Bug 29972

Summary: vim new security issues CVE-2022-0261, CVE-2022-031[89], CVE-2022-035[189],CVE-2022-036[18],CVE-2022-039[23],CVE-2022-040[78],CVE-2022-041[37],CVE-2022-0443,CVE-2022-0554,CVE-2022-0572,CVE-2022-0629,CVE-2022-0685,CVE-2022-0696,CVE-2022-0714,CVE-2022-0729
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, mageia, sysadmin-bugs, tarazed25, thierry.vignaud
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: vim-8.2.4114-1.mga8.src.rpm CVE: CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[019], CVE-2022-1674, CVE-2022-172[05], CVE-2022-173[35], CVE-2022-1769, CVE-2022-1771
Status comment:

Description David Walser 2022-01-30 19:27:34 CET 
Fedora has issued an advisory today (January 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7JBXG3MU6EZWJGJD6UTHHONHGJBYPQQT/

The issues are fixed upstream in 8.2.4227.
David Walser 2022-01-30 19:27:47 CET

Status comment: (none) => Fixed upstream in 8.2.4227

Comment 1 Lewis Smith 2022-01-30 21:42:51 CET 
We just have version 8.2.4232 in Cauldron, thanks to tv. Assigning the bug to you as the registered & active 'vim' maintainer.

Assignee: bugsquad => thierry.vignaud

Comment 2 David Walser 2022-02-04 16:27:52 CET 
Fedora has issued an advisory today (February 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UCWG5L6CRQWACGVP7CYGESUB3G6QJ3GS/

It adds an additional CVE.

Summary: vim new security issues CVE-2022-0261 and CVE-2022-035[19] => vim new security issues CVE-2022-0261 and CVE-2022-035[189]

Comment 3 David Walser 2022-02-11 21:57:15 CET 
Fedora has issued an advisory today (February 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP/

It fixes several new CVEs.  They are fixed upstream in 8.2.4286.

Status comment: Fixed upstream in 8.2.4227 => Fixed upstream in 8.2.4286
Summary: vim new security issues CVE-2022-0261 and CVE-2022-035[189] => vim new security issues CVE-2022-0261, CVE-2022-035[189], CVE-2022-0393, CVE-2022-0408, CVE-2022-041[37], CVE-2022-0443

Comment 4 David Walser 2022-02-17 19:04:11 CET 
Fedora has issued an advisory today (February 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4GOY5YWTP5QUY2EFLCL7AUWA2CV57C37/

It fixes one new CVE that is fixed upstream in 8.2.4359.

Summary: vim new security issues CVE-2022-0261, CVE-2022-035[189], CVE-2022-0393, CVE-2022-0408, CVE-2022-041[37], CVE-2022-0443 => vim new security issues CVE-2022-0261, CVE-2022-035[189], CVE-2022-0393, CVE-2022-0408, CVE-2022-041[37], CVE-2022-0443, CVE-2022-0572

Comment 5 David Walser 2022-02-23 18:47:46 CET 
Fedora has issued an advisory on February 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UURGABNDL77YR5FRQKTFBYNBDQX2KO7Q/

It fixes one new CVE that is fixed upstream in 8.2.4428.

Summary: vim new security issues CVE-2022-0261, CVE-2022-035[189], CVE-2022-0393, CVE-2022-0408, CVE-2022-041[37], CVE-2022-0443, CVE-2022-0572 => vim new security issues CVE-2022-0261, CVE-2022-035[189], CVE-2022-0393, CVE-2022-0408, CVE-2022-041[37], CVE-2022-0443, CVE-2022-0572, CVE-2022-0629
Status comment: Fixed upstream in 8.2.4286 => Fixed upstream in 8.2.4428

Comment 6 David Walser 2022-02-26 16:49:18 CET 
Fedora has issued advisories on February 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HBUYQBZ6GWAWJRWP7AODJ4KHW5BCKDVP/

They fixes five new CVEs that are fixed upstream in 8.2.4460.

Summary: vim new security issues CVE-2022-0261, CVE-2022-035[189], CVE-2022-0393, CVE-2022-0408, CVE-2022-041[37], CVE-2022-0443, CVE-2022-0572, CVE-2022-0629 => vim new security issues CVE-2022-0261, CVE-2022-035[189], CVE-2022-0393, CVE-2022-0408, CVE-2022-041[37], CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0629, CVE-2022-0685, CVE-2022-0696, CVE-2022-0714, CVE-2022-0729
Status comment: Fixed upstream in 8.2.4428 => Fixed upstream in 8.2.4460

Comment 7 David Walser 2022-03-04 19:42:51 CET 
openSUSE has issued an advisory on March 4:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FDNZ3N5S7UGKPUUKPGOQQGPJJK3YTW37/

It fixes these issues and three others fixed upstream in 8.2.4206.

Summary: vim new security issues CVE-2022-0261, CVE-2022-035[189], CVE-2022-0393, CVE-2022-0408, CVE-2022-041[37], CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0629, CVE-2022-0685, CVE-2022-0696, CVE-2022-0714, CVE-2022-0729 => vim new security issues CVE-2022-0261, CVE-2022-031[89], CVE-2022-035[189],CVE-2022-0361,CVE-2022-0393, CVE-2022-0408, CVE-2022-041[37], CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0629, CVE-2022-0685, CVE-2022-0696, CVE-2022-0714, CVE-2022-0729

Comment 8 David Walser 2022-03-29 15:29:56 CEST 
Fedora has issued an advisory today (March 29):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C3R36VSLO4TRX72SWB6IDJOD24BQXPX2/

It fixes one new CVE that is fixed upstream in 8.2.4563.

The list of CVEs has overflowed from the bug title into the CVEs field.  Can we please update this package?

CVE: (none) => CVE-2022-0943
Status comment: Fixed upstream in 8.2.4460 => Fixed upstream in 8.2.4563

Comment 9 David Walser 2022-04-09 19:31:15 CEST 
Fedora has issued an advisory on April 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C2CQXRLBIC4S7JQVEIN5QXKQPYWB5E3J/

It fixes two new CVEs that are fixed upstream in 8.2.4647.

CVE: CVE-2022-0943 => CVE-2022-0943, CVE-2022-1154, CVE-2022-1160
Status comment: Fixed upstream in 8.2.4563 => Fixed upstream in 8.2.4647

Comment 10 David Walser 2022-04-24 18:17:23 CEST 
Fedora has issued an advisory on April 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X6E457NYOIRWBJHKB7ON44UY5AVTG4HU/

It fixes two new CVEs that are fixed upstream in 8.2.4774.

Status comment: Fixed upstream in 8.2.4647 => Fixed upstream in 8.2.4774
CVE: CVE-2022-0943, CVE-2022-1154, CVE-2022-1160 => CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420

Comment 11 David Walser 2022-05-11 20:20:58 CEST 
Fedora has issued an advisory today (May 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A6BY5P7ERZS7KXSBCGFCOXLMLGWUUJIH/

It fixes three new CVEs that are fixed upstream in 8.2.4901.

Status comment: Fixed upstream in 8.2.4774 => Fixed upstream in 8.2.4901
CVE: CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420 => CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-1620

Comment 12 David Walser 2022-05-17 15:43:50 CEST 
Debian-LTS has issued an advisory on May 16:
https://www.debian.org/lts/security/2022/dla-3011

It fixes one new CVE that is fixed upstream in 8.2.4919:
https://bugzilla.redhat.com/show_bug.cgi?id=2083924

Status comment: Fixed upstream in 8.2.4901 => Fixed upstream in 8.2.4919
CVE: CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-1620 => CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[01]

Comment 13 David Walser 2022-05-18 20:26:59 CEST 
Fedora has issued an advisory today (May 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/

It fixes the issue from Comment 12 and a new one, fixed upstream in 8.2.4925.

Status comment: Fixed upstream in 8.2.4919 => Fixed upstream in 8.2.4925
CVE: CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[01] => CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[019]

Comment 14 David Walser 2022-05-19 19:01:42 CEST 
Fedora has issued an advisory today (May 19):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ODXVYZC5Z4XRRZK7CK6B6IURYVYHA25U/

It fixes one new CVE that is fixed upstream in 8.2.4938.

Status comment: Fixed upstream in 8.2.4925 => Fixed upstream in 8.2.4938
CVE: CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[019] => CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[019], CVE-2022-1674

Comment 15 Nicolas Lécureuil 2022-05-22 07:49:34 CEST 
fixed version pushed into mageia 8:

src:
    - vim-8.2.4975-1.mga8

Assignee: thierry.vignaud => qa-bugs
CC: (none) => mageia, thierry.vignaud

Nicolas Lécureuil 2022-05-22 07:49:40 CEST

Status comment: Fixed upstream in 8.2.4938 => (none)

Comment 16 David Walser 2022-05-22 11:21:56 CEST 
Note that the CVE list is the combination of the bug subject and the CVE field.

vim-X11-8.2.4975-1.mga8
vim-enhanced-8.2.4975-1.mga8
vim-minimal-8.2.4975-1.mga8
vim-common-8.2.4975-1.mga8

from vim-8.2.4975-1.mga8.src.rpm
Comment 17 Len Lawrence 2022-05-23 08:34:28 CEST 
mga8, x64

PoC at https://huntr.dev/bounties/a74ba4a4-7a39-4a22-bde3-d2f8ee07b385/
$ vim -u NONE -X -Z -e -s -S ./poc_n2_s.dat -c :qa!
Segmentation fault (core dumped)

$ cat poc_n2_s.dat
vs00000000000000000000000000
b[0--]\&\zs*\zs*e

Updated the four packages.

$ vim -u NONE -X -Z -e -s -S ./poc_n2_s.dat -c :qa!
$

No regressions noted during various editing operations, as in bug 29586.

Installed nerdtree, an enhancement for vim and modified local .vimrc to start it automatically.
Edited a file to confirm that a split window appears with a tree style display in one pane and the text file in the other.  The tree can be traversed and directories opened.  :q to remove the tree pane.  Leaving it at that.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 18 Thomas Andrews 2022-05-23 14:03:59 CEST 
Wow. More holes than a kitchen strainer. Good to get them plugged.

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 19 David Walser 2022-05-23 20:11:42 CEST 
Fedora has issued an advisory on May 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QKIX5HYKWXWG6QBCPPTPQ53GNOFHSAIS/

It fixes two new security issues, which I've added to the CVE field.  They are also fixed by this update.

CVE: CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[019], CVE-2022-1674 => CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[019], CVE-2022-1674, CVE-2022-1769, CVE-2022-1733

Comment 20 David Walser 2022-05-23 20:17:02 CEST 
(In reply to David Walser from comment #19)
> Fedora has issued an advisory on May 20:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/QKIX5HYKWXWG6QBCPPTPQ53GNOFHSAIS/
> 
> It fixes two new security issues, which I've added to the CVE field.  They
> are also fixed by this update.

Better advisory for that, with bug references:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IUPOLEX5GXC733HL4EFYMHFU7NISJJZG/

8.2.4975 was the version that fixed both issues.
Dave Hodgins 2022-05-25 02:25:12 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 21 Mageia Robot 2022-05-25 20:47:32 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0203.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 22 David Walser 2022-06-02 23:54:30 CEST 
CVE-2022-0368 was also fixed in this update:
https://ubuntu.com/security/notices/USN-5458-1

Summary: , CVE-2022-0729 vim new security issues CVE-2022-0261, CVE-2022-031[89], CVE-2022-035[189],CVE-2022-0361,CVE-2022-0393, CVE-2022-0408, CVE-2022-041[37], CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0629, CVE-2022-0685, CVE-2022-0696, CVE-2022-0714 => , CVE-2022-0729 vim new security issues CVE-2022-0261, CVE-2022-031[89], CVE-2022-035[189],CVE-2022-036[18],CVE-2022-0393,CVE-2022-0408,CVE-2022-041[37],CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0629, CVE-2022-0685, CVE-2022-0696, CVE-2022-0714

Comment 23 David Walser 2022-06-16 23:10:16 CEST 
This update also fixed CVE-2022-0392 CVE-2022-0407 CVE-2022-1735 CVE-2022-1771:
https://lists.suse.com/pipermail/sle-security-updates/2022-June/011301.html
Comment 24 David Walser 2022-06-16 23:14:48 CEST 
(In reply to David Walser from comment #23)
> This update also fixed CVE-2022-0392 CVE-2022-0407 CVE-2022-1735
> CVE-2022-1771:
> https://lists.suse.com/pipermail/sle-security-updates/2022-June/011301.html

also:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/A7IIKQP3UXOLJI2SID6AOU2NSGRK776Z/
Comment 25 David Walser 2022-06-21 23:14:07 CEST 
This update also fixed CVE-2022-1720:
https://www.debian.org/lts/security/2022/dla-3053
David Walser 2022-06-30 19:58:08 CEST

Summary: , CVE-2022-0729 => (none)
CVE: CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[019], CVE-2022-1674, CVE-2022-1769, CVE-2022-1733 => CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[019], CVE-2022-1674, CVE-2022-1720, CVE-2022-173[35], CVE-2022-1769, CVE-2022-1771
Summary: vim new security issues CVE-2022-0261, CVE-2022-031[89], CVE-2022-035[189],CVE-2022-036[18],CVE-2022-0393,CVE-2022-0408,CVE-2022-041[37],CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0629, CVE-2022-0685, CVE-2022-0696, CVE-2022-0714 => vim new security issues CVE-2022-0261, CVE-2022-031[89], CVE-2022-035[189],CVE-2022-036[18],CVE-2022-039[23],CVE-2022-040[78],CVE-2022-041[37],CVE-2022-0443,CVE-2022-0554,CVE-2022-0572,CVE-2022-0629,CVE-2022-0685,CVE-2022-0696,CVE-2022-0714,CVE-2022-0729

Comment 26 David Walser 2022-11-15 14:57:51 CET 
This update also fixed CVE-2022-1725:
https://ubuntu.com/security/notices/USN-5723-1

CVE: CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[019], CVE-2022-1674, CVE-2022-1720, CVE-2022-173[35], CVE-2022-1769, CVE-2022-1771 => CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-161[69], CVE-2022-162[019], CVE-2022-1674, CVE-2022-172[05], CVE-2022-173[35], CVE-2022-1769, CVE-2022-1771