| Summary: | vim new security issues CVE-2022-47024 and CVE-2023-0433 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | vim-9.0.1221-1.mga8.src.rpm | CVE: | CVE-2022-47024, CVE-2023-0433 |
| Status comment: | | | |
Description
David Walser
2023-02-01 17:14:49 CET

David Walser
2023-02-01 17:15:01 CET
Status comment: (none) => Fixed upstream in 9.0.1225

openSUSE has issued an advisory for this on January 30:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YTSMWBSYCUOQ5M745FWM6JT2JSX5KYBG/

Assigning to our registered maintainer.

CC: (none) => marja11

Fedora has issued an advisory today (February 13):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PZWIJBSQX53P7DHV77KRXJIXA4GH7XHC/

It fixes a new issue that is fixed upstream in 9.0.1292.

Mageia 8 is also affected.

Status comment: Fixed upstream in 9.0.1225 => Fixed upstream in 9.0.1292

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts. (CVE-2022-47024)

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225. (CVE-2023-0433)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47024
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0433
https://ubuntu.com/security/notices/USN-5836-1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YTSMWBSYCUOQ5M745FWM6JT2JSX5KYBG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PZWIJBSQX53P7DHV77KRXJIXA4GH7XHC/
========================

Updated packages in core/updates_testing:
========================
vim-X11-9.0.1314-1.mga8
vim-common-9.0.1314-1.mga8
vim-enhanced-9.0.1314-1.mga8
vim-minimal-9.0.1314-1.mga8

from SRPM:
vim-9.0.1314-1.mga8.src.rpm

Version: Cauldron => 8

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Created new txt file by
$ vi pruts.txt
Added, inserted, deleted characters and complete lines, saved and reopened the file several times in between the operations, all well aboard.

CC: (none) => herman.viaene

Midair collision here!
mga8, x64
Updated the packages and put vim through its paces in normal (default) mode using a simple range of commands, switching between modes insertion and command, accessing onboard help, exit without saving changes.... Checked the man pages.
Tried the graphical version using
$ gvim gview
and that worked fine as well, saving current file as gview if no file has been specified. Files can be opened from the menu and edited OK.
$ view
starts vim in readonly mode, which is not particularly useful.
Easy mode is started with
$ vim -y
This starts vim in insert mode, where the user can no longer use Esc to switch modes or anything else. Ctrl-q allows exit with a choice of saving current work or not.
Everything seems to work as before.

CC: (none) => tarazed25

Validating. Advisory in comment 4.

Keywords: (none) => validated_update

Dave Hodgins
2023-03-01 17:45:48 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0075.html

Status: ASSIGNED => RESOLVED

This update also fixed CVE-2023-0512:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014068.html