#4500 (vim-9.1.???? (Update before release)) – LFS Trac

comment:1 by Bruce Dubbs, 5 years ago

Updated to vim-8.1.1846 at revision 11656.

Leaving ticket open.

comment:2 by Bruce Dubbs, 5 years ago

Milestone:	Future → 9.1
Summary:	vim-8.1.???? (Update before release) → vim-8.2.???? (Update before release)

vim-8.2.0000 is available.

Promoting to milestone 9.1 so we but it in now, but should probably move the ticket back to future after that update.

Version 0, edited 5 years ago by Bruce Dubbs (next)

comment:3 by Bruce Dubbs, 5 years ago

Release notes for 8.2 are at

https://www.vim.org/vim-8.2-released.php

comment:4 by Pierre Labastie, 5 years ago

Owner:	changed from lfs-book to Pierre Labastie
Status:	new → assigned

comment:5 by Pierre Labastie, 5 years ago

Updated to 8.2.0024 at r11711

comment:6 by Pierre Labastie, 5 years ago

Owner:	changed from Pierre Labastie to lfs-book
Status:	assigned → new

comment:7 by Bruce Dubbs, 5 years ago

Milestone:	9.1 → Future

comment:8 by Bruce Dubbs, 5 years ago

Updated to version 8.2.0129 at revision 11731.

comment:9 by Bruce Dubbs, 5 years ago

Updated to version 8.2.0190 at revision 11738.

comment:10 by Bruce Dubbs, 4 years ago

Milestone:	Future → Hold

comment:11 by Douglas R. Reno, 3 years ago

Version:	SVN → git

follow-up: 13 comment:12 by Douglas R. Reno, 3 years ago

Updating vim again at the next LFS update would be a good idea.

On 10/4/21 08:48, Alan Coopersmith wrote:
> On 9/30/2021 7:39 PM, Alan Coopersmith wrote:
>> I haven't seen these make it to the list yet, but three CVE's were
>> recently assigned for bugs in vim.  [I personally don't see how
>> there's a security boundary crossed in normal vim usage here, but
>> could see issues if someone had configured vim to run with raised
>> privileges for editing system/application configuration files or
>> similar.]
>
> I do note all three of these were submitted via huntr.dev, which offers
> bounties for both reporting & fixing security bugs.  As a maintainer of
> an upstream open source project which is struggling with finding people
> to fix reported security bugs [1], I do appreciate the additional
> incentive to provide fixes here.  But as a maintainer of a distro, I see
> a mismatch with the incentives here, as you get bounties for accepting
> everything as a security bug and not pushing back, and flooding the
> distros with CVE's - even if your distro policy isn't to handle every
> CVE that applies, security auditors will often make your users query
> about every CVE that they think applies, costing your time to respond.
>
> [1] https://indico.freedesktop.org/event/1/contributions/28/
> https://www.youtube.com/watch?v=IU3NeVvDSp0

This has continued with many more CVE's issued for vim:

CVE-2022-0213     vim is vulnerable to Heap-based Buffer Overflow
CVE-2022-0158     vim is vulnerable to Heap-based Buffer Overflow
CVE-2022-0156     vim is vulnerable to Use After Free
CVE-2022-0128     vim is vulnerable to Out-of-bounds Read
CVE-2021-46059     A Pointer Dereference vulnerability exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.
CVE-2021-4193     vim is vulnerable to Out-of-bounds Read
CVE-2021-4192     vim is vulnerable to Use After Free
CVE-2021-4187     vim is vulnerable to Use After Free
CVE-2021-4173     vim is vulnerable to Use After Free
CVE-2021-4166     vim is vulnerable to Out-of-bounds Read
CVE-2021-4136     vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-4069     vim is vulnerable to Use After Free
CVE-2021-4019     vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-3984     vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-3974     vim is vulnerable to Use After Free
CVE-2021-3973     vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-3968     vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-3928     vim is vulnerable to Use of Uninitialized Variable
CVE-2021-3927     vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-3903     vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-3875     vim is vulnerable to Heap-based Buffer Overflow

in reply to: 12 comment:13 by ken@…, 3 years ago

Replying to Douglas R. Reno:

Updating vim again at the next LFS update would be a good idea.
On 10/4/21 08:48, Alan Coopersmith wrote:
> On 9/30/2021 7:39 PM, Alan Coopersmith wrote:

[snip]

CVE-2021-46059 A Pointer Dereference vulnerability exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.

CVE-2021-46059 has been rejected.

comment:14 by ken@…, 3 years ago

It turns out that 8.2.4383 also contained a security update (applied in 8.2.4359) for a crash when repeatedly using :retab. https://github.com/vim/vim/commit/6e28703a8e41f775f64e442c5d11ce1ff599aa3f Not yet analyzed at NVD.

follow-up: 16 comment:15 by Xi Ruoyao, 3 years ago

I'll update to 8.2.4489 for 4 CVEs (2022-0685,0714,0696,0729). Not sure how severe they are: their CVSS score are high but the upstream claims the worst thing could happen is a crash.

in reply to: 15 ; follow-up: 17 comment:16 by ken@…, 3 years ago

Replying to Xi Ruoyao:

I'll update to 8.2.4489 for 4 CVEs (2022-0685,0714,0696,0729). Not sure how severe they are: their CVSS score are high but the upstream claims the worst thing could happen is a crash.

We've labelled application crashes, as well as lack of information on the consequences or severity, as High.

in reply to: 16 comment:17 by Xi Ruoyao, 3 years ago

Replying to ken@…:

Replying to Xi Ruoyao:

I'll update to 8.2.4489 for 4 CVEs (2022-0685,0714,0696,0729). Not sure how severe they are: their CVSS score are high but the upstream claims the worst thing could happen is a crash.

We've labelled application crashes, as well as lack of information on the consequences or severity, as High.

SA 11.1-001 published with severity High.

comment:18 by Xi Ruoyao, 3 years ago

Owner:	changed from lfs-book to Xi Ruoyao
Status:	new → assigned

CVE-2022-0943 is published with 8.4 HIGH.

comment:19 by Xi Ruoyao, 3 years ago

CVE-2022-0943 fixed at f7ac150c8. Leave this assigned for SA.

comment:20 by Xi Ruoyao, 3 years ago

Owner:	changed from Xi Ruoyao to lfs-book
Status:	assigned → new

SA 11.1-010 issued.

comment:21 by Xi Ruoyao, 3 years ago

Priority:	normal → high

CVE-2022-1154: Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646. (CVSS2 7.5 HIGH)
CVE-2022-1160: heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647. (CVSS2 6.8 MEDIUM)

comment:22 by Bruce Dubbs, 3 years ago

I'll update vim next week at my bi-monthly update.

comment:23 by Xi Ruoyao, 3 years ago

CVE-2022-1381: global heap buffer overflow in skip_range in GitHub repository vim/vim prior to 8.2.4763. (CVSS2 6.8 MEDIUM)

comment:24 by Bruce Dubbs, 3 years ago

I have vim-8.2.4814 ready for inclusion in the next update. I plan on a full update of current tickets on April 30.

comment:25 by Xi Ruoyao, 3 years ago

Priority:	high → normal

SA 11.1-037 issued.

comment:26 by Xi Ruoyao, 2 years ago

Owner:	changed from lfs-book to Xi Ruoyao
Priority:	normal → high
Status:	new → assigned

CVE-2022-1616: Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution (6.8 MEDIUM)
CVE-2022-1620: NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input. (5.0 MEDIUM)
CVE-2022-1621: Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution (6.8 MEDIUM)
CVE-2022-1629: Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution (6.8 MEDIUM)
CVE-2022-1674: NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input. (4.3 MEDIUM)

I'm going to build LFS for my old system (for testing latest Mesa with crocus, mainly) so I can update vim BTW.

comment:27 by Xi Ruoyao, 2 years ago

CVE-2022-1733: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968. (4.6 MEDIUM)
CVE-2022-1735: Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969. (6.8 MEDIUM)
CVE-2022-1769: Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974. (4.6 MEDIUM)
CVE-2022-1771: Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975. (4.3 MEDIUM)
CVE-2022-1785: Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977. (4.6 MEDIUM)
CVE-2022-1796: Use After Free in GitHub repository vim/vim prior to 8.2.4979. (6.8 MEDIUM)

comment:28 by Xi Ruoyao, 2 years ago

Fixed at r11.1-129-ge6e8f0047. Vim left assigned for SA.

comment:29 by Xi Ruoyao, 2 years ago

SA 11.1-053 done.

comment:30 by Xi Ruoyao, 2 years ago

Owner:	changed from Xi Ruoyao to lfs-book
Priority:	high → normal
Status:	assigned → new

follow-up: 32 comment:31 by Xi Ruoyao, 2 years ago

Summary:	vim-8.2.???? (Update before release) → vim-9.0.???? (Update before release)

Now 9.0.0001.

in reply to: 31 comment:32 by Bruce Dubbs, 2 years ago