Slackware Linux Project, SSA-2022-089-01
Mar 30, 2022 - 10:41 p.m.

[slackware-security] vim

www.slackware.com

CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.002 Low (Percentile: 54.5%)

New vim packages are available for Slackware 15.0 and -current to
fix a security issue.

Here are the details from the Slackware 15.0 ChangeLog:

patches/packages/vim-8.2.4649-i586-1_slack15.0.txz: Upgraded.
Fixes a use-after-free in utf_ptr2char in vim/vim prior to 8.2.4646.
This vulnerability is capable of crashing software, bypassing protection
mechanisms, modifying memory, and possibly execution of arbitrary code.
Thanks to marav for the heads-up.
For more information, see:
https://vulners.com/cve/CVE-2022-1154
https://huntr.dev/bounties/7f0ec6bc-ea0e-45b0-8128-caac72d23425
https://github.com/vim/vim/commit/b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5
(* Security fix *)
patches/packages/vim-gvim-8.2.4649-i586-1_slack15.0.txz: Upgraded.

Where to find the new packages:

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)

Also see the “Get Slack” section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/vim-8.2.4649-i586-1_slack15.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/vim-gvim-8.2.4649-i586-1_slack15.0.txz

Updated packages for Slackware x86_64 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/vim-8.2.4649-x86_64-1_slack15.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/vim-gvim-8.2.4649-x86_64-1_slack15.0.txz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/vim-8.2.4649-i586-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/vim-gvim-8.2.4649-i586-1.txz

Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/vim-8.2.4649-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/vim-gvim-8.2.4649-x86_64-1.txz

MD5 signatures:

Slackware 15.0 packages:
e256ba90d3a861c2d0ae52b2c0078498 vim-8.2.4649-i586-1_slack15.0.txz
d5bd26402ae3338284f509b5f6ade6c9 vim-gvim-8.2.4649-i586-1_slack15.0.txz

Slackware x86_64 15.0 packages:
df88ffc4da35ce29ddc0be2c8e30de84 vim-8.2.4649-x86_64-1_slack15.0.txz
ff9f02cd841e6eb5ea55c3a51d33b983 vim-gvim-8.2.4649-x86_64-1_slack15.0.txz

Slackware -current packages:
5870187dd239ac2b09c0f42542dfb8ae ap/vim-8.2.4649-i586-1.txz
69a20480ac90589d0aadc1958a952d32 xap/vim-gvim-8.2.4649-i586-1.txz

Slackware x86_64 -current packages:
eda2009b0296ed29ba735394c34f1419 ap/vim-8.2.4649-x86_64-1.txz
a4fd425ca055db0e1ac4b18fb002bbfe xap/vim-gvim-8.2.4649-x86_64-1.txz

Installation instructions:

Upgrade the packages as root:
> upgradepkg vim-8.2.4649-i586-1_slack15.0.txz vim-gvim-8.2.4649-i586-1_slack15.0.txz
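
The download, MD5 check and upgrade steps above can be tied together so that upgradepkg runs only when every package matches the advisory's list. This is an added example, not part of the Slackware advisory; the function names and the saved-advisory file name (advisory.txt) are assumptions.

```shell
#!/bin/sh
# Added example: check downloaded packages against the advisory's MD5 list
# before upgrading. Function names and advisory.txt are hypothetical.

# expected_md5 ADVISORY PKGFILE -> prints the hash the advisory lists for PKGFILE
expected_md5() {
    # List lines look like "<32 hex digits> [ap/]name.txz". Match on the base
    # name so the -current entries (prefixed with ap/ or xap/) are found too.
    awk -v want="$(basename "$2")" '
        NF == 2 && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ {
            n = split($2, parts, "/")
            if (parts[n] == want) { print $1; exit }
        }' "$1"
}

# verify_packages ADVISORY PKG... -> returns 0 only if every package matches
verify_packages() {
    advisory=$1; shift
    status=0
    for pkg in "$@"; do
        want=$(expected_md5 "$advisory" "$pkg")
        if [ -z "$want" ]; then
            echo "NOT LISTED  $pkg" >&2; status=1; continue
        fi
        if [ ! -f "$pkg" ]; then
            echo "MISSING     $pkg" >&2; status=1; continue
        fi
        have=$(md5sum "$pkg" | awk '{print $1}')
        if [ "$have" = "$want" ]; then
            echo "OK          $pkg"
        else
            echo "MISMATCH    $pkg" >&2; status=1
        fi
    done
    return $status
}

# Usage, as root in the download directory (advisory.txt = saved advisory text):
#   verify_packages advisory.txt vim-8.2.4649-i586-1_slack15.0.txz \
#       vim-gvim-8.2.4649-i586-1_slack15.0.txz \
#     && upgradepkg vim-8.2.4649-i586-1_slack15.0.txz \
#            vim-gvim-8.2.4649-i586-1_slack15.0.txz
```

A match shows that the file is the one the advisory describes; the check is only as trustworthy as the channel the advisory text itself arrived over.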
