Ubuntu Security Notice 6154-1 - It was discovered that Vim was using uninitialized memory when fuzzy matching, which could lead to invalid memory access. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10 and Ubuntu 23.04. It was discovered that Vim was not properly performing bounds checks when processing register contents, which could lead to a NULL pointer dereference. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
8848b18b0396acfc52a2563f943aabe12e20a60d1698fb46840f08bf54c7de10==========================================================================
Ubuntu Security Notice USN-6154-1
June 12, 2023
vim vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in Vim.
Software Description:
- vim: Vi IMproved - enhanced vi editor
Details:
It was discovered that Vim was using uninitialized memory when fuzzy
matching, which could lead to invalid memory access. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10 and Ubuntu
23.04. (CVE-2023-2426)
It was discovered that Vim was not properly performing bounds checks when
processing register contents, which could lead to a NULL pointer
dereference. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. (CVE-2023-2609)
It was discovered that Vim was not properly limiting the length of
substitution expression strings, which could lead to excessive memory
consumption. An attacker could possibly use this issue to cause a denial
of service. (CVE-2023-2610)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
vim 2:9.0.1000-4ubuntu3.1
vim-tiny 2:9.0.1000-4ubuntu3.1
Ubuntu 22.10:
vim 2:9.0.0242-1ubuntu1.4
vim-tiny 2:9.0.0242-1ubuntu1.4
Ubuntu 22.04 LTS:
vim 2:8.2.3995-1ubuntu2.8
vim-tiny 2:8.2.3995-1ubuntu2.8
Ubuntu 20.04 LTS:
vim 2:8.1.2269-1ubuntu5.15
vim-tiny 2:8.1.2269-1ubuntu5.15
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
vim 2:8.0.1453-1ubuntu1.13+esm1
vim-tiny 2:8.0.1453-1ubuntu1.13+esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
vim 2:7.4.1689-3ubuntu1.5+esm18
vim-tiny 2:7.4.1689-3ubuntu1.5+esm18
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
vim 2:7.4.052-1ubuntu3.1+esm10
vim-tiny 2:7.4.052-1ubuntu3.1+esm10
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6154-1
CVE-2023-2426, CVE-2023-2609, CVE-2023-2610
Package Information:
https://launchpad.net/ubuntu/+source/vim/2:9.0.1000-4ubuntu3.1
https://launchpad.net/ubuntu/+source/vim/2:9.0.0242-1ubuntu1.4
https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.8
https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.15
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed