Bug 2215590 - TRIAGE vim: Divide By Zero vulnerability in scroll_cursor_bot() in move.c
Summary: TRIAGE vim: Divide By Zero vulnerability in scroll_cursor_bot() in move.c
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2215591 2215593 2215594 2215595 2215596
Blocks: 2215592
Reported: 2023-06-16 17:16 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-07-04 11:45 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-04 11:45:21 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2023-06-16 17:16:39 UTC
Technical details and steps to reproduce can be found on the referenced GitHub pages below.

Divide-by-zero vulnerability in function scroll_cursor_bot

 [Additional Information]
 This is a similar vulnerability to CVE-2023-0512.

 ------------------------------------------

 [VulnerabilityType]
 CWE-369 Divide by zero

 ------------------------------------------

 [Vendor of Product]
 VIM

 ------------------------------------------

 [Affected Product Code Base]
>9.0.0908

 ------------------------------------------

 [Affected Component]
 src/move.c, scroll_cursor_bot
 ------------------------------------------

 [Attack Type]
 Local

 ------------------------------------------

 [Impact Denial of Service]
 true

 ------------------------------------------

 [Attack Vectors]
 To trigger this vulnerability, several conditions must be met: the VIM window is vertically split into 2 or more, smooth-scroll is turned on, line-number and fold-column are turned on and shown, and the window size is restricted. These can be set in a VIM script, which can be set up as a user-defined script or style file for every instance of VIM.
 To exploit the vulnerability, an attacker needs to set up the specific script as default in the victim's environment; then every time VIM is executed it will crash. Further impact may be possible.

 ------------------------------------------

 [Reference]
Technical report and PoC:
https://github.com/vim/vim/issues/12528
(Divide-by-zero vulnerability in function `scroll_cursor_bot` · Issue #12528 · vim/vim)
Proposed patch:
https://github.com/vim/vim/pull/12540
(Fix divide-by-zero vulnerability in scroll_cursor_bot. by fullwaywang · Pull Request #12540 · vim/vim; fixes #12528)


 ------------------------------------------

 [Has vendor confirmed or acknowledged the vulnerability?]
 true


 ------------------------------------------

 [Discoverer]
 fullwaywang from Tencent

Comment 1 Guilherme de Almeida Suckevicz 2023-06-16 17:16:57 UTC
Created vim tracking bugs for this issue:

Affects: fedora-all [bug 2215591]

