===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6148
                            vim security update
                              25 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           vim
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3352 CVE-2022-3256 CVE-2022-3235 CVE-2022-2129
                   CVE-2022-2000 CVE-2022-1942 CVE-2022-1897 CVE-2022-1785
                   CVE-2022-1621 CVE-2022-1619 CVE-2022-0696 CVE-2022-0629
                   CVE-2022-0392 CVE-2022-0318

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html

Comment: CVSS (Max):  9.8 CVE-2022-0318 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3204-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Helmut Grohne
November 24, 2022                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : vim
Version        : 2:8.1.0875-5+deb10u4
CVE ID         : CVE-2022-0318 CVE-2022-0392 CVE-2022-0629 CVE-2022-0696
                 CVE-2022-1619 CVE-2022-1621 CVE-2022-1785 CVE-2022-1897
                 CVE-2022-1942 CVE-2022-2000 CVE-2022-2129 CVE-2022-3235
                 CVE-2022-3256 CVE-2022-3352

This update fixes multiple memory access violations in vim.

CVE-2022-0318

    Heap-based Buffer Overflow

CVE-2022-0392

    Heap-based Buffer Overflow

CVE-2022-0629

    Stack-based Buffer Overflow

CVE-2022-0696

    NULL Pointer Dereference

CVE-2022-1619

    Heap-based Buffer Overflow in function cmdline_erase_chars.
    These vulnerabilities are capable of crashing software, modifying
    memory, and possible remote code execution.

CVE-2022-1621

    Heap buffer overflow in vim_strncpy find_word. This vulnerability is
    capable of crashing software, bypassing protection mechanisms,
    modifying memory, and possible remote code execution.

CVE-2022-1785

    Out-of-bounds Write

CVE-2022-1897

    Out-of-bounds Write

CVE-2022-1942

    Heap-based Buffer Overflow

CVE-2022-2000

    Out-of-bounds Write

CVE-2022-2129

    Out-of-bounds Write

CVE-2022-3235

    Use After Free

CVE-2022-3256

    Use After Free

CVE-2022-3352

    Use After Free

For Debian 10 buster, these problems have been fixed in version
2:8.1.0875-5+deb10u4.

We recommend that you upgrade your vim packages.

For the detailed security status of vim please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vim

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
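To turn the fixed version named above into a fleet check, here is an added example (it is not part of the Debian or AusCERT bulletin) that lists installed binary packages built from the vim source package whose version still orders below 2:8.1.0875-5+deb10u4. It re-implements dpkg's version ordering (epoch, then upstream and revision compared as alternating non-digit and digit runs, with '~' sorting before everything) and runs over a constructed sample of `dpkg-query -W -f='${Package} ${Version} ${source:Package}\n'` output; on a real host, feed that command's actual output to `vulnerable_packages` instead.

```python
import re
FIXED_VERSION = "2:8.1.0875-5+deb10u4"  # fixed version named in DLA-3204-1

# Constructed sample of `dpkg-query -W -f='${Package} ${Version} ${source:Package}\n'`
# output (not captured from a real host); two of the vim packages are behind the fix.
SAMPLE_DPKG_OUTPUT = """\
vim 2:8.1.0875-5+deb10u2 vim
vim-tiny 2:8.1.0875-5+deb10u4 vim
vim-common 2:8.1.0875-5+deb10u3 vim
neovim 0.3.4-3 neovim
"""

def _order(c):  # dpkg weight of a non-digit char: '~' < end of string < letters < others
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare upstream or revision strings the dpkg way: alternate non-digit runs
    (character by character) and digit runs (numerically) until one side wins."""
    while a or b:
        da, db = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(da):], b[len(db):]
        for i in range(max(len(da), len(db))):
            oa = _order(da[i] if i < len(da) else "")
            ob = _order(db[i] if i < len(db) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 ordering v1 against v2 as `dpkg --compare-versions` does."""
    def split(v):  # 'epoch:upstream-revision' -> (epoch, upstream, revision)
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def vulnerable_packages(dpkg_output, fixed=FIXED_VERSION, source="vim"):
    """Return [(package, version)] built from `source` whose version is below `fixed`."""
    rows = [line.split() for line in dpkg_output.splitlines() if line.strip()]
    return [(pkg, ver) for pkg, ver, src in rows
            if src == source and compare_versions(ver, fixed) < 0]
```

Filtering on the source package rather than the name "vim" matters because vim-tiny, vim-common and the rest are all rebuilt from the same fixed source version.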
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.