Описание
Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.
A vulnerability was found in the VIM package. When performing a search and displaying the search count message is disabled, the search pattern is shown at the bottom of the screen, and this text is stored in an internal buffer. The search pattern is reversed when using the right-left search mode, and a new internal buffer will be created. If the original search pattern contains NULL characters, the newly allocated buffer will be smaller than the required size, leading to a head-based out-of-bounds read. This flaw allows an attacker to trick the user into running the malicious search pattern and execute all the steps required to cause the out-of-bounds read.
Отчет
Red Hat Product Security has rated this issue as having a Low security impact because the "victim" has to run an untrusted file IN SCRIPT MODE. Someone who is running untrusted files in script mode is equivalent to someone just taking a random Python script and running it. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | vim | Not affected | ||
| Red Hat Enterprise Linux 6 | vim | Out of support scope | ||
| Red Hat Enterprise Linux 7 | vim | Out of support scope | ||
| Red Hat Enterprise Linux 8 | vim | Not affected | ||
| Red Hat Enterprise Linux 9 | vim | Not affected | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Will not fix |
Показывать по
Дополнительная информация
Статус:
4.2 Medium
CVSS3
Связанные уязвимости
Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.
Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.
Vim is an open source command line text editor. When performing a sear ...
Уязвимость функции do_search() текстового редактора vim, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
4.2 Medium
CVSS3