| Summary: | vim new security issue CVE-2023-1127, CVE-2023-117[05], and CVE-2023-1264 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | vim-9.0.1314-1.mga9.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2023-03-04 23:05:14 CET

David Walser
2023-03-04 23:05:40 CET
Status comment: (none) => Fixed upstream in 9.0.1367

Vim is tv's baby, so assigning this update to you.
Assignee: bugsquad => thierry.vignaud

SUSE has issued an advisory on March 16:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014068.html

Two new issues are fixed upstream in 9.0.1378.

Mageia 8 is also affected.
Status comment: Fixed upstream in 9.0.1367 => Fixed upstream in 9.0.1378

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Divide By Zero in GitHub repository vim/vim prior to 9.0.1367. (CVE-2023-1127)

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376. (CVE-2023-1170)

Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378. (CVE-2023-1175)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1175
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PDVN5HSWPNVP4QXBPCEGZDLZKURLJWTE/
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014068.html
========================

Updated packages in core/updates_testing:
========================
vim-X11-9.0.1411-1.mga8
vim-common-9.0.1411-1.mga8
vim-enhanced-9.0.1411-1.mga8
vim-minimal-9.0.1411-1.mga8

from SRPM:
vim-9.0.1411-1.mga8.src.rpm
CC: (none) => nicolas.salguero

Note that this is still pending a freeze move in Cauldron.

Mageia 8, x86_64

Updated the packages.

Edited a sample weather report in command and insertion modes. Removed and replaced lines in overwrite. Exercised the search function using command /. Repeated search using / and Return. In insertion mode Esc returns to command mode. The degree symbol ° could be typed in as a key combination, and characters like € could be cut and pasted in insert mode.

Tried editing a list of files, using the :next command in vim. That worked.

$ vim + servercheck
starts up with the cursor positioned at the end of the file.

At this basic level there are no obvious regressions.
Whiteboard: (none) => MGA8-64-OK

This update also fixes CVE-2023-1264:
https://ubuntu.com/security/notices/USN-5963-1

Validating. Advisory in Comment 3, with an additional CVE reference in Comment 6.
Keywords: (none) => validated_update

(In reply to David Walser from comment #6)
> This update also fixes CVE-2023-1264:
> https://ubuntu.com/security/notices/USN-5963-1

Fedora reference for the newer CVEs:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DIAKPMKJ4OZ6NYRZJO7YWMNQL2BICLYV/
Summary: vim new security issue CVE-2023-1127 and CVE-2023-117[05] => vim new security issue CVE-2023-1127, CVE-2023-117[05], and CVE-2023-1264
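The advisory above ties each CVE to the upstream patch level that fixed it (9.0.1367, 9.0.1376, 9.0.1378), and the Mageia 8 packages ship 9.0.1411, so an administrator can tell from the upstream version alone which of these CVEs a given vim still lacks. The script below is an added example written for this page; it is not part of the Mageia bug, the advisory, or the vim project. It embeds the three CVE-to-version pairs quoted above as constructed data (CVE-2023-1264 and CVE-2023-1355 are mentioned later on this page without an upstream patch level, so they are deliberately left out), compares versions numerically rather than as strings, and includes an `installed_vim_version` helper that assumes an RPM-based system with the `vim-common` package name listed above.

```shell
#!/bin/sh
# Added example for this bug page; not Mageia's or vim's own tooling.
# Constructed from the advisory text above: CVE -> first fixed upstream version.
FIXED_IN="CVE-2023-1127 9.0.1367
CVE-2023-1170 9.0.1376
CVE-2023-1175 9.0.1378"

# version_ge A B: succeed when dotted version A is >= B, comparing each
# component as an integer. A plain string comparison would rank 9.0.999
# above 9.0.1367, which is exactly the mistake this avoids.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# missing_cves VERSION: print, one per line, every CVE from the table whose
# fix landed in a release newer than VERSION. Prints nothing when all are fixed.
missing_cves() {
    printf '%s\n' "$FIXED_IN" | while read -r cve fixed; do
        version_ge "$1" "$fixed" || printf '%s\n' "$cve"
    done
}

# installed_vim_version: upstream version of the installed vim-common RPM.
# Assumption: an RPM-based system (Mageia) with the package name used above.
installed_vim_version() {
    rpm -q --qf '%{VERSION}\n' vim-common 2>/dev/null
}

# Typical use on a Mageia 8 host after the update:
#   missing_cves "$(installed_vim_version)"
# Empty output means none of the three CVEs in the table are outstanding.
```

This check is only valid where the packaged version tracks upstream patch levels, as the Mageia packages above do (9.0.1411-1.mga8). Distributions that backport fixes without bumping the upstream version would report false positives here; on those systems compare against the distribution's own advisory (the `%{RELEASE}` tag or the changelog) rather than the upstream version.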
Dave Hodgins
2023-03-24 00:27:01 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0110.html
Resolution: (none) => FIXED

This update also fixed CVE-2023-1355:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6/