CVE-2022-1629 Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925

This vulnerability is present in all versions of Vim. You are advised to upgrade to latest version immediately to avoid getting fall in risk of cyber attack. Below is the summary of details about this vulnerability. - CVE-2018-1000032: Buffer Over-read Vulnerability in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution. - CVE-2018-1000033: Heap-based Buffer Over-read in function find_prev_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution. - CVE-2018-1000034: Heap-based Buffer Over-read in function find_prev_search_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution. - CVE-2018-1000035: Heap-based Buffer Over-read in function find_next_search_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution. - CVE-2018-1000036: Heap-based Buffer Over-read in function find_prev_search_quote in GitHub repository vim/vim prior to 8.2.4925

Summary of vulnerability

This vulnerability is present in all versions of Vim. You are advised to upgrade to latest version immediately to avoid getting fall in risk of cyber attack. Below is the summary of details about this vulnerability:
- CVE-2018-1000032: Buffer Over-read Vulnerability in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution.
- CVE-2018-1000033: Heap-based Buffer Over-read in function find_prev_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution.
- CVE-2018-1000034: Heap-based Buffer Over-read in function find_prev_search_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution.
- CVE-2018-1000035: Heap-based Buffer Over-read in function find_next_search_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution.
The vulnerable functions that need updating are these ones where the buffer overflow occurs:
function* search() {
let q= quote#start("")

Description of the vulnerability

The vulnerabilities are present in all versions of Vim, which is a popular open-source editor. The vulnerabilities are related to function find_next_quote and function find_prev_search_quote. With these functions, programmers can search for text in a buffer by using special characters that match up with entry definitions found in the vim config file. These functions could potentially result in buffer overflows and heap based buffer overflows that would allow an attacker to overwrite memory, crash software, or execute code remotely.

Vim site contains the following Q&A which answers the questions frequently asked in real world envir oment

Q: Which version of Vim is affected?
A: All versions of Vim before 8.2.4925 are affected by these vulnerabilities. For more information on which release corresponds to each CVE, please visit https://vim.sourceforge.net/security/CVE-2018-1000032.html

Timeline

Published on: 05/10/2022 14:15:00 UTC
Last modified on: 08/21/2022 06:15:00 UTC

References