Ubuntu has issued an advisory today (February 1): https://ubuntu.com/security/notices/USN-5836-1 The issue is fixed upstream in 9.0.1225. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 9.0.1225
Whiteboard: (none) => MGA8TOO
openSUSE has issued an advisory for this on January 30: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YTSMWBSYCUOQ5M745FWM6JT2JSX5KYBG/
Assigning to our registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => thierry.vignaud
Fedora has issued an advisory today (February 13): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PZWIJBSQX53P7DHV77KRXJIXA4GH7XHC/ It fixes a new issue that is fixed upstream in 9.0.1292. Mageia 8 is also affected.
Status comment: Fixed upstream in 9.0.1225 => Fixed upstream in 9.0.1292
Summary: vim new security issue CVE-2023-0433 => vim new security issues CVE-2022-47024 and CVE-2023-0433
Severity: normal => major
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts. (CVE-2022-47024)

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225. (CVE-2023-0433)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47024
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0433
https://ubuntu.com/security/notices/USN-5836-1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YTSMWBSYCUOQ5M745FWM6JT2JSX5KYBG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PZWIJBSQX53P7DHV77KRXJIXA4GH7XHC/
========================

Updated packages in core/updates_testing:
========================
vim-X11-9.0.1314-1.mga8
vim-common-9.0.1314-1.mga8
vim-enhanced-9.0.1314-1.mga8
vim-minimal-9.0.1314-1.mga8

from SRPM:
vim-9.0.1314-1.mga8.src.rpm
Version: Cauldron => 8
Status comment: Fixed upstream in 9.0.1292 => (none)
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-47024, CVE-2023-0433
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Created new txt file by
$ vi pruts.txt
Added, inserted, deleted characters and complete lines, saved and reopened the file several times in between the operations, all well aboard.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Midair collision here!
mga8, x64
Updated the packages and put vim through its paces in normal (default) mode using a simple range of commands, switching between modes insertion and command, accessing onboard help, exit without saving changes....
Checked the man pages.
Tried the graphical version using
$ gvim gview
and that worked fine as well, saving current file as gview if no file has been specified. Files can be opened from the menu and edited OK.
$ view
starts vim in readonly mode, which is not particularly useful.
Easy mode is started with
$ vim -y
starts vim in easy mode, that is insert mode where the user can no longer use Esc to switch modes or anything else. Ctrl-q allows exit with a choice of saving current work or not.
Everything seems to work as before.
CC: (none) => tarazed25
Validating. Advisory in comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0075.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2023-0512: https://lists.suse.com/pipermail/sle-security-updates/2023-March/014068.html