SBN

Vim Vulnerabilities Addressed in Ubuntu Security Updates

The recent Ubuntu security updates have addressed 13 vulnerabilities in the Vim package. Canonical has released updates for different Ubuntu releases, including Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 ESM, and Ubuntu 14.04 ESM. In this blog, we will look at some of the Vim vulnerabilities that have been patched in the update.

 

Several Vim Vulnerabilities Fixed

CVE-2022-3234

CVSS 3.x Score: 7.8 (High)

Vim did not correctly handle memory when replacing it in virtualedit mode, leading to a heap-based buffer overflow. An attacker can use this to cause a denial of service. Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS are only affected.

 

CVE-2022-3256

CVSS 3.x Score: 7.8 High

It was found that Vim did not correctly handle memory when autocmd changes mark. An attacker can use this use-after-free flaw to cause a denial of service.

 

CVE-2022-3324

CVSS 3.x Score: 7.8 High

Vim did not correctly perform checks on the array index with the negative width window. An attacker can use this stack-based buffer overflow vulnerability to cause a denial of service or execute arbitrary code.

 

CVE-2022-3520

CVSS 3.x Score: 9.8 Critical

It was discovered that Vim did not properly perform checks on a put command column with a visual block. An attacker could possibly use this heap-based buffer overflow issue to cause a denial of service. Ubuntu 20.04 LTS and Ubuntu 22.04 LTS are only affected.

 

CVE-2022-3591

CVSS 3.x Score: 7.8 High

Vim did not correctly handle memory when using autocommand to open a window. An attacker can use this use-after-free flaw to cause a denial of service.

 

CVE-2022-3705

CVSS 3.x Score: 7.5 High

A vulnerability was detected in Vim and has been categorized as problematic. This issue pertains to the function qf_update_buffer within the file quickfix.c of the autocmd Handler component. Exploiting this vulnerability can result in a use-after-free condition, and it may be exploited remotely. A potential attacker could leverage this vulnerability to initiate a denial of service. It’s important to note that this issue only impacted Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

 

CVE-2022-4293

CVSS 3.x Score: 5.5 Medium

Vim did not correctly handle floating point comparison with the incorrect operating, resulting in a floating point exception flaw. An attacker can use this issue to cause a denial of service. Ubuntu 20.04 LTS and Ubuntu 22.04 LTS are only affected.

 

TuxCare has already released patches for these vulnerabilities affecting different EOL Linux distributions. Learn about Extended Lifecycle Support for End-of-Life Linux.

 

Final Thoughts

It is highly recommended to update the system to newer package versions to fix these Vim vulnerabilities. A reboot will be required after the system update.

To apply patches without a system reboot, you can consider using TuxCare’s KernelCare Enterprise, which provides an automated live patching solution to apply security updates to Linux systems. Learn how live patching works with KernelCare.

 

The sources for this article can be found on Ubuntu Security Notices.

The post Vim Vulnerabilities Addressed in Ubuntu Security Updates appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/vim-vulnerabilities-addressed-in-ubuntu-security-updates/