Bug 32428 - vim new security issues CVE-2023-5535 and CVE-2023-5441
Summary: vim new security issues CVE-2023-5535 and CVE-2023-5441
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA9-64-OK MGA8-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-10-23 16:10 CEST by Nicolas Salguero
Modified: 2023-10-27 23:51 CEST (History)
CC List: 5 users

See Also:
Source RPM: vim-9.0.1882-1.mga9.src.rpm
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2023-10-23 16:10:03 CEST
Fedora has issued an advisory today (October 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3/

The issues are fixed upstream in 9.0.2010.

Mageia 8 and 9 are also affected.
Comment 1 Nicolas Salguero 2023-10-23 16:24:56 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960. (CVE-2023-5441)

Use After Free in GitHub repository vim/vim prior to v9.0.2010. (CVE-2023-5535)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5441
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5535
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3/
========================

Updated packages in {8|9}/core/updates_testing:
========================
vim-X11-9.0.2059-1.mga{8|9}
vim-common-9.0.2059-1.mga{8|9}
vim-enhanced-9.0.2059-1.mga{8|9}
vim-minimal-9.0.2059-1.mga{8|9}

from SRPM:
vim-9.0.2059-1.mga{8|9}.src.rpm

Assignee: bugsquad => qa-bugs
Source RPM: (none) => vim-9.0.1882-1.mga9.src.rpm
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Version: Cauldron => 9
Status: NEW => ASSIGNED

Comment 2 Marja Van Waes 2023-10-23 17:09:58 CEST
Advisory from comment 1 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory
CC: (none) => marja11

Comment 3 Herman Viaene 2023-10-25 15:48:11 CEST
MGA9-64 Xfce on Acer Aspire 5253
No installation issues.
Opened a .txt file with vim, exercised the a, i, x, dd and w commands. Exited with the q command and used pluma to check the changes. All works OK.

Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 katnatek 2023-10-26 03:23:22 CEST
Tested on Mageia 8 i586, nothing weird

Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA9-64-OK MGA8-32-OK

Comment 5 Thomas Andrews 2023-10-26 18:46:48 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2023-10-27 23:51:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0305.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
