{
  "threat_severity" : "Moderate",
  "public_date" : "2024-08-22T22:15:05Z",
  "bugzilla" : {
    "description" : "vim: Out of bounds read when performing a search command",
    "id" : "2307454",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2307454"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-122",
  "details" : [ "Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.", "A vulnerability was found in the VIM package. When performing a search and displaying the search count message is disabled, the search pattern is shown at the bottom of the screen, and this text is stored in an internal buffer. The search pattern is reversed when using the right-left search mode, and a new internal buffer will be created. If the original search pattern contains NULL characters, the newly allocated buffer will be smaller than the required size, leading to a heap-based out-of-bounds read. This flaw allows an attacker to trick the user into running the malicious search pattern and execute all the steps required to cause the out-of-bounds read." ],
  "statement" : "Red Hat Product Security has rated this issue as having a Low security impact because the \"victim\" has to run an untrusted file IN SCRIPT MODE. Someone who is running untrusted files in script mode is equivalent to someone just taking a random Python script and running it.\nFor additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-43790\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-43790\nhttps://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc\nhttps://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm" ],
  "name" : "CVE-2024-43790",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}