Bug 2176462 (CVE-2023-1170) - CVE-2023-1170 vim: Heap-based Buffer Overflow
Summary: CVE-2023-1170 vim: Heap-based Buffer Overflow
Keywords:
Status: NEW
Alias: CVE-2023-1170
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2176463 Red Hat2179903 Red Hat2179904
Blocks: Embargoed2177866
TreeView+ depends on / blocked
 
Reported: 2023-03-08 13:04 UTC by Pedro Sampaio
Modified: 2023-03-20 11:17 UTC (History)
2 users (show)

Fixed In Version: vim 9.0.1376
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow vulnerability was found in Vim's utf_ptr2char() function of the src/mbyte.c file. This flaw occurs because there is access to invalid memory with put in visual block mode. An attacker can trick a user into opening a specially crafted file, triggering an out-of-bounds read that causes an application to crash, leading to a denial of service.
Clone Of:
Environment:
Last Closed:

Attachments (Terms of Use)

Description Pedro Sampaio 2023-03-08 13:04:56 UTC 
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.

References:

https://github.com/vim/vim/commit/1c73b65229c25e3c1fd8824ba958f7cc4d604f9c
https://huntr.dev/bounties/286e0090-e654-46d2-ac60-29f81799d0a4
Comment 1 Pedro Sampaio 2023-03-08 13:05:11 UTC 
Created vim tracking bugs for this issue:

Affects: fedora-all [bug 2176463]
Comment 2 Zdenek Dohnal 2023-03-09 12:47:19 UTC 
Hi,

the reproducer seems to be a vimscript combination - would you mind explaining why the vulnerability is not low, but medium?
Comment 3 Pedro Sampaio 2023-03-13 18:04:13 UTC 
In reply to comment #2:
> Hi,
> 
> the reproducer seems to be a vimscript combination - would you mind
> explaining why the vulnerability is not low, but medium?

Initial triage set it to medium by description. Lowered to low now.
Note You need to log in before you can comment on or make changes to this bug.