| Summary: | vim new security issue fixed upstream in 9.0.1440 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | vim-9.0.1411-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2023-04-06 01:24:55 CEST
David Walser
2023-04-06 01:25:04 CEST
Whiteboard: (none) => MGA8TOO

Suggested advisory:
========================

The updated packages fix a security vulnerability:

"rvim" can execute a shell through :diffpatch.

References:
https://github.com/vim/vim/commit/23a971da506249fc8388f06cd5c011b83406ac5c
========================

Updated packages in core/updates_testing:
========================
vim-X11-9.0.1441-1.mga8
vim-common-9.0.1441-1.mga8
vim-enhanced-9.0.1441-1.mga8
vim-minimal-9.0.1441-1.mga8

from SRPM:
vim-9.0.1441-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)

Mageia8, x86_64

Sidestepped the business of executing a shell via :diffpatch. Not my territory. The point about rvim is that it involves usage restrictions like not being able to start a shell.

Updated the packages and tested vim much as in bug 31637 and found no regressions.

vim opens a file with the cursor positioned at the last position it occupied if previously edited with vim.

`vim -r` lists all swap files in current directory and various tmp directories. A previous session may be recovered using
$ vim -r <filename>
e.g.
$ vim -r kernel
Using swap file ".kernel.swp"
Original file "~/text/kernel"
Recovery completed. Buffer contents equals file contents.
You may want to delete the .swp file now.
Press ENTER or type command to continue
--------------------
That worked but the .kernel.swp file in the current directory had not changed, so the swap file must be removed before closing the current edit.

$ ex <file>
works. A search with the / command returns the first match and 'visual' switches to normal mode. Useful perhaps for checking contents of files without revealing everything.

$ vimdiff kernel kernel.106
2 files to edit
This showed the differences between two files side by side (up to 8 is possible). `vim -d files...` is the same thing.

$ gvim <file>
displays the file in a gui panel which responds to the mouse for positioning.

evim does not seem to be available (easy mode) but `vim -y` does the same thing but does not seem to be very useful because there is no way apparent to exit.

No regressions as far as can be seen.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in comment 1.

Keywords: (none) => validated_update
Dave Hodgins
2023-04-11 00:58:13 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0137.html

Resolution: (none) => FIXED
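
A way to confirm on an installed build that the upstream fix named in the summary is present, as an added example that is not part of the bug report or of Vim's own code: it parses `vim --version` text and reports whether patch 9.0.1440 is included. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): read `vim --version` text on stdin
# and report whether patch 9.0.1440 is included.
# Exit status of has_patch_1440: 0 = included, 1 = not included, 2 = unrecognised input.
has_patch_1440() {
    awk -v want=1440 '
        # Banner, e.g. "VIM - Vi IMproved 9.0 (2022 Jun 28, compiled ...)"
        /^VIM - Vi IMproved [0-9]+\.[0-9]+/ {
            split($5, v, ".")
            major = v[1] + 0; minor = v[2] + 0; seen = 1
        }
        # Patch list, e.g. "Included patches: 1-1000, 1002-1441" (gaps are possible)
        /^Included patches:/ {
            sub(/^Included patches:[ \t]*/, "")
            n = split($0, parts, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                m = split(parts[i], r, "-")
                lo = r[1] + 0
                hi = (m > 1 ? r[2] : r[1]) + 0
                if (want >= lo && want <= hi) found = 1
            }
        }
        END {
            if (!seen) exit 2
            # Assumption: release lines after 9.0 already carry the 9.0 patches.
            if (major > 9 || (major == 9 && minor > 0)) exit 0
            if (major == 9 && minor == 0 && found) exit 0
            exit 1
        }
    '
}

# Print "present", "missing" or "unknown" for the text on stdin.
patch_status() {
    if has_patch_1440; then
        echo present
    else
        case $? in 1) echo missing ;; *) echo unknown ;; esac
    fi
}

# Constructed sample shaped like the pre-update build (9.0.1411), not captured output.
sample='VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Apr 01 2023 00:00:00)
Included patches: 1-1411'
printf '%s\n' "$sample" | patch_status    # on a real system: vim --version | patch_status
```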