Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <ZVaU5z45gNgRiY1s@256bit.org>
Date: Thu, 16 Nov 2023 23:17:11 +0100
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] several minor security issues in Vim
 v9.0.2106-v9.0.2112

CVE-2023-48231: Use-After-Free in win_close()
=============================================
Date: 16.11.2023
Severity: Low

When closing a window, vim may try to access already freed window
structure. So before trying to access any window related variable
verify that the window to be closed is still valid and if not, return.

Impact is low, since it is not very easy to make use of this
and execute some payload (in particular not, without the
user noticing).

The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2106.

URLs: https://github.com/vim/vim/commit/25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a
      https://github.com/vim/vim/security/advisories/GHSA-8g46-v9ff-c765

--------------------------------------------------------------------------------

CVE-2023-48232: Floating point Exception in adjust_plines_for_skipcol()
=======================================================================
Date: 16.11.2023
Severity: Low

A floating point exception may occur when calculating the line offset for overlong
lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag.

This may happen when a window border is present and when the wrapped line continues
on the next physical line directly in the window border because the 'cpo' setting includes
the 'n' flag.

Impact is rather low, since we do not expect many users to have those non-default setting
set.

The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2107.

URLs: https://github.com/vim/vim/commit/cb0b99f0672d8446585d26e998343dceca17d1ce
      https://github.com/vim/vim/security/advisories/GHSA-f6cx-x634-hqpw


--------------------------------------------------------------------------------

CVE-2023-48233: overflow with count for :s command
==================================================
Date: 16.11.2023
Severity: Low

If the count after the :s command is larger than what fits into a
(signed) long variable, abort with e_value_too_large.

Impact is low, user interaction is required and a crash may not even happen.

The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2108.

URLs: https://github.com/vim/vim/commit/ac63787734fda2e294e477af52b3bd601517fa78
      https://github.com/vim/vim/security/advisories/GHSA-3xx4-hcq6-r2vj


--------------------------------------------------------------------------------

CVE-2023-48234: overflow in nv_z_get_count
==========================================
Date: 16.11.2023
Severity: Low

When getting the count for a normal mode z command, it may overflow for large
counts given. So let's verify that the result can be safely stored, else abort
the z command.

Impact is low, user interaction is required and a crash may not even happen.

The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2109.

URLs: https://github.com/vim/vim/commit/58f9befca1fa172068effad7f2ea5a9d6a7b0cca
      https://github.com/vim/vim/security/advisories/GHSA-59gw-c949-6phq

-------------------------------------------------------------------------------

CVE-2023-48235: overflow in ex address parsing
==============================================
Date: 16.11.2023
Severity: Low

When parsing relative ex addresses one may unintentionally cause an
overflow. Ironacially this happens in the existing overflow check, because
the line number becomes negative and LONG_MAX - lnum will cause the overflow.

So verify that lnum is actually positive before doing the actual overflow
check.

Impact is low, user interaction is required and a crash may not even happen.

The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2110.

URLs: https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200
      https://github.com/vim/vim/security/advisories/GHSA-6g74-hr6q-pr8g

-------------------------------------------------------------------------------

CVE-2023-48236: overflow in get_number
======================================
Date: 16.11.2023
Severity: Low

When using the z= command, we may overflow the count with values larger
than MAX_INT. So verify that we do not overflow and in case when an
overflow is detected, simply return 0

Impact is low, user interaction is required and a crash may not even happen.

The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2111.

URLs: https://github.com/vim/vim/commit/73b2d3790cad5694fc0ed0db2926e4220c48d968
      https://github.com/vim/vim/security/advisories/GHSA-pr4c-932v-8hx5



-------------------------------------------------------------------------------

CVE-2023-48237: overflow in shift_line
======================================
Date: 16.11.2023
Severity: Low

When shifting lines in operator pending mode and using a very large
value, we may overflow the size of integer. Fix this by using a long long
variable, testing if the result would be larger than INT_MAX and if so,
indent by INT_MAX value.

Impact is low, user interaction is required and a crash may not even happen.

The Vim project would like to thank Fabian Toepfer for reporting this issue
which is now fixed in Vim patch 9.0.2112.

URLs: https://github.com/vim/vim/commit/6bf131888a3d1de62bbfa8a7ea03c0ddccfd496e
      https://github.com/vim/vim/security/advisories/GHSA-f2m2-v387-gv87



Thanks,
Christian
-- 
Es gibt Augenblicke, in denen man nicht nur sehen, sondern ein Auge
zudrücken muß.
		-- Benjamin Franklin

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.