Bug 2246953 (CVE-2023-46246) - CVE-2023-46246 vim: Integer Overflow in :history command
Summary: CVE-2023-46246 vim: Integer Overflow in :history command
Status: NEW
Alias: CVE-2023-46246
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
: 2246543 (view as bug list)
Depends On: 2254025
Blocks: 2246544 2246954
TreeView+ depends on / blocked
Reported: 2023-10-30 09:01 UTC by Avinash Hanwate
Modified: 2024-01-02 04:35 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Avinash Hanwate 2023-10-30 09:01:54 UTC
Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.


Comment 2 Marian Rehak 2023-12-11 15:35:25 UTC
*** Bug 2246543 has been marked as a duplicate of this bug. ***

Comment 3 Marian Rehak 2023-12-11 15:49:33 UTC
Created vim tracking bugs for this issue:

Affects: fedora-all [bug 2254025]

Note You need to log in before you can comment on or make changes to this bug.