CVE-2024-43790

EUVD-2024-40450

22.08.2024, 22:15

Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.5 MEDIUM	LOCAL	HIGH	NONE	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Affected Products (NVD)

Vendor	Product	Version
vim	vim	9.1.0425 ≤ 𝑥 < 9.1.0689
netapp	bootstrap_os	-

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

vim

bookworm	unimportant
bullseye	unimportant
bullseye (security)	unimportant
forky	2:9.1.1882-1 fixed
sid	2:9.1.1882-1 fixed
trixie	2:9.1.1230-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

vim

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

gvim

suse enterprise server 15 SP4

9.1.1101-150000.5.69.1

fixed

vim

suse enterprise desktop 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise desktop 15 SP7	9.1.1101-150500.20.21.1 fixed
suse enterprise sap 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise sap 15 SP7	9.1.1101-150500.20.21.1 fixed
suse enterprise server 15 SP4	9.1.1101-150000.5.69.1 fixed
suse enterprise server 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise server 15 SP7	9.1.1101-150500.20.21.1 fixed

vim-data

suse enterprise desktop 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise desktop 15 SP7	9.1.1101-150500.20.21.1 fixed
suse enterprise sap 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise sap 15 SP7	9.1.1101-150500.20.21.1 fixed
suse enterprise server 15 SP4	9.1.1101-150000.5.69.1 fixed
suse enterprise server 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise server 15 SP7	9.1.1101-150500.20.21.1 fixed

vim-data-common

suse enterprise desktop 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise desktop 15 SP7	9.1.1101-150500.20.21.1 fixed
suse enterprise sap 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise sap 15 SP7	9.1.1101-150500.20.21.1 fixed
suse enterprise server 15 SP4	9.1.1101-150000.5.69.1 fixed
suse enterprise server 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise server 15 SP7	9.1.1101-150500.20.21.1 fixed

vim-small

suse enterprise desktop 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise desktop 15 SP7	9.1.1101-150500.20.21.1 fixed
suse enterprise sap 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise sap 15 SP7	9.1.1101-150500.20.21.1 fixed
suse enterprise server 15 SP4	9.1.1101-150000.5.69.1 fixed
suse enterprise server 15 SP6	9.1.1101-150500.20.21.1 fixed
suse enterprise server 15 SP7	9.1.1101-150500.20.21.1 fixed

xxd

suse enterprise server 15 SP4

9.1.1101-150000.5.69.1

fixed

Common Weakness Enumeration

CWE-122 - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

References

https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc

https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm

https://security.netapp.com/advisory/ntap-20240920-0005/