Message-ID: <51bbd9bf-fa31-a1ac-a667-7b4b9b425623@oracle.com>
Date: Thu, 30 Sep 2021 19:39:07 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: 3 new CVE's in vim

I haven't seen these make it to the list yet, but three CVEs were recently
assigned for bugs in vim.

[I personally don't see how there's a security boundary crossed in normal
vim usage here, but could see issues if someone had configured vim to run
with raised privileges for editing system/application configuration files
or similar.]

-Alan Coopersmith-  alan.coopersmith@...cle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc

CVE-2021-3770: vim: Heap-based Buffer Overflow in ex_retab()
Report: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/
Fix: patch 8.2.3402: invalid memory access when using :retab with large value
     https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9

When vim 8.1 or 8.2 is built with --with-features=huge --enable-gui=none and
address sanitizer, a heap-buffer overflow occurs when running:

    echo "bGMKc2YICnJldDgwMDAwMDAwMDAwMDAwMDAwMDAw" | base64 -d \
        > fuzz448.txt
    vim -u NONE -X -Z -e -s -S fuzz448.txt -c :qa!

-----------------------------------------------------------------------

CVE-2021-3778: vim: Heap-based Buffer Overflow in utf_ptr2char()
Report: https://huntr.dev/bounties/d9c17308-2c99-4f9f-a706-f7f72c24c273/
Fix: patch 8.2.3409: reading beyond end of line with invalid utf-8 character
     https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f

When vim 8.2 is built with --with-features=huge --enable-gui=none and
address sanitizer, a heap-buffer overflow occurs when running:

    echo "Ywp2XTCqCi4KeQpAMA==" | base64 -d > fuzz000.txt
    vim -u NONE -X -Z -e -s -S fuzz000.txt -c :qa!

-----------------------------------------------------------------------

CVE-2021-3796: vim: Use After Free in nv_replace()
Report: https://huntr.dev/bounties/ab60b7f3-6fb1-4ac2-a4fa-4d592e08008d/
Fix: patch 8.2.3428: using freed memory when replacing
     https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3

When vim 8.2 is built with --with-features=huge --enable-gui=none and
address sanitizer, a use-after-free occurs when running:

    LC_ALL=C vim -U NONE -X -Z -e -s -S poc -c :qa!

with the poc file provided in the report.
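Added example (not part of the post above): a small checker that reads the "Included patches:" line of `vim --version` and reports which of the three fixing patch levels named in the post (8.2.3402, 8.2.3409, 8.2.3428) a build lacks. The sample version output is constructed; a distribution build that backports the fixes without bumping the patch list will still be reported as missing, so treat the result as a prompt to check the vendor changelog, not as proof.

```python
import re
import subprocess

# Fixing patch levels taken from the post: CVE -> (major, minor, patch number).
FIXES = {
    "CVE-2021-3770": (8, 2, 3402),
    "CVE-2021-3778": (8, 2, 3409),
    "CVE-2021-3796": (8, 2, 3428),
}

# Constructed `vim --version` excerpt: an 8.2 build missing patch 3428.
SAMPLE_VERSION_OUTPUT = """VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Oct 01 2021 00:00:00)
Included patches: 1-3400, 3402-3410
Compiled by constructed-example
"""


def parse_vim_version(text: str) -> tuple[tuple[int, int], set[int]]:
    """Return ((major, minor), set of included patch numbers) from `vim --version` text."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("input does not look like `vim --version` output")
    version = (int(m.group(1)), int(m.group(2)))
    patches: set[int] = set()
    for line in text.splitlines():
        if line.startswith("Included patches:"):
            # Patch list is comma-separated, each item either "N" or "N-M".
            for item in line.split(":", 1)[1].split(","):
                item = item.strip()
                if "-" in item:
                    lo, hi = item.split("-", 1)
                    patches.update(range(int(lo), int(hi) + 1))
                elif item:
                    patches.add(int(item))
    return version, patches


def missing_fixes(text: str) -> dict[str, bool]:
    """Map each CVE to True when the build lacks its fixing patch level."""
    version, patches = parse_vim_version(text)
    result = {}
    for cve, (major, minor, patch) in FIXES.items():
        if version > (major, minor):
            result[cve] = False          # later series already carries the fix
        elif version < (major, minor):
            result[cve] = True           # older series (e.g. 8.1) predates the fix
        else:
            result[cve] = patch not in patches
    return result


if __name__ == "__main__":
    out = subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout
    for cve, missing in missing_fixes(out).items():
        print(f"{cve}: {'MISSING fix' if missing else 'fix included'}")
```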