Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-2206: Out-of-bound read in function msg_outtrans_attr in vim

Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

CVE
Open in Source
#linux#git

Description

Out-of-bound read in function msg_outtrans_attr at message.c:1551

Version

commit 8eba2bd291b347e3008aa9e565652d51ad638cfa (HEAD -> master, tag: v8.2.5151)

Proof of Concept

./vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S poc_vim01 -c :qa!
=================================================================
==21232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000981 at pc 0x7faf43c4f66e bp 0x7ffd3a3d8b10 sp 0x7ffd3a3d82b8
READ of size 620 at 0x619000000981 thread T0
    #0 0x7faf43c4f66d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
    #1 0x562f077dacc5 in msg_outtrans_attr /home/guest/trung/vim/src/message.c:1551
    #2 0x562f077d4777 in msg_attr_keep /home/guest/trung/vim/src/message.c:176
    #3 0x562f077d4550 in msg_attr /home/guest/trung/vim/src/message.c:123
    #4 0x562f077d7aec in msg_trunc_attr /home/guest/trung/vim/src/message.c:933
    #5 0x562f072d8239 in process_next_cpt_value /home/guest/trung/vim/src/insexpand.c:3271
    #6 0x562f072daed2 in ins_compl_get_exp /home/guest/trung/vim/src/insexpand.c:3743
    #7 0x562f072dbba5 in find_next_completion_match /home/guest/trung/vim/src/insexpand.c:3992
    #8 0x562f072dbf6e in ins_compl_next /home/guest/trung/vim/src/insexpand.c:4093
    #9 0x562f072df01d in ins_complete /home/guest/trung/vim/src/insexpand.c:4944
    #10 0x562f0713b591 in edit /home/guest/trung/vim/src/edit.c:1281
    #11 0x562f073ac613 in invoke_edit /home/guest/trung/vim/src/normal.c:7035
    #12 0x562f073a7135 in n_opencmd /home/guest/trung/vim/src/normal.c:6279
    #13 0x562f073aeb89 in nv_open /home/guest/trung/vim/src/normal.c:7416
    #14 0x562f073843de in normal_cmd /home/guest/trung/vim/src/normal.c:939
    #15 0x562f0720b759 in exec_normal /home/guest/trung/vim/src/ex_docmd.c:8812
    #16 0x562f0720b535 in exec_normal_cmd /home/guest/trung/vim/src/ex_docmd.c:8775
    #17 0x562f0720add6 in ex_normal /home/guest/trung/vim/src/ex_docmd.c:8693
    #18 0x562f071e76d6 in do_one_cmd /home/guest/trung/vim/src/ex_docmd.c:2570
    #19 0x562f071dea5c in do_cmdline /home/guest/trung/vim/src/ex_docmd.c:992
    #20 0x562f074ff9cb in do_source_ext /home/guest/trung/vim/src/scriptfile.c:1674
    #21 0x562f07500b0d in do_source /home/guest/trung/vim/src/scriptfile.c:1801
    #22 0x562f074fd646 in cmd_source /home/guest/trung/vim/src/scriptfile.c:1174
    #23 0x562f074fd6a7 in ex_source /home/guest/trung/vim/src/scriptfile.c:1200
    #24 0x562f071e76d6 in do_one_cmd /home/guest/trung/vim/src/ex_docmd.c:2570
    #25 0x562f071dea5c in do_cmdline /home/guest/trung/vim/src/ex_docmd.c:992
    #26 0x562f071dce5b in do_cmdline_cmd /home/guest/trung/vim/src/ex_docmd.c:586
    #27 0x562f077cda63 in exe_commands /home/guest/trung/vim/src/main.c:3133
    #28 0x562f077c6c58 in vim_main2 /home/guest/trung/vim/src/main.c:780
    #29 0x562f077c6514 in main /home/guest/trung/vim/src/main.c:432
    #30 0x7faf42e5ac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #31 0x562f07068a99 in _start (/home/guest/trung/vim/src/vim+0x137a99)

0x619000000981 is located 0 bytes to the right of 1025-byte region [0x619000000580,0x619000000981)
allocated by thread T0 here:
    #0 0x7faf43cdcb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x562f07068edf in lalloc /home/guest/trung/vim/src/alloc.c:246
    #2 0x562f07068ce4 in alloc /home/guest/trung/vim/src/alloc.c:151
    #3 0x562f077c6e7c in common_init /home/guest/trung/vim/src/main.c:914
    #4 0x562f077c6222 in main /home/guest/trung/vim/src/main.c:185
    #5 0x7faf42e5ac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
Shadow bytes around the buggy address:
  0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21232==ABORTING

Attachment

poc_vim01

Impact

This may result in corruption of sensitive information, a crash, or code execution among other things.

Related news

Gentoo Linux Security Advisory 202305-16

Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.

Ubuntu Security Notice USN-5995-1

Ubuntu Security Notice 5995-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

CVE-2022-46756: DSA-2022-335: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Gentoo Linux Security Advisory 202208-32

Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE