USN-5460-1: Vim vulnerabilities
6 June 2022
Several security issues were fixed in Vim.
Releases
Packages
- vim - Vi IMproved - enhanced vi editor
Details
It was discovered that Vim was incorrectly processing Vim buffers.
An attacker could possibly use this issue to perform illegal memory
access and expose sensitive information. (CVE-2022-0554)
It was discovered that Vim was not properly performing bounds checks
for column numbers when replacing tabs with spaces or spaces with
tabs, which could cause a heap buffer overflow. An attacker could
possibly use this issue to cause a denial of service or execute
arbitrary code. (CVE-2022-0572)
It was discovered that Vim was not properly performing validation of
data that contained special multi-byte characters, which could cause
an out-of-bounds read. An attacker could possibly use this issue to
cause a denial of service. (CVE-2022-0685)
It was discovered that Vim was incorrectly processing data used to
define indentation in a file, which could cause a heap buffer
overflow. An attacker could possibly use this issue to cause a denial
of service. (CVE-2022-0714)
It was discovered that Vim was incorrectly processing certain regular
expression patterns and strings, which could cause an out-of-bounds
read. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-0729)
It was discovered that Vim was not properly performing bounds checks
when executing spell suggestion commands, which could cause a heap
buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2022-0943)
It was discovered that Vim was incorrectly performing bounds checks
when processing invalid commands with composing characters in Ex
mode, which could cause a buffer overflow. An attacker could possibly
use this issue to cause a denial of service or execute arbitrary
code. (CVE-2022-1616)
It was discovered that Vim was not properly processing latin1 data
when issuing Ex commands, which could cause a heap buffer overflow.
An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code. (CVE-2022-1619)
It was discovered that Vim was not properly performing memory
management when dealing with invalid regular expression patterns in
buffers, which could cause a NULL pointer dereference. An attacker
could possibly use this issue to cause a denial of service.
(CVE-2022-1620)
It was discovered that Vim was not properly processing invalid bytes
when performing spell check operations, which could cause a heap
buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2022-1621)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04
-
vim
-
2:7.4.1689-3ubuntu1.5+esm6
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
Related notices
- USN-5613-1: vim-gnome, vim-common, vim-gtk3, vim-athena, vim-runtime, xxd, vim-doc, vim-gui-common, vim-nox, vim, vim-tiny, vim-gtk, vim-lesstif
- USN-5613-2: vim-common, vim-gtk3, vim-athena, vim-runtime, xxd, vim-doc, vim-gui-common, vim-nox, vim, vim-tiny, vim-gtk
- USN-6026-1: vim-gnome, vim-common, vim-gtk3, vim-athena, vim-runtime, xxd, vim-doc, vim-gui-common, vim-nox, vim, vim-tiny, vim-gtk, vim-lesstif