Bug 2246953 (CVE-2023-46246) - CVE-2023-46246 vim: Integer Overflow in :history command
Summary: CVE-2023-46246 vim: Integer Overflow in :history command
Keywords:
Status: NEW
Alias: CVE-2023-46246
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
: 2246543 (view as bug list)
Depends On: 2254025
Blocks: 2246544 2246954
TreeView+ depends on / blocked
 
Reported: 2023-10-30 09:01 UTC by Avinash Hanwate
Modified: 2024-01-02 04:35 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Avinash Hanwate 2023-10-30 09:01:54 UTC
Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.


https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm
https://github.com/vim/vim/commit/9198c1f2b1ddecde22af918541e0de2a32f0f45a

Comment 2 Marian Rehak 2023-12-11 15:35:25 UTC
*** Bug 2246543 has been marked as a duplicate of this bug. ***

Comment 3 Marian Rehak 2023-12-11 15:49:33 UTC
Created vim tracking bugs for this issue:

Affects: fedora-all [bug 2254025]


Note You need to log in before you can comment on or make changes to this bug.