad7f2ea5a9d6a7b0cca
https://github.com/vim/vim/security/advisories/GHSA-59gw-c949-6phq
-------------------------------------------------------------------------------
CVE-2023-48235: overflow in ex address parsing
==============================================
Date: 16.11.2023
Severity: Low
When parsing relative ex addresses one may unintentionally cause an
overflow. Ironacially this happens in the existing overflow check, because
the line number becomes negative and LONG_MAX - lnum will cause the overflow.
So verify that lnum is actually positive before doing the actual overflow
check.
Impact is low, user interaction is required and a crash may not even happen.
The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2110.
URLs: https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200
https://github.com/vim/vim/security/advisories/GHSA-6g74-hr6q-pr8g
-------------------------------------------------------------------------------
CVE-2023-48236: overflow in get_number
======================================
Date: 16.11.2023
Severity: Low
When using the z= command, we may overflow the count with values larger
than MAX_INT. So verify that we do not overflow and in case when an
overflow is detected, simply return 0
Impact is low, user interaction is required and a crash may not even happen.
The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2111.
URLs: https://github.com/vim/vim/commit/73b2d3790cad5694fc0ed0db2926e4220c48d968
https://github.com/vim/vim/security/advisories/GHSA-pr4c-932v-8hx5
-------------------------------------------------------------------------------
CVE-2023-48237: overflow in shift_line
======================================
Date: 16.11.2023
Severity: Low
When shifting lines in operator pending mode and using a very large
value, we may overflow the size of integer. Fix this by using a long long
variable, testing if the result would be larger than INT_MAX and if so,
indent by INT_MAX value.
Impact is low, user interaction is required and a crash may not even happen.
The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2112.
URLs: https://github.com/vim/vim/commit/6bf131888a3d1de62bbfa8a7ea03c0ddccfd496e
https://github.com/vim/vim/security/advisories/GHSA-f2m2-v387-gv87
Thanks,
Christian
--
Es gibt Augenblicke, in denen man nicht nur sehen, sondern ein Auge
zudrücken muß.
-- Benjamin Franklin
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
