Bug 31490 - vim new security issues CVE-2022-47024 and CVE-2023-0433
Summary: vim new security issues CVE-2022-47024 and CVE-2023-0433
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-02-01 17:14 CET by David Walser
Modified: 2023-03-16 18:00 CET (History)
7 users (show)

See Also:
Source RPM: vim-9.0.1221-1.mga8.src.rpm
CVE: CVE-2022-47024, CVE-2023-0433
Status comment:


Description David Walser 2023-02-01 17:14:49 CET
Ubuntu has issued an advisory today (February 1):

The issue is fixed upstream in 9.0.1225.

Mageia 8 is also affected.
David Walser 2023-02-01 17:15:01 CET

Status comment: (none) => Fixed upstream in 9.0.1225
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-02-01 18:24:59 CET
openSUSE has issued an advisory for this on January 30:
Comment 2 Marja Van Waes 2023-02-04 22:28:16 CET
Assigning to our registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => thierry.vignaud

Comment 3 David Walser 2023-02-13 18:17:56 CET
Fedora has issued an advisory today (February 13):

It fixes a new issue that is fixed upstream in 9.0.1292.

Mageia 8 is also affected.

Status comment: Fixed upstream in 9.0.1225 => Fixed upstream in 9.0.1292
Summary: vim new security issue CVE-2023-0433 => vim new security issues CVE-2022-47024 and CVE-2023-0433
Severity: normal => major

Comment 4 Nicolas Salguero 2023-02-27 15:49:33 CET
Suggested advisory:

The updated packages fix security vulnerabilities:

A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts. (CVE-2022-47024)

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225. (CVE-2023-0433)


Updated packages in core/updates_testing:

from SRPM:

Version: Cauldron => 8
Status comment: Fixed upstream in 9.0.1292 => (none)
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-47024, CVE-2023-0433

Comment 5 Herman Viaene 2023-03-01 10:38:47 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Created new txt file by
$ vi pruts.txt
Added, inserted,deleted characters and complete lines, saved and reopened the file several times in between the operations, all wal aboard.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Len Lawrence 2023-03-01 11:16:14 CET
Midair collision here!

mga8, x64

Updated the packages and put vim through its paces in normal (default) mode using a simple range of commands, switching between modes insertion and command, accessing onboard help, exit without saving changes....

Checked the man pages.
Tried the graphical version using
$ gvim gview
and that worked fine as well, saving current file as gview if no file has been specified.  Files can be opened from the menu and edited OK.

$ view
starts vim in readonly mode, which is not particularly useful.

Easy mode is started with
$ vim -y 
starts vim in easy mode, that is insert mode where the user can no longer use Esc to switch modes or anything ele.  Ctrl-q allows exit with a choice of saving current work or not.

Everything seems to work as before.

CC: (none) => tarazed25

Comment 7 Thomas Andrews 2023-03-01 17:23:40 CET
Validating. Advisory in comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-01 17:45:48 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2023-03-01 22:15:56 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 9 David Walser 2023-03-16 18:00:30 CET
This update also fixed CVE-2023-0512:

Note You need to log in before you can comment on or make changes to this bug.