Bug 2016056 (CVE-2021-3872) - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() in drawscreen.c
Summary: CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() in drawscr...
Alias: CVE-2021-3872
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2016123 2016125 2016200 2016201 2016202 2016057
Blocks: 2014663
Reported: 2021-10-20 17:41 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-05 13:53 UTC (History)

Fixed In Version: vim 8.2.3487
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was found in vim's drawscreen.c win_redr_status() function. This flaw allows an attacker to trick a user into opening a crafted file with specific arguments in vim, triggering an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Clone Of:
Last Closed: 2021-11-02 23:40:14 UTC


Description Guilherme de Almeida Suckevicz 2021-10-20 17:41:34 UTC
vim is vulnerable to a heap-based buffer overflow.


Upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2021-10-20 17:41:51 UTC
Created vim tracking bugs for this issue:

Affects: fedora-all [bug 2016057]

Comment 2 juneau 2021-10-20 18:39:05 UTC
Marking hosted services affected (low) / delegated solely for presence of affected code.

Comment 5 Todd Cullum 2021-10-20 22:56:33 UTC
Upstream patch commit: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b

Comment 8 Todd Cullum 2021-10-22 01:13:58 UTC
Flaw summary:

The vulnerable code is in src/drawscreen.c. Specifically:

`p` is a pointer to the `NameBuff` buffer. Its size is represented by the `MAXPATHL` macro. `win_redr_status()` performs operations such as: `STRCPY(p + len, _("[Help]"));` The problem is that `len` can be large enough to cause this to overflow the `NameBuff` buffer to which `p` points, as there isn't enough room for the data being copied and no check is performed. This can result in out-of-bounds write when Vim buffer ("buffer" as in the Vim feature here, not array) names are long. The upstream patch uses `vim_snprintf()` with a write length constraint of `MAXPATHL - len` rather than `STRCPY()` to prevent an out-of-bounds write.

This flaw is Moderate at most because while it is an out-of-bounds write, the attacker does not necessarily have an arbitrary write and the attack is not inherently bound to the network.
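The unbounded-copy pattern described in the flaw summary above, beside the bounded replacement the upstream fix adopts, as an added example in C that is not Vim's own code. `DEMO_MAXPATHL`, `name_buff`, `unchecked_copy_overflows()`, `append_bounded()` and `status_line_len()` are constructed stand-ins for `MAXPATHL`, `NameBuff` and the status-line logic of `win_redr_status()`, not Vim identifiers; the buffer names are constructed runs of `a`. The unsafe `STRCPY(p + len, ...)` is only modelled arithmetically (it is never executed), while the bounded path formats into the `MAXPATHL - len` bytes that remain, so a long name truncates the tag instead of overrunning the buffer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Vim's MAXPATHL (kept small so truncation is visible). */
#define DEMO_MAXPATHL 32

/* Constructed stand-in for NameBuff: the fixed-size buffer the status line is built in. */
static char name_buff[DEMO_MAXPATHL];

/*
 * Models the pre-fix pattern STRCPY(p + len, suffix) WITHOUT performing it:
 * strcpy writes strlen(suffix) + 1 bytes (the NUL included) at offset len,
 * so the copy overruns a cap-byte buffer whenever that does not fit.
 */
bool unchecked_copy_overflows(size_t len, const char *suffix, size_t cap)
{
    if (len >= cap)
        return true;                       /* offset already past the end */
    return strlen(suffix) + 1 > cap - len; /* remaining room too small */
}

/*
 * Models the fixed pattern: format into the space that is left, cap - len,
 * so the result is truncated instead of overflowing.  Returns the number of
 * bytes actually stored (NUL excluded), or -1 when no room remains at all.
 */
int append_bounded(char *buf, size_t cap, size_t len, const char *suffix)
{
    if (len >= cap)
        return -1;
    size_t room = cap - len;
    int wanted = snprintf(buf + len, room, "%s", suffix);
    if (wanted < 0)
        return -1;
    /* snprintf reports the length it wanted; what fit is at most room - 1. */
    return (size_t)wanted < room ? wanted : (int)(room - 1);
}

/*
 * Builds a status line the way the flaw summary describes: a buffer name of
 * name_len characters followed by a tag such as "[Help]".  The name is a
 * constructed run of 'a' characters.  Returns strlen() of the result, which
 * can never exceed DEMO_MAXPATHL - 1.
 */
size_t status_line_len(size_t name_len, const char *tag)
{
    size_t len = name_len < DEMO_MAXPATHL - 1 ? name_len : DEMO_MAXPATHL - 1;
    memset(name_buff, 'a', len);
    name_buff[len] = '\0';
    append_bounded(name_buff, DEMO_MAXPATHL, len, tag);
    return strlen(name_buff);
}

int main(void)
{
    size_t lens[] = { 10, 28, 100 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t len = lens[i] < DEMO_MAXPATHL - 1 ? lens[i] : DEMO_MAXPATHL - 1;
        size_t got = status_line_len(lens[i], "[Help]");
        printf("name length %zu: unchecked copy %s; bounded result %zu bytes: \"%s\"\n",
               lens[i],
               unchecked_copy_overflows(len, "[Help]", DEMO_MAXPATHL) ? "overflows" : "fits",
               got, name_buff);
    }
    return 0;
}
```

With a 32-byte buffer, a 10-character name leaves room for the whole tag; a 28-character name would overflow under the unchecked copy (7 bytes needed, 4 available) and is truncated to `[He` under the bounded one; a name that already fills the buffer gets no tag at all but still stays inside the buffer. That truncation-instead-of-overrun behaviour is exactly what the `MAXPATHL - len` bound in the upstream patch buys.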
