vim is vulnerable to heap-based buffer overflow.
Created vim tracking bugs for this issue:
Affects: fedora-all [bug 2016057]
marking hosted services affected (low) / delegated solely for presence of affected code.
Upstream patch commit: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b
The vulnerable code is in src/drawscreen.c. Specifically:
`p` is a pointer to the `NameBuff` buffer. It's size is represented by the `MAXPATHL` macro. `win_redr_status()` performs operations such as: `STRCPY(p + len, _("[Help]"));` The problem is that `len` can be large enough to cause this to overflow the `NameBuff` buffer to which `p` points, as there isn't enough room for the data being copied and no check is performed. This can result in out-of-bounds write when Vim buffer ("buffer" as in the Vim feature here, not array) names are long. The upstream patch uses `vim_snprintf()` with a write length constraint of `MAXPATHL - len` rather than `STRCPY()` to prevent an out-of-bounds write.
This flaw is Moderate at most because while it is an out-of-bounds write, the attacker does not necessarily have an arbitrary write and the attack is not inherently bound to the network.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:0366 https://access.redhat.com/errata/RHSA-2022:0366