Bug 2215590

Summary: TRIAGE vim: Divide By Zero vulnerability in scroll_cursor_bot() in move.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: jburrell, michal.skrivanek, mperina, sbonazzo, zdohnal
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-07-04 11:45:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2215591, 2215593, 2215594, 2215595, 2215596
Bug Blocks: 2215592

Description Guilherme de Almeida Suckevicz 2023-06-16 17:16:39 UTC
Technical details and steps to reproduce can be found on the referenced GitHub pages below.

Divide-by-zero vulnerability in function scroll_cursor_bot

 [Additional Information]
 This is a similar vulnerability to CVE-2023-0512.

 ------------------------------------------

 [VulnerabilityType]
 CWE-369 Divide by zero

 ------------------------------------------

 [Vendor of Product]
 VIM

 ------------------------------------------

 [Affected Product Code Base]
>9.0.0908

 ------------------------------------------

 [Affected Component]
 src/move.c, scroll_cursor_bot
 ------------------------------------------

 [Attack Type]
 Local

 ------------------------------------------

 [Impact Denial of Service]
 true

 ------------------------------------------

 [Attack Vectors]
 To trigger this vulnerability, several conditions must be met: the VIM window is vertically split into 2 or more, smooth-scroll is turned on, line-number and fold-column are turned on and shown, and window size is restricted. These can be set in a VIM script, which can be set up as a user-defined script or style file for every instance of VIM.
 To exploit the vulnerability, an attacker needs to set up the specific script as default in the victim's environment, then every time VIM is executed it will crash. Further impact can be possible.

 ------------------------------------------

 [Reference]
Technical report and PoC:
https://github.com/vim/vim/issues/12528 (Issue #12528: Divide-by-zero vulnerability in function `scroll_cursor_bot`)
Proposed patch:
https://github.com/vim/vim/pull/12540 (Pull Request #12540 by fullwaywang: Fix divide-by-zero vulnerability in scroll_cursor_bot; fixes #12528)


 ------------------------------------------

 [Has vendor confirmed or acknowledged the vulnerability?]
 true


 ------------------------------------------

 [Discoverer]
 fullwaywang from Tencent

Comment 1 Guilherme de Almeida Suckevicz 2023-06-16 17:16:57 UTC
Created vim tracking bugs for this issue:

Affects: fedora-all [bug 2215591]