[USN-5723-1] Vim vulnerabilities
Mark Esler
mark.esler at canonical.com
Mon Nov 14 23:52:47 UTC 2022
==========================================================================
Ubuntu Security Notice USN-5723-1
November 14, 2022
vim vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in Vim.
Software Description:
- vim: Vi IMproved - enhanced vi editor
Details:
It was discovered that Vim could be made to crash when searching specially
crafted patterns. An attacker could possibly use this to crash Vim and
cause denial of service. (CVE-2022-1674)
It was discovered that there existed a NULL pointer dereference in Vim. An
attacker could possibly use this to crash Vim and cause denial of service.
(CVE-2022-1725)
It was discovered that there existed a buffer over-read in Vim when
searching specially crafted patterns. An attacker could possibly use this
to crash Vim and cause denial of service. (CVE-2022-2124)
It was discovered that there existed a heap buffer overflow in Vim when
auto-indenting lisp. An attacker could possibly use this to crash Vim and
cause denial of service. (CVE-2022-2125)
It was discovered that there existed an out of bounds read in Vim when
performing spelling suggestions. An attacker could possibly use this to
crash Vim and cause denial of service. (CVE-2022-2126)
It was discovered that Vim accessed invalid memory when executing specially
crafted command line expressions. An attacker could possibly use this to
crash Vim, access or modify memory, or execute arbitrary commands.
(CVE-2022-2175)
It was discovered that there existed an out-of-bounds read in Vim when
auto-indenting lisp. An attacker could possibly use this to crash Vim,
access or modify memory, or execute arbitrary commands. (CVE-2022-2183)
It was discovered that Vim accessed invalid memory when terminal size
changed. An attacker could possibly use this to crash Vim, access or modify
memory, or execute arbitrary commands. (CVE-2022-2206)
It was discovered that there existed a stack buffer overflow in Vim's
spelldump. An attacker could possibly use this to crash Vim and cause
denial of service. (CVE-2022-2304)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
vim 2:7.4.1689-3ubuntu1.5+esm13
vim-athena 2:7.4.1689-3ubuntu1.5+esm13
vim-athena-py2 2:7.4.1689-3ubuntu1.5+esm13
vim-gnome 2:7.4.1689-3ubuntu1.5+esm13
vim-gnome-py2 2:7.4.1689-3ubuntu1.5+esm13
vim-gtk 2:7.4.1689-3ubuntu1.5+esm13
vim-gtk-py2 2:7.4.1689-3ubuntu1.5+esm13
vim-gtk3 2:7.4.1689-3ubuntu1.5+esm13
vim-gtk3-py2 2:7.4.1689-3ubuntu1.5+esm13
vim-nox 2:7.4.1689-3ubuntu1.5+esm13
vim-nox-py2 2:7.4.1689-3ubuntu1.5+esm13
vim-tiny 2:7.4.1689-3ubuntu1.5+esm13
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5723-1
CVE-2022-1674, CVE-2022-1725, CVE-2022-2124, CVE-2022-2125,
CVE-2022-2126, CVE-2022-2175, CVE-2022-2183, CVE-2022-2206,
CVE-2022-2304
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xD60B83C90513BD4F.asc
Type: application/pgp-keys
Size: 4646 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20221114/37f6e7a2/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20221114/37f6e7a2/attachment.sig>
More information about the ubuntu-security-announce
mailing list