Security
Headlines
CVE-2022-1621: Heap buffer overflow in vim_strncpy find_word in vim

Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, bypassing protection mechanisms, modifying memory, and possibly allowing remote execution.

Description

When fuzzing vim commit fc78a0369 (the issue also reproduces with the latest build and latest commit 202b4bd3a at the time of this report) with clang 13 and ASan, I discovered a buffer overflow.

Proof of Concept

Here is the PoC:

https://drive.google.com/file/d/11yaq4umocSbwphl7o31r50it0IP2bYGE/view?usp=sharing

How to build

LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
make -j$(nproc)

Proof of Concept

Run the crafted file with this command:

./vim -u NONE -X -Z -e -s -S poc_vim_strncpy_min -c :qa!

ASan stack trace:

aldo@vps:~/vimbaru/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_vim_strncpy_min -c :qa!
=================================================================
==2676390==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007032 at pc 0x000000485f0d bp 0x7fffffff8810 sp 0x7fffffff7fc8
READ of size 1 at 0x602000007032 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x485f0c  (/home/aldo/vimtes/src/vim+0x485f0c)
    #1 0xbd6554  (/home/aldo/vimtes/src/vim+0xbd6554)
    #2 0xbb8e32  (/home/aldo/vimtes/src/vim+0xbb8e32)
    #3 0xbb3d63  (/home/aldo/vimtes/src/vim+0xbb3d63)
    #4 0xbb0303  (/home/aldo/vimtes/src/vim+0xbb0303)
    #5 0xbaccac  (/home/aldo/vimtes/src/vim+0xbaccac)
    #6 0x928db0  (/home/aldo/vimtes/src/vim+0x928db0)
    #7 0x8fa54d  (/home/aldo/vimtes/src/vim+0x8fa54d)
    #8 0x6fba0d  (/home/aldo/vimtes/src/vim+0x6fba0d)
    #9 0x6fb613  (/home/aldo/vimtes/src/vim+0x6fb613)
    #10 0x6fb373  (/home/aldo/vimtes/src/vim+0x6fb373)
    #11 0x6d6a92  (/home/aldo/vimtes/src/vim+0x6d6a92)
    #12 0x6ca7c2  (/home/aldo/vimtes/src/vim+0x6ca7c2)
    #13 0xafe285  (/home/aldo/vimtes/src/vim+0xafe285)
    #14 0xafbcd0  (/home/aldo/vimtes/src/vim+0xafbcd0)
    #15 0xafb809  (/home/aldo/vimtes/src/vim+0xafb809)
    #16 0xafb2ed  (/home/aldo/vimtes/src/vim+0xafb2ed)
    #17 0x6d6a92  (/home/aldo/vimtes/src/vim+0x6d6a92)
    #18 0x6ca7c2  (/home/aldo/vimtes/src/vim+0x6ca7c2)
    #19 0x6cda50  (/home/aldo/vimtes/src/vim+0x6cda50)
    #20 0xed9214  (/home/aldo/vimtes/src/vim+0xed9214)
    #21 0xed6f49  (/home/aldo/vimtes/src/vim+0xed6f49)
    #22 0xed0830  (/home/aldo/vimtes/src/vim+0xed0830)
    #23 0x7ffff78240b2  (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #24 0x41edcd  (/home/aldo/vimtes/src/vim+0x41edcd)

0x602000007032 is located 0 bytes to the right of 2-byte region [0x602000007030,0x602000007032)
allocated by thread T0 here:
    #0 0x499c8d  (/home/aldo/vimtes/src/vim+0x499c8d)
    #1 0x4cb0e0  (/home/aldo/vimtes/src/vim+0x4cb0e0)
    #2 0x4cb039  (/home/aldo/vimtes/src/vim+0x4cb039)
    #3 0xbd3c05  (/home/aldo/vimtes/src/vim+0xbd3c05)
    #4 0xbacb21  (/home/aldo/vimtes/src/vim+0xbacb21)
    #5 0x928db0  (/home/aldo/vimtes/src/vim+0x928db0)
    #6 0x8fa54d  (/home/aldo/vimtes/src/vim+0x8fa54d)
    #7 0x6fba0d  (/home/aldo/vimtes/src/vim+0x6fba0d)
    #8 0x6fb613  (/home/aldo/vimtes/src/vim+0x6fb613)
    #9 0x6fb373  (/home/aldo/vimtes/src/vim+0x6fb373)
    #10 0x6d6a92  (/home/aldo/vimtes/src/vim+0x6d6a92)
    #11 0x6ca7c2  (/home/aldo/vimtes/src/vim+0x6ca7c2)
    #12 0xafe285  (/home/aldo/vimtes/src/vim+0xafe285)
    #13 0xafbcd0  (/home/aldo/vimtes/src/vim+0xafbcd0)
    #14 0xafb809  (/home/aldo/vimtes/src/vim+0xafb809)
    #15 0xafb2ed  (/home/aldo/vimtes/src/vim+0xafb2ed)
    #16 0x6d6a92  (/home/aldo/vimtes/src/vim+0x6d6a92)
    #17 0x6ca7c2  (/home/aldo/vimtes/src/vim+0x6ca7c2)
    #18 0x6cda50  (/home/aldo/vimtes/src/vim+0x6cda50)
    #19 0xed9214  (/home/aldo/vimtes/src/vim+0xed9214)
    #20 0xed6f49  (/home/aldo/vimtes/src/vim+0xed6f49)
    #21 0xed0830  (/home/aldo/vimtes/src/vim+0xed0830)
    #22 0x7ffff78240b2  (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x485f0c)
Shadow bytes around the buggy address:
  0x0c047fff8db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8dc0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 01 fa
  0x0c047fff8dd0: fa fa 00 00 fa fa 01 fa fa fa 02 fa fa fa 05 fa
  0x0c047fff8de0: fa fa fd fa fa fa 00 06 fa fa 00 07 fa fa fd fa
  0x0c047fff8df0: fa fa fd fd fa fa fd fa fa fa 01 fa fa fa 02 fa
=>0x0c047fff8e00: fa fa fd fa fa fa[02]fa fa fa 02 fa fa fa 05 fa
  0x0c047fff8e10: fa fa 04 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2676390==ABORTING
Aborted

Valgrind output on a vim build without ASan:

==2678356== Memcheck, a memory error detector
==2678356== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2678356== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==2678356== Command: ./vim -u NONE -X -Z -e -s -S poc_vim_strncpy_min -c :qa! output/
==2678356==
==2678356== Conditional jump or move depends on uninitialised value(s)
==2678356==    at 0x5B8652: find_word (spell.c:476)
==2678356==    by 0x5B7C78: spell_check (spell.c:282)
==2678356==    by 0x5B9D25: spell_move_to (spell.c:1363)
==2678356==    by 0x5CB5A4: spell_suggest (spellsuggest.c:515)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==
==2678356== Conditional jump or move depends on uninitialised value(s)
==2678356==    at 0x5B867E: find_word (spell.c:490)
==2678356==    by 0x5B7C78: spell_check (spell.c:282)
==2678356==    by 0x5B9D25: spell_move_to (spell.c:1363)
==2678356==    by 0x5CB5A4: spell_suggest (spellsuggest.c:515)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==
==2678356== Conditional jump or move depends on uninitialised value(s)
==2678356==    at 0x5B86BA: find_word (spell.c:495)
==2678356==    by 0x5B7C78: spell_check (spell.c:282)
==2678356==    by 0x5B9D25: spell_move_to (spell.c:1363)
==2678356==    by 0x5CB5A4: spell_suggest (spellsuggest.c:515)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==
==2678356== Conditional jump or move depends on uninitialised value(s)
==2678356==    at 0x5B8925: find_word (spell.c:591)
==2678356==    by 0x5B7C78: spell_check (spell.c:282)
==2678356==    by 0x5B9D25: spell_move_to (spell.c:1363)
==2678356==    by 0x5CB5A4: spell_suggest (spellsuggest.c:515)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==
==2678356== Conditional jump or move depends on uninitialised value(s)
==2678356==    at 0x5B8652: find_word (spell.c:476)
==2678356==    by 0x5B7C78: spell_check (spell.c:282)
==2678356==    by 0x5CBD27: spell_find_suggest (spellsuggest.c:796)
==2678356==    by 0x5CB74B: spell_suggest (spellsuggest.c:554)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==
==2678356== Conditional jump or move depends on uninitialised value(s)
==2678356==    at 0x5B867E: find_word (spell.c:490)
==2678356==    by 0x5B7C78: spell_check (spell.c:282)
==2678356==    by 0x5CBD27: spell_find_suggest (spellsuggest.c:796)
==2678356==    by 0x5CB74B: spell_suggest (spellsuggest.c:554)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==
==2678356== Conditional jump or move depends on uninitialised value(s)
==2678356==    at 0x5B86BA: find_word (spell.c:495)
==2678356==    by 0x5B7C78: spell_check (spell.c:282)
==2678356==    by 0x5CBD27: spell_find_suggest (spellsuggest.c:796)
==2678356==    by 0x5CB74B: spell_suggest (spellsuggest.c:554)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==
==2678356== Conditional jump or move depends on uninitialised value(s)
==2678356==    at 0x5B8925: find_word (spell.c:591)
==2678356==    by 0x5B7C78: spell_check (spell.c:282)
==2678356==    by 0x5CBD27: spell_find_suggest (spellsuggest.c:796)
==2678356==    by 0x5CB74B: spell_suggest (spellsuggest.c:554)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==
==2678356== Conditional jump or move depends on uninitialised value(s)
==2678356==    at 0x5CF62E: suggest_trie_walk (spellsuggest.c:1433)
==2678356==    by 0x5CC469: suggest_try_change (spellsuggest.c:1212)
==2678356==    by 0x5CC469: spell_suggest_intern (spellsuggest.c:1008)
==2678356==    by 0x5CC469: spell_find_suggest (spellsuggest.c:883)
==2678356==    by 0x5CB74B: spell_suggest (spellsuggest.c:554)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x6795DC: exe_commands (main.c:3108)
==2678356==    by 0x6795DC: vim_main2 (main.c:780)
==2678356==
==2678356== Conditional jump or move depends on uninitialised value(s)
==2678356==    at 0x5CE30F: suggest_trie_walk (spellsuggest.c:1892)
==2678356==    by 0x5CC469: suggest_try_change (spellsuggest.c:1212)
==2678356==    by 0x5CC469: spell_suggest_intern (spellsuggest.c:1008)
==2678356==    by 0x5CC469: spell_find_suggest (spellsuggest.c:883)
==2678356==    by 0x5CB74B: spell_suggest (spellsuggest.c:554)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x6795DC: exe_commands (main.c:3108)
==2678356==    by 0x6795DC: vim_main2 (main.c:780)
==2678356==
==2678356== Invalid read of size 1
==2678356==    at 0x483F269: strncpy (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2678356==    by 0x5D357E: strncpy (string_fortified.h:106)
==2678356==    by 0x5D357E: vim_strncpy (strings.c:505)
==2678356==    by 0x5CDE42: check_suggestions (spellsuggest.c:3653)
==2678356==    by 0x5CC981: spell_suggest_intern (spellsuggest.c:1068)
==2678356==    by 0x5CC981: spell_find_suggest (spellsuggest.c:883)
==2678356==    by 0x5CB74B: spell_suggest (spellsuggest.c:554)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==  Address 0x5159872 is 0 bytes after a block of size 2 alloc'd
==2678356==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2678356==    by 0x406567: lalloc (alloc.c:246)
==2678356==    by 0x5D2C1B: vim_strsave (strings.c:27)
==2678356==    by 0x5CB700: spell_suggest (spellsuggest.c:544)
==2678356==    by 0x500C8F: nv_zet (normal.c:2998)
==2678356==    by 0x4F8E73: normal_cmd (normal.c:930)
==2678356==    by 0x47E82C: exec_normal (ex_docmd.c:0)
==2678356==    by 0x47E6F1: exec_normal_cmd (ex_docmd.c:8720)
==2678356==    by 0x47E6F1: ex_normal (ex_docmd.c:8638)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==    by 0x5A5144: do_source_ext (scriptfile.c:1674)
==2678356==    by 0x5A47E6: do_source (scriptfile.c:1801)
==2678356==    by 0x5A47E6: cmd_source (scriptfile.c:1174)
==2678356==    by 0x477523: do_one_cmd (ex_docmd.c:2567)
==2678356==    by 0x477523: do_cmdline (ex_docmd.c:992)
==2678356==
==2678356==
==2678356== HEAP SUMMARY:
==2678356==     in use at exit: 140,324,083 bytes in 398 blocks
==2678356==   total heap usage: 1,309 allocs, 911 frees, 280,939,794 bytes allocated
==2678356==
==2678356== LEAK SUMMARY:
==2678356==    definitely lost: 0 bytes in 0 blocks
==2678356==    indirectly lost: 0 bytes in 0 blocks
==2678356==      possibly lost: 0 bytes in 0 blocks
==2678356==    still reachable: 140,324,083 bytes in 398 blocks
==2678356==         suppressed: 0 bytes in 0 blocks
==2678356== Reachable blocks (those to which a pointer was found) are not shown.
==2678356== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==2678356==
==2678356== Use --track-origins=yes to see where uninitialised values come from
==2678356== For lists of detected and suppressed errors, rerun with: -s
==2678356== ERROR SUMMARY: 11 errors from 11 contexts (suppressed: 0 from 0)
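The Valgrind trace locates the invalid read at "0 bytes after a block of size 2": the source pointer handed to the bounded copy (vim_strncpy, i.e. strncpy plus a terminator) already sat at the end of a two-byte heap block, so the copy's very first read was out of bounds. A strncpy-style helper bounds how much it writes, not how far it reads, so the check has to happen before the pointer is formed. The following is an added example, not vim's code and not its fix: a hypothetical copy_from_offset() that takes the source length as an explicit argument and refuses an offset outside it, exercised on constructed data shaped like the block in the trace (demo_checks, scratch and the sample strings are all made up for illustration).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical bounded copy (constructed for this example, not vim's
 * vim_strncpy).  strncpy()-style helpers bound the WRITE into dst, but
 * they still READ src until a NUL or n bytes; if src + offset already
 * lies past the valid bytes, the first read is out of bounds, which is
 * what the trace above reports ("0 bytes after a block of size 2").
 * Here the caller must pass the source length, and an offset outside
 * [0, src_len] is refused instead of dereferenced.
 *
 * Returns the number of bytes copied (dst is always NUL-terminated on
 * success), or -1 when the offset is out of range or dst_cap is 0.
 */
static long copy_from_offset(char *dst, size_t dst_cap,
                             const char *src, size_t src_len,
                             size_t offset, size_t n)
{
    if (dst_cap == 0 || offset > src_len)
        return -1;                        /* offset == src_len yields "" */
    size_t avail = src_len - offset;      /* bytes that actually exist */
    if (n > avail)
        n = avail;
    if (n > dst_cap - 1)
        n = dst_cap - 1;                  /* leave room for the terminator */
    memcpy(dst, src + offset, n);         /* never touches src + src_len or beyond */
    dst[n] = '\0';
    return (long)n;
}

/* Scratch destination so the cases below can be checked by return value. */
static char scratch[16];

/*
 * Replays the shape of the reported bug with constructed data: a 2-byte
 * heap block holding "a" plus its NUL, and an offset of 2 that points at
 * the byte right after it.  Returns how many of the four checks held.
 */
static int demo_checks(void)
{
    int ok = 0;
    char *word = malloc(2);               /* constructed: like the size-2 block in the trace */
    if (word == NULL)
        return 0;
    memcpy(word, "a", 2);
    size_t word_len = strlen(word);       /* 1 valid byte */

    /* offset past the end: refused rather than read */
    if (copy_from_offset(scratch, sizeof scratch, word, word_len, 2, 8) == -1)
        ok++;
    /* offset at the terminator: legal, copies the empty string */
    if (copy_from_offset(scratch, sizeof scratch, word, word_len, 1, 8) == 0
            && scratch[0] == '\0')
        ok++;
    /* ordinary in-range copy */
    if (copy_from_offset(scratch, sizeof scratch, word, word_len, 0, 8) == 1
            && strcmp(scratch, "a") == 0)
        ok++;
    /* destination capacity still bounds the write */
    if (copy_from_offset(scratch, 2, "hello", 5, 0, 5) == 1
            && strcmp(scratch, "h") == 0)
        ok++;

    free(word);
    return ok;
}

int main(void)
{
    int ok = demo_checks();
    printf("%d of 4 checks held\n", ok);
    return ok == 4 ? 0 : 1;
}
```

The design point is that the length of the source string travels with the pointer, so a caller that derives an offset from some other bookkeeping (a word length recorded elsewhere, as the spell-suggest code path in the traces does) cannot silently hand the copy routine an address beyond the allocation; the mismatch surfaces as an error return that a sanitizer or fuzzer would otherwise have to catch as a heap over-read.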

Impact

This vulnerability is capable of crashing software, bypassing protection mechanisms, modifying memory, and possibly allowing remote execution.

Related news

Gentoo Linux Security Advisory 202305-16

Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

CVE-2022-26730: About the security content of macOS Ventura 13

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.

Ubuntu Security Notice USN-5613-1

Ubuntu Security Notice 5613-1 - It was discovered that Vim was not properly performing bounds checks when executing spell suggestion commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim was using freed memory when dealing with regular expressions through its old regular expression engine. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution.

RHSA-2022:6526: Red Hat Security Advisory: OpenShift Virtualization 4.11.0 Images security and bug fix update

Red Hat OpenShift Virtualization release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close fd 0 on ForkExec error * CVE-2022-1798: kubeVirt: Arbitrary file read on t...

Gentoo Linux Security Advisory 202208-32

Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.

Red Hat Security Advisory 2022-5069-01

Red Hat Security Advisory 2022-5069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include code execution, cross site scripting, denial of service, information leakage, and traversal vulnerabilities.

Red Hat Security Advisory 2022-5070-01

Red Hat Security Advisory 2022-5070-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include denial of service, out of bounds read, and traversal vulnerabilities.

RHSA-2022:5069: Red Hat Security Advisory: OpenShift Container Platform 4.11.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2021-23648: sanitize-url: XSS * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-44906:...

Red Hat Security Advisory 2022-5909-01

Red Hat Security Advisory 2022-5909-01 - Openshift Logging Bug Fix Release. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-5908-01

Red Hat Security Advisory 2022-5908-01 - Openshift Logging Bug Fix Release. Issues addressed include denial of service and out of bounds read vulnerabilities.

RHSA-2022:5909: Red Hat Security Advisory: Openshift Logging Bug Fix and security update Release (5.2.13)

Openshift Logging Bug Fix Release (5.2.13) Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS

RHSA-2022:5908: Red Hat Security Advisory: Openshift Logging Bug Fix and security update Release (5.3.10)

Openshift Logging Bug Fix Release (5.3.10) Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS

RHSA-2022:5840: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.3 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.3 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1365: cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-29526: golang: syscall: faccessat checks wrong group

Red Hat Security Advisory 2022-5531-01

Red Hat Security Advisory 2022-5531-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.1 General Availability release images, which fix security issues and bugs.

Red Hat Security Advisory 2022-5556-01

Red Hat Security Advisory 2022-5556-01 - Logging Subsystem 5.4.3 has security updates. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-5704-01

Red Hat Security Advisory 2022-5704-01 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a privilege escalation vulnerability.

RHSA-2022:5704: Red Hat Security Advisory: ACS 3.71 enhancement and security update

Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes bug fixes and feature improvements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29173: go-tuf: No protection against rollback attacks for roles other than root

Red Hat Security Advisory 2022-5673-01

Red Hat Security Advisory 2022-5673-01 - Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview. Issues addressed include a code execution vulnerability.

RHSA-2022:5673: Red Hat Security Advisory: Release of containers for OSP 16.2.z director operator tech preview

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-41103: containerd: insufficiently restricted permissions on container root and plugin directories * CVE-2021-43565: golang.org/x/crypto: empty plaintext packet causes panic * CVE-2022-26945: go-getter: command injection vulnerability * CVE-2022-30321: go-getter: unsafe download (issue 1 of 3) * CVE-2022-30322: go-getter: unsafe download (issue 2 of 3) * CVE-2022-30323: go-getter: unsafe download (issue 3 of 3)

RHSA-2022:5556: Red Hat Security Advisory: Logging Subsystem 5.4.3 - Red Hat OpenShift security update

Logging Subsystem 5.4.3 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS

RHSA-2022:5531: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5.1 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.1 General Availability release images, which fix security issues and bugs. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24450: nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account

Red Hat Security Advisory 2022-5242-01

Red Hat Security Advisory 2022-5242-01 - Vim is an updated and improved version of the vi editor. Issues addressed include buffer over-read, buffer overflow, and use-after-free vulnerabilities.

RHSA-2022:5242: Red Hat Security Advisory: vim security update

An update for vim is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0554: vim: Use of Out-of-range Pointer Offset in vim * CVE-2022-0943: vim: Heap-based Buffer Overflow occurs in vim * CVE-2022-1154: vim: use after free in utf_ptr2char * CVE-2022-1420: vim: Out-of-range Pointer Offset * CVE-2022-1621: vim: heap buffer overflow * CVE-2022-1629: vim: buffer over-read

RHSA-2022:5319: Red Hat Security Advisory: vim security update

An update for vim is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1621: vim: heap buffer overflow * CVE-2022-1629: vim: buffer over-read

Ubuntu Security Notice USN-5460-1

Ubuntu Security Notice 5460-1 - It was discovered that Vim was incorrectly processing Vim buffers. An attacker could possibly use this issue to perform illegal memory access and expose sensitive information. It was discovered that Vim was not properly performing bounds checks for column numbers when replacing tabs with spaces or spaces with tabs, which could cause a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

CVE-2022-1621

Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2. This vulnerability is capable of crashing software, bypassing protection mechanisms, modifying memory, and possibly allowing remote execution.
