Vim Vulnerabilities Addressed in Ubuntu Security Updates
The recent Ubuntu security updates have addressed 13 vulnerabilities in the Vim package. Canonical has released updates for different Ubuntu releases, including Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 ESM, and Ubuntu 14.04 ESM. In this blog, we will look at some of the Vim vulnerabilities that have been patched in the update.
Several Vim Vulnerabilities Fixed
CVE-2022-3234
CVSS 3.x Score: 7.8 (High)
Vim did not correctly handle memory when replacing it in virtualedit mode, leading to a heap-based buffer overflow. An attacker can use this to cause a denial of service. Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS are only affected.
CVE-2022-3256
CVSS 3.x Score: 7.8 High
It was found that Vim did not correctly handle memory when autocmd changes mark. An attacker can use this use-after-free flaw to cause a denial of service.
CVE-2022-3324
CVSS 3.x Score: 7.8 High
Vim did not correctly perform checks on the array index with the negative width window. An attacker can use this stack-based buffer overflow vulnerability to cause a denial of service or execute arbitrary code.
CVE-2022-3520
CVSS 3.x Score: 9.8 Critical
It was discovered that Vim did not properly perform checks on a put command column with a visual block. An attacker could possibly use this heap-based buffer overflow issue to cause a denial of service. Ubuntu 20.04 LTS and Ubuntu 22.04 LTS are only affected.
CVE-2022-3591
CVSS 3.x Score: 7.8 High
Vim did not correctly handle memory when using autocommand to open a window. An attacker can use this use-after-free flaw to cause a denial of service.
CVE-2022-3705
CVSS 3.x Score: 7.5 High
A vulnerability was detected in Vim and has been categorized as problematic. This issue pertains to the function qf_update_buffer within the file quickfix.c of the autocmd Handler component. Exploiting this vulnerability can result in a use-after-free condition, and it may be exploited remotely. A potential attacker could leverage this vulnerability to initiate a denial of service. It’s important to note that this issue only impacted Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
CVE-2022-4293
CVSS 3.x Score: 5.5 Medium
Vim did not correctly handle floating point comparison with the incorrect operating, resulting in a floating point exception flaw. An attacker can use this issue to cause a denial of service. Ubuntu 20.04 LTS and Ubuntu 22.04 LTS are only affected.
TuxCare has already released patches for these vulnerabilities affecting different EOL Linux distributions. Learn about Extended Lifecycle Support for End-of-Life Linux.
Final Thoughts
It is highly recommended to update the system to newer package versions to fix these Vim vulnerabilities. A reboot will be required after the system update.
To apply patches without a system reboot, you can consider using TuxCare’s KernelCare Enterprise, which provides an automated live patching solution to apply security updates to Linux systems. Learn how live patching works with KernelCare.
The sources for this article can be found on Ubuntu Security Notices.
The post Vim Vulnerabilities Addressed in Ubuntu Security Updates appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/vim-vulnerabilities-addressed-in-ubuntu-security-updates/