Bug 55417 - vim: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
All Linux
: P3 normal
: UCS 5.0-2-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2022-11-14 06:54 CET by Quality Assurance
Modified: 2022-11-16 18:04 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2022-11-14 06:54:44 CET
New Debian vim 2:8.1.0875-5+deb10u3 fixes:
This update addresses the following issues:
* heap-based buffer overflow in gchar_cursor() in misc1.c (CVE-2021-3927)
* stack-based buffer overflow in spell_iswordp() in spell.c (CVE-2021-3928)
* Use after free in regexp_nfa.c (CVE-2021-3974)
* illegal memory access in find_start_brace() in cindent.c when C-indenting (CVE-2021-3984)
* heap-based buffer overflow in find_help_tags() in help.c (CVE-2021-4019)
* use-after-free in ex_open() in src/ex_docmd.c (CVE-2021-4069)
* use-after-free in win_linetabsize() (CVE-2021-4192)
* out-of-bound read in getvcol() (CVE-2021-4193)
* vim is vulnerable to out of bounds read (CVE-2022-0213)
* Heap-based buffer overflow in block_insert() in src/ops.c (CVE-2022-0261)
* heap-based out-of-bounds read (CVE-2022-0319)
* access of memory location before start of buffer (CVE-2022-0351)
* Heap-based buffer overflow in init_ccline() in ex_getln.c (CVE-2022-0359)
* Illegal memory access when copying lines in visual mode leads to heap buffer overflow (CVE-2022-0361)
* Out-of-bounds Read in vim (CVE-2022-0368)
* Stack-based Buffer Overflow in spellsuggest.c (CVE-2022-0408)
* Use after free in src/ex_cmds.c (CVE-2022-0413)
* heap-based-buffer-overflow in ex_retab() of src/indent.c (CVE-2022-0417)
* heap-use-after-free in enter_buffer() of src/buffer.c (CVE-2022-0443)
* Use of Out-of-range Pointer Offset in vim (CVE-2022-0554)
* heap overflow in ex_retab() may lead to crash (CVE-2022-0572)
* CVE-2022-0685 : vim: Use of Out-of-range Pointer Offset in vim (CVE-2022-0685)
* buffer overflow (CVE-2022-0714)
* Use of Out-of-range Pointer Offset (CVE-2022-0729)
* Heap-based Buffer Overflow occurs in vim (CVE-2022-0943)
* use after free in utf_ptr2char (CVE-2022-1154)
* heap-buffer-overflow in append_command of src/ex_docmd.c (CVE-2022-1616)
* buffer over-read in grab_file_name() in findfile.c (CVE-2022-1720)
* out-of-bounds read in gchar_cursor() in misc1.c (CVE-2022-1851)
* use-after-free in find_pattern_in_path() in search.c (CVE-2022-1898)
* use-after-free in function utf_ptr2char at mbyte.c:1794 (CVE-2022-1968)
* integer overflow in del_typebuf() at getchar.c (CVE-2022-2285)
* stack buffer overflow in spell_dump_compl() at spell.c (CVE-2022-2304)
* Undefined Behavior for Input to API in vim (CVE-2022-2598)
* use after free in function vim_vsnprintf_typval (CVE-2022-2946)
* Use After Free in do_cmdline() in ex_docmd.c (CVE-2022-3099)
* heap use-after-free in do_tag() at src/tag.c (CVE-2022-3134)
* Heap-based Buffer Overflow (CVE-2022-3234)
* stack buffer overflow in win_redr_ruler() at drawscreen.c (CVE-2022-3324)
* a use after free in the function qf_update_buffer (CVE-2022-3705)
Comment 1 Quality Assurance univentionstaff 2022-11-14 07:00:15 CET
--- mirror/ftp/pool/main/v/vim/vim_8.1.0875-5+deb10u2.dsc
+++ apt/ucs_5.0-0-errata5.0-2/source/vim_8.1.0875-5+deb10u3.dsc
@@ -1,3 +1,21 @@
+2:8.1.0875-5+deb10u3 [Tue, 08 Nov 2022 13:53:29 +0100] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2021-3927, CVE-2021-3928, CVE-2021-3974, CVE-2021-3984,
+    CVE-2021-4019, CVE-2021-4069, CVE-2021-4192, CVE-2021-4193,
+    CVE-2022-0213, CVE-2022-0261, CVE-2022-0319, CVE-2022-0351,
+    CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0408,
+    CVE-2022-0413, CVE-2022-0417, CVE-2022-0443, CVE-2022-0554,
+    CVE-2022-0572, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729,
+    CVE-2022-0943, CVE-2022-1154, CVE-2022-1616, CVE-2022-1720,
+    CVE-2022-1851, CVE-2022-1898, CVE_2022-1968, CVE-2022-2285,
+    CVE-2022-2304, CVE-2022-2598, CVE-2022-2946, CVE-2022-3099,
+    CVE-2022-3134, CVE-2022-3234, CVE-2022-3324, CVE-2022-3705
+    Multiple security vulnerabilities have been discovered in vim, an enhanced
+    vi editor. Buffer overflows, out-of-bounds reads and use-after-free may
+    lead to a denial-of-service (application crash) or other unspecified
+    impact.
+
 2:8.1.0875-5+deb10u2 [Sat, 25 Dec 2021 10:48:51 -0500] James McCoy <jamessan@debian.org>:
 
   * Revert unintentional inclusion of v8.2.3489, which is only relevant to Vim
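Review bot: In the CVE list of the new 2:8.1.0875-5+deb10u3 changelog entry, `CVE_2022-1968` is written with an underscore instead of a hyphen, so tooling that extracts identifiers by the usual `CVE-YYYY-NNNN` form will not pick it up from this entry. It should read `CVE-2022-1968`, matching the other 39 identifiers in the list and the description of this bug. Since the changelog text comes from the Debian upload, the errata YAML for this update should be checked to confirm it carries the hyphenated form rather than a value copied from this line.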

<http://piuparts.knut.univention.de/5.0-2/#7984252947266720562>
Comment 2 Philipp Hahn univentionstaff 2022-11-16 10:45:15 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-2] ad216bf989 Bug #55417: vim 2:8.1.0875-5+deb10u3
 doc/errata/staging/vim.yaml | 86 ++++++++++++++++++++++++---------------------
 1 file changed, 45 insertions(+), 41 deletions(-)

[5.0-2] 2b9b9246b0 Bug #55417: vim 2:8.1.0875-5+deb10u3
 doc/errata/staging/vim.yaml | 93 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)