vim is vulnerable to heap-based buffer overflow. Reference: https://huntr.dev/bounties/c958013b-1c09-4939-92ca-92f50aa169e8 Upstream patch: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b
Created vim tracking bugs for this issue: Affects: fedora-all [bug 2016057]
marking hosted services affected (low) / delegated solely for presence of affected code.
Upstream patch commit: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b
Flaw summary: The vulnerable code is in src/drawscreen.c. Specifically: `p` is a pointer to the `NameBuff` buffer. Its size is represented by the `MAXPATHL` macro. `win_redr_status()` performs operations such as: `STRCPY(p + len, _("[Help]"));` The problem is that `len` can be large enough to cause this to overflow the `NameBuff` buffer to which `p` points, as there isn't enough room for the data being copied and no check is performed. This can result in an out-of-bounds write when Vim buffer ("buffer" as in the Vim feature here, not array) names are long. The upstream patch uses `vim_snprintf()` with a write length constraint of `MAXPATHL - len` rather than `STRCPY()` to prevent an out-of-bounds write. This flaw is Moderate at most because while it is an out-of-bounds write, the attacker does not necessarily have an arbitrary write and the attack is not inherently bound to the network.
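The following added example (written for this page, not code from Vim or from the upstream patch) models the unchecked-copy versus bounded-write pattern described above. `DEMO_MAXPATHL`, `strcpy_overflow_bytes()`, `append_status_bounded()`, `render_status()` and the buffer names are assumptions constructed for the demonstration; the real `MAXPATHL` is platform dependent and `win_redr_status()` does more than this. The unchecked copy is measured rather than executed, since performing the overflow would be undefined behaviour; the bounded variant mirrors the `vim_snprintf(p + len, MAXPATHL - len, ...)` shape of the fix and also covers the edge case where `len` already fills the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for Vim's MAXPATHL (platform dependent upstream); kept tiny here
   so an overlong buffer name overflows within a few characters. */
#define DEMO_MAXPATHL 16

/* Stand-in for Vim's global NameBuff, which `p` points to in the report. */
static char NameBuff[DEMO_MAXPATHL];

/* Pre-patch shape: STRCPY(p + len, suffix) needs len bytes of name already
   present, strlen(suffix) bytes of marker, plus the NUL terminator.
   Returns how many bytes would land past the end of the DEMO_MAXPATHL-sized
   buffer (0 means the copy would have fit). The copy itself is deliberately
   not performed: we measure the overflow instead of triggering it. */
size_t strcpy_overflow_bytes(size_t len, const char *suffix)
{
    size_t needed = len + strlen(suffix) + 1;
    return needed > DEMO_MAXPATHL ? needed - DEMO_MAXPATHL : 0;
}

/* Patched shape: append suffix with a bounded write, like the upstream
   vim_snprintf(p + len, MAXPATHL - len, "%s", suffix). Returns the resulting
   string length. Guarding len >= DEMO_MAXPATHL avoids a size_t wrap-around
   in (DEMO_MAXPATHL - len) when the name already fills the buffer. */
size_t append_status_bounded(char *buf, size_t len, const char *suffix)
{
    if (len >= DEMO_MAXPATHL) {
        buf[DEMO_MAXPATHL - 1] = '\0';   /* nothing left to append into */
        return DEMO_MAXPATHL - 1;
    }
    snprintf(buf + len, DEMO_MAXPATHL - len, "%s", suffix);
    return strlen(buf);
}

/* Render a status line into NameBuff for a constructed buffer name: copy the
   (possibly truncated) name, then append the marker the way the patched
   win_redr_status() does. Returns NameBuff so callers can inspect it. */
const char *render_status(const char *name, const char *suffix)
{
    snprintf(NameBuff, DEMO_MAXPATHL, "%s", name);   /* truncating copy */
    append_status_bounded(NameBuff, strlen(NameBuff), suffix);
    return NameBuff;
}

int main(void)
{
    const char *short_name = "doc.txt";                    /* constructed */
    const char *long_name = "a_very_long_buffer_name.txt"; /* constructed */

    printf("short: unchecked copy would spill %zu byte(s)\n",
           strcpy_overflow_bytes(strlen(short_name), "[Help]"));
    printf("long:  unchecked copy would spill %zu byte(s)\n",
           strcpy_overflow_bytes(strlen(long_name), "[Help]"));

    printf("short status: \"%s\"\n", render_status(short_name, "[Help]"));
    printf("long status:  \"%s\" (truncated, no overflow)\n",
           render_status(long_name, "[Help]"));
    return 0;
}
```

With the 16-byte demo buffer, the 7-character name plus `[Help]` fits, while the 27-character name would push 18 bytes past the end under the unchecked copy; the bounded version truncates instead, which is the trade-off the upstream fix accepts.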
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0366 https://access.redhat.com/errata/RHSA-2022:0366