Bug 32428

Summary: vim new security issues CVE-2023-5535 and CVE-2023-5441
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO MGA9-64-OK MGA8-32-OK
Source RPM: vim-9.0.1882-1.mga9.src.rpm CVE:
Status comment:

Description Nicolas Salguero 2023-10-23 16:10:03 CEST 
Fedora has issued an advisory today (October 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3/

The issues are fixed upstream in 9.0.2010.

Mageia 8 and 9 are also affected.
Comment 1 Nicolas Salguero 2023-10-23 16:24:56 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960. (CVE-2023-5441)

Use After Free in GitHub repository vim/vim prior to v9.0.2010. (CVE-2023-5535)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5441
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5535
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3/
========================

Updated packages in {8|9}/core/updates_testing:
========================
vim-X11-9.0.2059-1.mga{8|9}
vim-common-9.0.2059-1.mga{8|9}
vim-enhanced-9.0.2059-1.mga{8|9}
vim-minimal-9.0.2059-1.mga{8|9}

from SRPM:
vim-9.0.2059-1.mga{8|9}.src.rpm

Assignee: bugsquad => qa-bugs
Source RPM: (none) => vim-9.0.1882-1.mga9.src.rpm
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Version: Cauldron => 9
Status: NEW => ASSIGNED

Comment 2 Marja Van Waes 2023-10-23 17:09:58 CEST 
Advisory from comment 1 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory
CC: (none) => marja11

Comment 3 Herman Viaene 2023-10-25 15:48:11 CEST 
MGA9-64 Xfce on Acer Aspire 5253
No installation issues.
Opened a .txt file with vim, exercised the a, i, x , dd and w commands. Exited with q command and used pluma to check the changes. All works OK.

Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 katnatek 2023-10-26 03:23:22 CEST 
Tested on Mageia 8 i586, nothing weird

Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA9-64-OK MGA8-32-OK

Comment 5 Thomas Andrews 2023-10-26 18:46:48 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2023-10-27 23:51:46 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0305.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED