Fedora has issued an advisory today (March 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PDVN5HSWPNVP4QXBPCEGZDLZKURLJWTE/

The issue is fixed upstream in 9.0.1367. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 9.0.1367
Whiteboard: (none) => MGA8TOO
Vim is tv's baby, so assigning this update to you.
Assignee: bugsquad => thierry.vignaud
SUSE has issued an advisory on March 16:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014068.html

Two new issues are fixed upstream in 9.0.1378. Mageia 8 is also affected.
Status comment: Fixed upstream in 9.0.1367 => Fixed upstream in 9.0.1378
Summary: vim new security issue CVE-2023-1127 => vim new security issue CVE-2023-1127 and CVE-2023-117[05]
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Divide By Zero in GitHub repository vim/vim prior to 9.0.1367. (CVE-2023-1127)

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376. (CVE-2023-1170)

Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378. (CVE-2023-1175)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1175
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PDVN5HSWPNVP4QXBPCEGZDLZKURLJWTE/
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014068.html
========================

Updated packages in core/updates_testing:
========================
vim-X11-9.0.1411-1.mga8
vim-common-9.0.1411-1.mga8
vim-enhanced-9.0.1411-1.mga8
vim-minimal-9.0.1411-1.mga8

from SRPM:
vim-9.0.1411-1.mga8.src.rpm
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 9.0.1378 => (none)
Assignee: thierry.vignaud => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Note that this is still pending a freeze move in Cauldron.
Mageia8, x86_64

Updated the packages. Edited a sample weather report in command and insertion modes. Removed and replaced lines in overwrite. Exercised the search function using command /. Repeated search using / and Return. In insertion mode Esc returns to command mode. The degree symbol ° could be typed in as a key combination and characters like € could be cut and pasted in insert mode.
Tried editing a list of files, using the :next command in vim. That worked.
$ vim + servercheck
starts up with the cursor positioned at the end of the file.
At this basic level there are no obvious regressions.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
This update also fixes CVE-2023-1264: https://ubuntu.com/security/notices/USN-5963-1
Validating. Advisory in Comment 3, with an additional CVE reference in Comment 6.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
(In reply to David Walser from comment #6)
> This update also fixes CVE-2023-1264:
> https://ubuntu.com/security/notices/USN-5963-1

Fedora reference for the newer CVEs:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DIAKPMKJ4OZ6NYRZJO7YWMNQL2BICLYV/
Summary: vim new security issue CVE-2023-1127 and CVE-2023-117[05] => vim new security issue CVE-2023-1127, CVE-2023-117[05], and CVE-2023-1264
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0110.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
This update also fixed CVE-2023-1355: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6/