Bug 29891

Summary: vim new security issues CVE-2022-01[25]8, CVE-2022-0156, CVE-2022-0213
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs, thierry.vignaud
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: vim-8.2.4006-1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2022-01-15 00:57:23 CET
Fedora has issued an advisory today (January 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HD5S2FC2HF22A7XQXK2XXIR46EARVWIM/

The issues are fixed upstream in 8.2.4049.

David Walser 2022-01-15 00:57:38 CET

Status comment: (none) => Fixed upstream in 8.2.4049

Comment 1 David Walser 2022-01-15 00:59:18 CET
CVE-2021-46059 is already fixed in Bug 29856.

Summary: vim new security issues CVE-2021-46059, CVE-2022-0158, CVE-2022-0156 => vim new security issues CVE-2022-0158 and CVE-2022-0156

Comment 2 David Walser 2022-01-15 16:56:39 CET
Two more CVEs fixed upstream...

CVE-2022-0213 	vim is vulnerable to Heap-based Buffer Overflow
8.2.4074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0213

CVE-2022-0128 	vim is vulnerable to Out-of-bounds Read
8.2.4009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0128

Status comment: Fixed upstream in 8.2.4049 => Fixed upstream in 8.2.4074
Summary: vim new security issues CVE-2022-0158 and CVE-2022-0156 => vim new security issues CVE-2022-01[25]8, CVE-2022-0156, CVE-2022-0213

Comment 3 Lewis Smith 2022-01-15 20:51:29 CET
This security update is clearly for Thierry.

Assignee: bugsquad => thierry.vignaud

Comment 4 Nicolas Lécureuil 2022-01-16 20:28:49 CET
updated to 4114

src:
    - vim-8.2.4114-1.mga8

Status comment: Fixed upstream in 8.2.4074 => (none)
CC: (none) => mageia, thierry.vignaud
Assignee: thierry.vignaud => qa-bugs

Comment 5 David Walser 2022-01-16 22:02:34 CET
vim-X11-8.2.4114-1.mga8
vim-enhanced-8.2.4114-1.mga8
vim-minimal-8.2.4114-1.mga8
vim-common-8.2.4114-1.mga8

from vim-8.2.4114-1.mga8.src.rpm

Comment 6 Herman Viaene 2022-01-18 14:55:36 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Used vimx to edit some text file using commands i, a, dd, x, wq: works OK

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2022-01-18 17:44:40 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-01-18 19:09:10 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-01-18 20:30:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0023.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 9 David Walser 2023-07-05 22:56:51 CEST
This update also fixed CVE-2022-0158:
https://ubuntu.com/security/notices/USN-6195-1