Bug 31422 - vim new security issue CVE-2023-0049
Summary: vim new security issue CVE-2023-0049
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-01-17 23:33 CET by David Walser
Modified: 2023-02-01 18:24 CET

See Also:
Source RPM: vim-9.0.1054-1.mga9.src.rpm
CVE: CVE-2023-0049
Status comment:


Description David Walser 2023-01-17 23:33:45 CET
Fedora has issued an advisory on January 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3Y752EAVACVC5XY2TMGGOAIU25VQRPDW/

The issue is fixed upstream in 9.0.1143.

Mageia 8 is also affected.
David Walser 2023-01-17 23:34:02 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 9.0.1143

Comment 1 Lewis Smith 2023-01-18 21:08:00 CET
This is unambiguously for tv.

Assignee: bugsquad => thierry.vignaud

Comment 2 Nicolas Salguero 2023-01-23 15:12:16 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143. (CVE-2023-0049)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0049
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3Y752EAVACVC5XY2TMGGOAIU25VQRPDW/
========================

Updated packages in core/updates_testing:
========================
vim-common-9.0.1221-1.mga8
vim-enhanced-9.0.1221-1.mga8
vim-minimal-9.0.1221-1.mga8
vim-X11-9.0.1221-1.mga8

from SRPM:
vim-9.0.1221-1.mga8.src.rpm

Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 9.0.1143 => (none)
CVE: (none) => CVE-2023-0049

Comment 3 Len Lawrence 2023-01-23 20:47:06 CET
mga8, x64

Clean update.  Picked a random text document and tried out command mode and insertion mode:

$ vim output
.....
:version
VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jan 23 2023 14:07:43)
Included patches: 1-1221
Compiled by ns80 <ns80>
Huge version without GUI.  Features included (+) or not (-):
+acl               +file_in_path      +mouse_urxvt       -tag_any_white
+arabic            +find_in_path      +mouse_xterm       +tcl
+autocmd           +float             +multi_byte        +termguicolors
[...]
vim-9.0 vim-9 version-9.0 version9.0
Welcome to Vim 9!  Several years have passed since the previous release.
......
<crashed out

$ vim output
E325: ATTENTION
Found a swap file by the name ".output.swp"
          owned by: lcl   dated: Mon Jan 23 18:42:01 2023
         file name: ~lcl/docs/output
          modified: no
         user name: lcl   host name: canopus
        process ID: 1902692 (STILL RUNNING)
.......
Swap file ".output.swp" already exists!
[O]pen Read-Only, (E)dit anyway, (R)ecover, (Q)uit, (A)bort: 

E

%!PS-Adobe-3.0
%%Title: bindoc
%%For: Len Lawrence
%%Creator: a2ps version 4.14
%%CreationDate: Sat Jan 14 15:13:09 2023
--------------------------------------------------------------------------

Used various commands to modify the text:
character deletion       x
line deletion            dd
restore                  p
change to insertion mode i or a or b == immediate, after, before
Esc to return to command mode

/ text   Find text (just like less/more)  Return to continue.
Line numbers and cursor position appear at the bottom of the window.
In command mode v switches on VISUAL which seems to mean highlighting traversed text when moving up or down the file and picking out paired parentheses and braces on the current line.
Tried out ways to quit in successive tests.

Esc :q
E37: No write since last change (add ! to override)
:q!
Works.
Restart, edit a few lines.
Esc :wq

File saved with changes.
Note also that the Postscript code was colour coded. The colour scheme may be universal.  Ruby code is coloured the same way emacs does it.

Just scratching the surface but vim seems to work without regressions.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
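
Comment 3 quotes the `:version` output ("Included patches: 1-1221"). As an added example (not part of the bug report or of Vim itself), the Python below parses that output and checks whether patch 1143 of the 9.0 series, the upstream fix named in the description, is included. `SAMPLE` is constructed from the quoted output and the function names are hypothetical.

```python
import re
import sys

# Fix level taken from the advisory text on this page: "prior to 9.0.1143".
FIXED = (9, 0, 1143)

# Constructed sample, modelled on the :version output quoted in comment 3.
SAMPLE = """\
VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jan 23 2023 14:07:43)
Included patches: 1-1221
Huge version without GUI.  Features included (+) or not (-):
"""


def parse_version(text):
    """Return ((major, minor), [(lo, hi), ...]) from `vim --version` text."""
    banner = re.search(r"Vi IMproved (\d+)\.(\d+)", text)
    if not banner:
        raise ValueError("no Vim version banner found")
    release = (int(banner.group(1)), int(banner.group(2)))
    ranges = []
    line = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    if line:
        # Vim prints ranges and single patches, e.g. "1-1142, 1144-1200".
        for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", line.group(1)):
            ranges.append((int(lo), int(hi or lo)))
    return release, ranges


def has_fix(text, fixed=FIXED):
    """True if the build reports the fixed patch or a later release series.

    Patch numbers restart with each major.minor release, so they are only
    compared within the same series. A distribution may backport a fix
    without raising the patch level, so False means "check the package
    changelog", not proof that the build is vulnerable.
    """
    release, ranges = parse_version(text)
    if release != fixed[:2]:
        return release > fixed[:2]
    return any(lo <= fixed[2] <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Pipe `vim --version` in, or run with no input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("fix included" if has_fix(data) else "fix not reported")
```
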

Comment 4 Dave Hodgins 2023-01-24 03:05:09 CET
Advisory committed to svn. Validating based on comment 3

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2023-01-24 09:00:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0021.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2023-02-01 17:13:24 CET
This update also fixed CVE-2023-0054, CVE-2023-0288:
https://ubuntu.com/security/notices/USN-5836-1
Comment 7 David Walser 2023-02-01 18:16:42 CET
This update also fixed CVE-2023-0051:
https://lists.suse.com/pipermail/sle-security-updates/2023-January/013596.html
Comment 8 David Walser 2023-02-01 18:24:32 CET
(In reply to David Walser from comment #7)
> This update also fixed CVE-2023-0051:
> https://lists.suse.com/pipermail/sle-security-updates/2023-January/013596.html

openSUSE reference:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YTSMWBSYCUOQ5M745FWM6JT2JSX5KYBG/
