Bug 58103 - vim: Multiple issues (5.2)
Summary: vim: Multiple issues (5.2)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.2
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.2-1-errata
Assignee: Quality Assurance
QA Contact: Felix Botner
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-03-24 15:36 CET by Quality Assurance
Modified: 2025-03-26 16:47 CET

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2025-03-24 15:36:07 CET
New Debian vim 2:9.0.1378-2+deb12u2 fixes:
This update addresses the following issues:
* vim: integer overflow vulnerability in vim (CVE-2023-2610)
* vim: heap-buffer-overflow in vim_regsub_both in vim/vim (CVE-2023-4738)
* vim: use-after-free in function ins_compl_get_exp in vim/vim (CVE-2023-4752)
* vim: heap-buffer-overflow in function vim_regsub_both in vim/vim (CVE-2023-4781)
* vim: Heap-based Buffer Overflow in trunc_string() (CVE-2023-5344)
* vim: Stack buffer overflow in did_set_langmap function in map.c (CVE-2024-22667)
* vim: Heap Buffer Overflow in Vim's Typeahead Buffer Handling (CVE-2024-43802)
* vim: use-after-free when closing buffers in Vim (CVE-2024-47814)
Comment 1 Quality Assurance univentionstaff 2025-03-24 16:00:27 CET
--- mirror/ftp/pool/main/v/vim/vim_9.0.1378-2.dsc
+++ apt/ucs_5.2-0-errata5.2-1/source/vim_9.0.1378-2+deb12u2.dsc
@@ -1,3 +1,26 @@
+2:9.0.1378-2+deb12u2 [Sun, 16 Feb 2025 13:23:41 +0800] Sean Whitton <spwhitton@spwhitton.name>:
+
+  * Drop test case from CVE-2023-2610.patch.
+    This test was breaking the build on a number of architectures.
+    The test was removed upstream for similar reasons.
+    Thanks to James McCoy for reporting the problem.
+
+2:9.0.1378-2+deb12u1 [Thu, 23 Jan 2025 13:00:20 +0000] Sean Whitton <spwhitton@spwhitton.name>:
+
+  * Backport security fixes:
+    - 9.0.1532: Crash when expanding "~" in substitute
+      (Closes: #1035955, CVE-2023-2610)
+    - 9.0.1848: buffer-overflow in vim_regsub_both() (CVE-2023-4738)
+    - 9.0.1858: heap use after free in ins_compl_get_exp() (CVE-2023-4752)
+    - 9.0.1873: heap-buffer-overflow in vim_regsub_both (CVE-2023-4781)
+    - 9.0.1969: buffer-overflow in trunc_string()
+      (Closes: #1053694, CVE-2023-5344)
+    - 9.0.2142: stack-buffer-overflow in option callback functions
+      (CVE-2024-22667)
+    - 9.1.0697: heap-buffer-overflow in ins_typebuf (CVE-2024-43802)
+    - 9.1.0764: use-after-free when closing a buffer
+      (Closes: #1084806, CVE-2024-47814).
+
 2:9.0.1378-2 [Thu, 04 May 2023 06:24:44 -0400] James McCoy <jamessan@debian.org>:
 
   * Backport 9.0.1499 to fix CVE-2023-2426 (Closes: #1035323)
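Review bot: In the 2:9.0.1378-2+deb12u2 entry, dropping the test case from CVE-2023-2610.patch leaves the 9.0.1532 backport ("Crash when expanding "~" in substitute") without a regression test in the package build, and the entry does not say how the fix is verified instead. Suggest recording a manual check of that case in the errata QA notes, since the build can no longer catch a regression there. Separately, 9.1.0697 and 9.1.0764 are 9.1-series patches applied to a package that stays at 9.0.1378; the changelog would be easier to audit if it stated whether those two applied unchanged or were adapted for the older code base.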

<http://piuparts.knut.univention.de/5.2-1/#743133255412248920>
Comment 2 Felix Botner univentionstaff 2025-03-24 17:13:06 CET
OK: bug
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts

[5.2-1] 2fa0a035b50 Bug #58103: vim 2:9.0.1378-2+deb12u2
 doc/errata/staging/vim.yaml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)