Opened 5 years ago
Last modified 8 months ago
#4500 new task
vim-9.1.???? (Update before release)
Reported by: | Bruce Dubbs | Owned by: | lfs-book |
---|---|---|---|
Priority: | normal | Milestone: | Hold |
Component: | Book | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
Update vim to latest patch version before release.
Change History (33)
comment:1 by , 5 years ago
comment:2 by , 5 years ago
Milestone: | Future → 9.1 |
---|---|
Summary: | vim-8.1.???? (Update before release) → vim-8.2.???? (Update before release) |
vim-8.2.0000 is available.
Promoting to milestone 9.1 so we put it in now, but should probably move the ticket back to future after that update.
comment:4 by , 5 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:6 by , 5 years ago
Owner: | changed from | to
---|---|
Status: | assigned → new |
comment:7 by , 5 years ago
Milestone: | 9.1 → Future |
---|
comment:10 by , 4 years ago
Milestone: | Future → Hold |
---|
comment:11 by , 3 years ago
Version: | SVN → git |
---|
follow-up: 13 comment:12 by , 3 years ago
Updating vim again at the next LFS update would be a good idea.
On 10/4/21 08:48, Alan Coopersmith wrote:
> On 9/30/2021 7:39 PM, Alan Coopersmith wrote:
>> I haven't seen these make it to the list yet, but three CVE's were
>> recently assigned for bugs in vim. [I personally don't see how
>> there's a security boundary crossed in normal vim usage here, but
>> could see issues if someone had configured vim to run with raised
>> privileges for editing system/application configuration files or
>> similar.]
>
> I do note all three of these were submitted via huntr.dev, which offers
> bounties for both reporting & fixing security bugs. As a maintainer of
> an upstream open source project which is struggling with finding people
> to fix reported security bugs [1], I do appreciate the additional
> incentive to provide fixes here. But as a maintainer of a distro, I see
> a mismatch with the incentives here, as you get bounties for accepting
> everything as a security bug and not pushing back, and flooding the
> distros with CVE's - even if your distro policy isn't to handle every
> CVE that applies, security auditors will often make your users query
> about every CVE that they think applies, costing your time to respond.
>
> [1] https://indico.freedesktop.org/event/1/contributions/28/
> https://www.youtube.com/watch?v=IU3NeVvDSp0

This has continued with many more CVE's issued for vim:

- CVE-2022-0213 vim is vulnerable to Heap-based Buffer Overflow
- CVE-2022-0158 vim is vulnerable to Heap-based Buffer Overflow
- CVE-2022-0156 vim is vulnerable to Use After Free
- CVE-2022-0128 vim is vulnerable to Out-of-bounds Read
- CVE-2021-46059 A Pointer Dereference vulnerability exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.
- CVE-2021-4193 vim is vulnerable to Out-of-bounds Read
- CVE-2021-4192 vim is vulnerable to Use After Free
- CVE-2021-4187 vim is vulnerable to Use After Free
- CVE-2021-4173 vim is vulnerable to Use After Free
- CVE-2021-4166 vim is vulnerable to Out-of-bounds Read
- CVE-2021-4136 vim is vulnerable to Heap-based Buffer Overflow
- CVE-2021-4069 vim is vulnerable to Use After Free
- CVE-2021-4019 vim is vulnerable to Heap-based Buffer Overflow
- CVE-2021-3984 vim is vulnerable to Heap-based Buffer Overflow
- CVE-2021-3974 vim is vulnerable to Use After Free
- CVE-2021-3973 vim is vulnerable to Heap-based Buffer Overflow
- CVE-2021-3968 vim is vulnerable to Heap-based Buffer Overflow
- CVE-2021-3928 vim is vulnerable to Use of Uninitialized Variable
- CVE-2021-3927 vim is vulnerable to Heap-based Buffer Overflow
- CVE-2021-3903 vim is vulnerable to Heap-based Buffer Overflow
- CVE-2021-3875 vim is vulnerable to Heap-based Buffer Overflow
comment:13 by , 3 years ago
Replying to Douglas R. Reno:
Updating vim again at the next LFS update would be a good idea.
On 10/4/21 08:48, Alan Coopersmith wrote:
> On 9/30/2021 7:39 PM, Alan Coopersmith wrote:
[snip]
CVE-2021-46059 A Pointer Dereference vulnerability exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.
CVE-2021-46059 has been rejected.
comment:14 by , 3 years ago
It turns out that 8.2.4383 also contained a security update (applied in 8.2.4359) for a crash when repeatedly using :retab. https://github.com/vim/vim/commit/6e28703a8e41f775f64e442c5d11ce1ff599aa3f Not yet analyzed at NVD.
follow-up: 16 comment:15 by , 3 years ago
I'll update to 8.2.4489 for 4 CVEs (2022-0685,0714,0696,0729). Not sure how severe they are: their CVSS scores are high but the upstream claims the worst thing that could happen is a crash.
follow-up: 17 comment:16 by , 3 years ago
Replying to Xi Ruoyao:
I'll update to 8.2.4489 for 4 CVEs (2022-0685,0714,0696,0729). Not sure how severe they are: their CVSS scores are high but the upstream claims the worst thing that could happen is a crash.
We've labelled application crashes, as well as lack of information on the consequences or severity, as High.
comment:17 by , 3 years ago
Replying to ken@…:
Replying to Xi Ruoyao:
I'll update to 8.2.4489 for 4 CVEs (2022-0685,0714,0696,0729). Not sure how severe they are: their CVSS scores are high but the upstream claims the worst thing that could happen is a crash.
We've labelled application crashes, as well as lack of information on the consequences or severity, as High.
SA 11.1-001 published with severity High.
comment:18 by , 2 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
CVE-2022-0943 is published with 8.4 HIGH.
comment:21 by , 2 years ago
Priority: | normal → high |
---|
- CVE-2022-1154: Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646. (CVSS2 7.5 HIGH)
- CVE-2022-1160: heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647. (CVSS2 6.8 MEDIUM)
comment:23 by , 2 years ago
- CVE-2022-1381: global heap buffer overflow in skip_range in GitHub repository vim/vim prior to 8.2.4763. (CVSS2 6.8 MEDIUM)
comment:24 by , 2 years ago
I have vim-8.2.4814 ready for inclusion in the next update. I plan on a full update of current tickets on April 30.
comment:26 by , 2 years ago
Owner: | changed from | to
---|---|
Priority: | normal → high |
Status: | new → assigned |
- CVE-2022-1616: Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution (6.8 MEDIUM)
- CVE-2022-1620: NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input. (5.0 MEDIUM)
- CVE-2022-1621: Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution (6.8 MEDIUM)
- CVE-2022-1629: Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution (6.8 MEDIUM)
- CVE-2022-1674: NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input. (4.3 MEDIUM)
I'm going to build LFS for my old system (for testing latest Mesa with crocus, mainly) so I can update vim BTW.
comment:27 by , 2 years ago
- CVE-2022-1733: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968. (4.6 MEDIUM)
- CVE-2022-1735: Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969. (6.8 MEDIUM)
- CVE-2022-1769: Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974. (4.6 MEDIUM)
- CVE-2022-1771: Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975. (4.3 MEDIUM)
- CVE-2022-1785: Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977. (4.6 MEDIUM)
- CVE-2022-1796: Use After Free in GitHub repository vim/vim prior to 8.2.4979. (6.8 MEDIUM)
comment:30 by , 2 years ago
Owner: | changed from | to
---|---|
Priority: | high → normal |
Status: | assigned → new |
follow-up: 32 comment:31 by , 2 years ago
Summary: | vim-8.2.???? (Update before release) → vim-9.0.???? (Update before release) |
---|
Now 9.0.0001.
comment:32 by , 2 years ago
Replying to Xi Ruoyao:
Now 9.0.0001.
It's up to 9.0.0006 already. Seems to be some changes in scripting.
https://github.com/brammool/vim9/blob/master/README.md
The date of this file is about 2 months ago.
comment:33 by , 8 months ago
Summary: | vim-9.0.???? (Update before release) → vim-9.1.???? (Update before release) |
---|
Now 9.1.
Updated to vim-8.1.1846 at revision 11656.
Leaving ticket open.