Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-6154-1

Ubuntu Security Notice 6154-1 - It was discovered that Vim was using uninitialized memory when fuzzy matching, which could lead to invalid memory access. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10 and Ubuntu 23.04. It was discovered that Vim was not properly performing bounds checks when processing register contents, which could lead to a NULL pointer dereference. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

Packet Storm
#vulnerability#ubuntu#dos#perl

==========================================================================
Ubuntu Security Notice USN-6154-1
June 12, 2023

vim vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 23.04
  • Ubuntu 22.10
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS (Available with Ubuntu Pro)
  • Ubuntu 16.04 LTS (Available with Ubuntu Pro)
  • Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Vim.

Software Description:

  • vim: Vi IMproved - enhanced vi editor

Details:

It was discovered that Vim was using uninitialized memory when fuzzy
matching, which could lead to invalid memory access. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10 and Ubuntu
23.04. (CVE-2023-2426)

It was discovered that Vim was not properly performing bounds checks when
processing register contents, which could lead to a NULL pointer
dereference. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. (CVE-2023-2609)

It was discovered that Vim was not properly limiting the length of
substitution expression strings, which could lead to excessive memory
consumption. An attacker could possibly use this issue to cause a denial
of service. (CVE-2023-2610)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
vim 2:9.0.1000-4ubuntu3.1
vim-tiny 2:9.0.1000-4ubuntu3.1

Ubuntu 22.10:
vim 2:9.0.0242-1ubuntu1.4
vim-tiny 2:9.0.0242-1ubuntu1.4

Ubuntu 22.04 LTS:
vim 2:8.2.3995-1ubuntu2.8
vim-tiny 2:8.2.3995-1ubuntu2.8

Ubuntu 20.04 LTS:
vim 2:8.1.2269-1ubuntu5.15
vim-tiny 2:8.1.2269-1ubuntu5.15

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
vim 2:8.0.1453-1ubuntu1.13+esm1
vim-tiny 2:8.0.1453-1ubuntu1.13+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
vim 2:7.4.1689-3ubuntu1.5+esm18
vim-tiny 2:7.4.1689-3ubuntu1.5+esm18

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
vim 2:7.4.052-1ubuntu3.1+esm10
vim-tiny 2:7.4.052-1ubuntu3.1+esm10

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6154-1
CVE-2023-2426, CVE-2023-2609, CVE-2023-2610

Package Information:
https://launchpad.net/ubuntu/+source/vim/2:9.0.1000-4ubuntu3.1
https://launchpad.net/ubuntu/+source/vim/2:9.0.0242-1ubuntu1.4
https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.8
https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.15

Related news

CVE-2023-2610: patch 9.0.1532: crash when expanding "~" in substitute causes very lo… · vim/vim@ab9a2d8

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.

CVE-2023-2609: patch 9.0.1531: crash when register contents ends up being invalid · vim/vim@d1ae836

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.

CVE-2023-2426

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.

Packet Storm: Latest News

ABB Cylon Aspect 3.08.01 vstatConfigurationDownload.php Configuration Download