Ubuntu Security Notice 6302-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. It was discovered that Vim did not properly perform bounds checks in the diff mode in certain situations. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
99d99c980fb814b5a940e8caef7cb6f9ac4873610d0870a4650486177b144b4c
==========================================================================
Ubuntu Security Notice USN-6302-1
August 21, 2023
vim vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in Vim.
Software Description:
- vim: Vi IMproved - enhanced vi editor
Details:
It was discovered that Vim incorrectly handled memory when opening certain
files. If an attacker could trick a user into opening a specially crafted
file, it could cause Vim to crash, or possibly execute arbitrary code. This
issue only affected Ubuntu 22.04 LTS. (CVE-2022-2522, CVE-2022-2580,
CVE-2022-2817, CVE-2022-2819, CVE-2022-2862, CVE-2022-2889, CVE-2022-2982,
CVE-2022-3134)
It was discovered that Vim did not properly perform bounds checks in the
diff mode in certain situations. An attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-2598)
It was discovered that Vim did not properly perform bounds checks in
certain situations. An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 22.04 LTS.
(CVE-2022-2816)
It was discovered that Vim incorrectly handled memory when skipping
compiled code. An attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-2874)
It was discovered that Vim incorrectly handled memory when opening certain
files. If an attacker could trick a user into opening a specially crafted
file, it could cause Vim to crash, or possibly execute arbitrary code. This
issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-3016,
CVE-2022-3037)
It was discovered that Vim incorrectly handled memory when invalid line
number on ":for" is ignored. An attacker could possibly use this issue to
cause a denial of service. (CVE-2022-3099)
It was discovered that Vim incorrectly handled memory when passing invalid
arguments to the assert_fails() method. An attacker could possibly use this
issue to cause a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2022-3153)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
vim 2:8.2.3995-1ubuntu2.11
vim-athena 2:8.2.3995-1ubuntu2.11
vim-gtk 2:8.2.3995-1ubuntu2.11
vim-gtk3 2:8.2.3995-1ubuntu2.11
vim-nox 2:8.2.3995-1ubuntu2.11
vim-tiny 2:8.2.3995-1ubuntu2.11
xxd 2:8.2.3995-1ubuntu2.11
Ubuntu 20.04 LTS:
vim 2:8.1.2269-1ubuntu5.17
vim-athena 2:8.1.2269-1ubuntu5.17
vim-gtk 2:8.1.2269-1ubuntu5.17
vim-gtk3 2:8.1.2269-1ubuntu5.17
vim-nox 2:8.1.2269-1ubuntu5.17
vim-tiny 2:8.1.2269-1ubuntu5.17
xxd 2:8.1.2269-1ubuntu5.17
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
vim 2:8.0.1453-1ubuntu1.13+esm4
vim-athena 2:8.0.1453-1ubuntu1.13+esm4
vim-gtk 2:8.0.1453-1ubuntu1.13+esm4
vim-gtk3 2:8.0.1453-1ubuntu1.13+esm4
vim-runtime 2:8.0.1453-1ubuntu1.13+esm4
vim-tiny 2:8.0.1453-1ubuntu1.13+esm4
xxd 2:8.0.1453-1ubuntu1.13+esm4
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
vim 2:7.4.052-1ubuntu3.1+esm12
vim-athena 2:7.4.052-1ubuntu3.1+esm12
vim-gtk 2:7.4.052-1ubuntu3.1+esm12
vim-nox 2:7.4.052-1ubuntu3.1+esm12
vim-tiny 2:7.4.052-1ubuntu3.1+esm12
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6302-1
CVE-2022-2522, CVE-2022-2580, CVE-2022-2598, CVE-2022-2816,
CVE-2022-2817, CVE-2022-2819, CVE-2022-2862, CVE-2022-2874,
CVE-2022-2889, CVE-2022-2982, CVE-2022-3016, CVE-2022-3037,
CVE-2022-3099, CVE-2022-3134, CVE-2022-3153
Package Information:
https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.11
https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.17