cnvd - cnvd-2024-40459

cnvd-2024-40459

Vulnerability from cnvd

Title: Vim缓冲区溢出漏洞（CNVD-2024-40459）

Description:

Vim是Vim开源的一款跨平台的文本编辑器。

Vim 9.1.0697之前版本存在缓冲区溢出漏洞，该漏洞源于未检查缓冲区中是否有足够的空间来处理下一个字符，远程攻击者可利用该漏洞在系统上执行任意代码或者导致拒绝服务攻击。

Severity: 低

Patch Name: Vim缓冲区溢出漏洞（CNVD-2024-40459）的补丁

Patch Description:

Vim是Vim开源的一款跨平台的文本编辑器。

Vim 9.1.0697之前版本存在缓冲区溢出漏洞，该漏洞源于未检查缓冲区中是否有足够的空间来处理下一个字符，远程攻击者可利用该漏洞在系统上执行任意代码或者导致拒绝服务攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/vim/vim/releases/tag/v9.1.0698

Reference: https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh

Impacted products

Name
Vim Vim <9.1.0697

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-43802",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-43802"
    }
  },
  "description": "Vim\u662fVim\u5f00\u6e90\u7684\u4e00\u6b3e\u8de8\u5e73\u53f0\u7684\u6587\u672c\u7f16\u8f91\u5668\u3002\n\nVim 9.1.0697\u4e4b\u524d\u7248\u672c\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u68c0\u67e5\u7f13\u51b2\u533a\u4e2d\u662f\u5426\u6709\u8db3\u591f\u7684\u7a7a\u95f4\u6765\u5904\u7406\u4e0b\u4e00\u4e2a\u5b57\u7b26\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u6216\u8005\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/vim/vim/releases/tag/v9.1.0698",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-40459",
  "openTime": "2024-10-11",
  "patchDescription": "Vim\u662fVim\u5f00\u6e90\u7684\u4e00\u6b3e\u8de8\u5e73\u53f0\u7684\u6587\u672c\u7f16\u8f91\u5668\u3002\r\n\r\nVim 9.1.0697\u4e4b\u524d\u7248\u672c\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u68c0\u67e5\u7f13\u51b2\u533a\u4e2d\u662f\u5426\u6709\u8db3\u591f\u7684\u7a7a\u95f4\u6765\u5904\u7406\u4e0b\u4e00\u4e2a\u5b57\u7b26\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u6216\u8005\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Vim\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2024-40459\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Vim Vim \u003c9.1.0697"
  },
  "referenceLink": "https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh",
  "serverity": "\u4f4e",
  "submitTime": "2024-08-29",
  "title": "Vim\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2024-40459\uff09"
}

CVE-2024-43802 (GCVE-0-2024-43802)

Vulnerability from cvelistv5

Published

2024-08-26 18:48

Modified

2024-10-04 15:02

Severity ?

4.5 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-122 - Heap-based Buffer Overflow

Summary

Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.

References

▼	URL	Tags
	https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh	x_refsource_CONFIRM
	https://github.com/vim/vim/commit/322ba9108612bead5eb	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vim	vim	Version: < 9.1.0697

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43802",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-28T14:28:07.231057Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-28T14:28:30.371Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-10-04T15:02:49.926Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20241004-0008/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim",
          "vendor": "vim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.1.0697"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters.  So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It\u0027s not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-26T18:48:11.979Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh"
        },
        {
          "name": "https://github.com/vim/vim/commit/322ba9108612bead5eb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vim/vim/commit/322ba9108612bead5eb"
        }
      ],
      "source": {
        "advisory": "GHSA-4ghr-c62x-cqfh",
        "discovery": "UNKNOWN"
      },
      "title": "heap-buffer-overflow in ins_typebuf() in Vim \u003c 9.1.0697"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43802",
    "datePublished": "2024-08-26T18:48:11.979Z",
    "dateReserved": "2024-08-16T14:20:37.326Z",
    "dateUpdated": "2024-10-04T15:02:49.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted