Bug 2302419 (CVE-2024-41965)

Summary: CVE-2024-41965 vim: Double-Free Vulnerability in Vim Could Cause Application Crashes
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adudiak, kshier, omaciel, stcannon, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Vim versions before 9.1.0648 that can cause the program to crash. This issue happens when a user abandons a modified file, and Vim tries to save it as an Untitled file. Due to a mistake in handling this process, Vim accidentally tries to free up memory twice, which can lead to problems, causing the program to crash. This issue can be exploited by someone with local access to the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2302485, 2302486, 2302500, 2302501    
Bug Blocks:    

Description OSIDB Bzimport 2024-08-01 22:21:38 UTC 
Vim is an open source command line text editor. double-free in dialog_changed() in Vim < v9.1.0648. When abandoning a buffer, Vim may ask the user what to do with the modified buffer. If the user wants the changed buffer to be saved, Vim may create a new Untitled file, if the buffer did not have a name yet. However, when setting the buffer name to Unnamed, Vim will falsely free a pointer twice, leading to a double-free and possibly later to a heap-use-after-free, which can lead to a crash. The issue has been fixed as of Vim patch v9.1.0648.