vim: vulnerability allows denial of service

by admin

There is an IT security warning for vim. Here you can find out which vulnerabilities are involved, which products are affected and what you can do.

The German Federal Office for Information Security (BSI) published an update on May 5th, 2023 to a vulnerability in vim that became known on March 8th, 2023. The operating systems UNIX, Linux and MacOS X as well as the products Amazon Linux 2, Fedora Linux, Ubuntu Linux, SUSE Linux and Open Source vim are affected by the vulnerability.

The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: SUSE Security Update SUSE-SU-2023:2103-1 (Status: 04.05.2023). Other useful links are listed later in this article.

Security advisory for vim – Risk: medium

Risk level: 3 (medium)
CVSS Base Score: 6.6
CVSS Temporal Score: 5.9
Remote Attack: No

The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security vulnerabilities based on various metrics in order to better prioritize countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used for the severity of a vulnerability. The base score assesses the prerequisites for an attack (including authentication, complexity, privileges, user interaction) and its consequences. The Temporal Score also takes into account changes over time with regard to the risk situation. The severity of the vulnerability discussed here is classified as “medium” according to the CVSS with a base score of 6.6.

vim Bug: Vulnerability allows denial of service

Vim (Vi IMproved) is a further development of the text editor vi.

A remote, anonymous attacker could exploit a vulnerability in vim to carry out a denial of service attack or to cause other, unspecified effects.

The vulnerability is tracked under the unique CVE identifier (Common Vulnerabilities and Exposures) CVE-2023-1264.

Systems affected by the vim vulnerability at a glance

Operating systems
UNIX, Linux, MacOS X

Products
Amazon Linux 2 (cpe:/o:amazon:linux_2)
Fedora Linux (cpe:/o:fedoraproject:fedora)
Ubuntu Linux (cpe:/o:canonical:ubuntu_linux)
SUSE Linux (cpe:/o:suse:suse_linux)
Open Source vim < 9.0.1392 (cpe:/a:vim:vim)

General measures for dealing with IT security gaps

  1. Users of the affected applications should keep them up to date. When security gaps become known, manufacturers are required to remedy them as quickly as possible by developing a patch or a workaround. If security patches are available, install them promptly.
  2. For information, consult the sources listed in the next section. These often contain further information on the latest version of the software in question and the availability of security patches or tips on workarounds.
  3. If you have any further questions or are uncertain, please contact your responsible administrator. IT security officers should regularly check whether the manufacturers affected by this IT security warning have made a new security update available.

Sources for updates, patches and workarounds

The following links provide further information about bug reports, security fixes and workarounds.

SUSE Security Update SUSE-SU-2023:2103-1 of 2023-05-04 (05.05.2023)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2023-May/014736.html

Amazon Linux Security Advisory ALAS-2023-1716 of 2023-04-06 (06.04.2023)
For more information, see: https://alas.aws.amazon.com/ALAS-2023-1716.html

Amazon Linux Security Advisory ALAS-2023-2005 of 2023-04-05 (06.04.2023)
For more information, see: https://alas.aws.amazon.com/AL2/ALAS-2023-2005.html

Ubuntu Security Notice USN-5963-1 of 2023-03-20 (21.03.2023)
For more information, see: https://ubuntu.com/security/notices/USN-5963-1

Fedora Security Advisory FEDORA-2023-D4EBE53978 of 2023-03-16 (17.03.2023)
For more information, see: https://bodhi.fedoraproject.org/updates/FEDORA-2023-d4ebe53978

Fedora Security Advisory FEDORA-2023-43CB13AEFB of 2023-03-16 (17.03.2023)
For more information, see: https://bodhi.fedoraproject.org/updates/FEDORA-2023-43cb13aefb

Fedora Security Advisory FEDORA-2023-030318CA00 of 2023-03-16 (17.03.2023)
For more information, see: https://bodhi.fedoraproject.org/updates/FEDORA-2023-030318ca00

GitHub Security Advisory GHSA-mrf7-wp64-3p45 of 2023-03-07 (08.03.2023)
For more information, see: https://github.com/advisories/GHSA-mrf7-wp64-3p45

huntr: NULL Pointer Dereference in function utfc_ptr2len in vim/vim (08.03.2023)
For more information, see: https://huntr.dev/bounties/b2989095-88f3-413a-9a39-c1c58a6e6815

Version history of this security alert

This is the 5th version of this IT security notice for vim. As further updates are announced, this text will be updated. The changes made are listed in the following version history.

03/08/2023 – Initial version
03/17/2023 – Added new updates of Fedora
03/21/2023 – Added new updates of Ubuntu
04/06/2023 – Added new updates from Amazon
05/05/2023 – Added new updates from SUSE

