[ubuntu/mantic-security] vim 2:9.0.1672-1ubuntu2.2 (Accepted)

Fabian Toepfer fabian.toepfer at canonical.com
Thu Dec 14 15:23:48 UTC 2023 

vim (2:9.0.1672-1ubuntu2.2) mantic-security; urgency=medium

  * SECURITY UPDATE: use-after-free vulnerability
    - debian/patches/CVE-2023-46246.patch: Check that the return value from the
      vim_str2nr() function is not larger than INT_MAX and if yes, bail out with
      an error.
    - CVE-2023-46246
  * SECURITY UPDATE: use-after-free vulnerability
    - debian/patches/CVE-2023-48231.patch: If the current window structure is
      no longer valid, fail and return before attempting to set win->w_closing
      variable.
    - CVE-2023-48231
  * SECURITY UPDATE: division by zero 
    - debian/patches/CVE-2023-48232-*.patch: Prevent a floating point exception
      when calculating w_skipcol (which can happen with a small window when the
      number option is set and cpo+=n).
    - CVE-2023-48232
  * SECURITY UPDATE: integer overflow
    - debian/patches/CVE-2023-48233.patch: If the count after the :s command is
      larger than what fits into a (signed) long variable, abort with
      e_value_too_large.
    - CVE-2023-48233
  * SECURITY UPDATE: integer overflow
    - debian/patches/CVE-2023-48234.patch: When getting the count for a normal z
      command, it may overflow for large counts given. So verify, that we can
      safely store the result in a long.
    - CVE-2023-48234
  * SECURITY UPDATE: integer overflow
    - debian/patches/CVE-2023-48235.patch: When parsing relative ex addresses
      one may unintentionally cause an overflow (because LONG_MAX - lnum will
      overflow for negative addresses).
    - CVE-2023-48235
  * SECURITY UPDATE: integer overflow
    - debian/patches/CVE-2023-48236.patch: When using the z= command, we may
      overflow the count with values larger than MAX_INT. So verify that we do
      not overflow and in case when an overflow is detected, simply return 0.
    - CVE-2023-48236
  * SECURITY UPDATE: integer overflow
    - debian/patches/CVE-2023-48237.patch: When shifting lines in operator
      pending mode and using a very large value, we may overflow the size of
      integer. Fix this by using a long variable, testing if the result would
      be larger than INT_MAX and if so, indent by INT_MAX value.
    - CVE-2023-48237
  * SECURITY UPDATE: use-after-free vulnerability
    - debian/patches/CVE-2023-48706.patch: ensure that the sub var always using
      allocated memory.
    - CVE-2023-48706

Date: 2023-12-08 20:27:09.786811+00:00
Changed-By: Fabian Toepfer <fabian.toepfer at canonical.com>
https://launchpad.net/ubuntu/+source/vim/2:9.0.1672-1ubuntu2.2
-------------- next part --------------
Sorry, changesfile not available.

More information about the mantic-changes mailing list