USN-6557-1: Vim vulnerabilities
Severity
medium
Vendor
VMware Tanzu
Versions Affected
- Canonical Ubuntu 18.04
Description
It was discovered that Vim could be made to dereference invalid memory. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-1725) It was discovered that Vim could be made to recurse infinitely. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-1771) It was discovered that Vim could be made to write out of bounds with a put command. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-1886) It was discovered that Vim could be made to write out of bounds. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-1897, CVE-2022-2000) It was discovered that Vim did not properly manage memory in the spell command. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-2042) It was discovered that Vim did not properly manage memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2023-46246, CVE-2023-48231) It was discovered that Vim could be made to divide by zero. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04 and Ubuntu 23.10. (CVE-2023-48232) It was discovered that Vim contained multiple arithmetic overflows. An attacker could possibly use these issues to cause a denial of service. (CVE-2023-48233, CVE-2023-48234, CVE-2023-48235, CVE-2023-48236, CVE-2023-48237) It was discovered that Vim did not properly manage memory in the substitute command. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-48706) Update Instructions: Run `sudo pro fix USN-6557-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: vim-common - 2:7.4.1689-3ubuntu1.5+esm22 vim-nox-py2 - 2:7.4.1689-3ubuntu1.5+esm22 vim-gnome - 2:7.4.1689-3ubuntu1.5+esm22 vim-athena-py2 - 2:7.4.1689-3ubuntu1.5+esm22 vim-athena - 2:7.4.1689-3ubuntu1.5+esm22 vim-gtk - 2:7.4.1689-3ubuntu1.5+esm22 vim-gui-common - 2:7.4.1689-3ubuntu1.5+esm22 vim - 2:7.4.1689-3ubuntu1.5+esm22 vim-gtk3-py2 - 2:7.4.1689-3ubuntu1.5+esm22 vim-doc - 2:7.4.1689-3ubuntu1.5+esm22 vim-gtk-py2 - 2:7.4.1689-3ubuntu1.5+esm22 vim-tiny - 2:7.4.1689-3ubuntu1.5+esm22 vim-gnome-py2 - 2:7.4.1689-3ubuntu1.5+esm22 vim-gtk3 - 2:7.4.1689-3ubuntu1.5+esm22 vim-nox - 2:7.4.1689-3ubuntu1.5+esm22 vim-runtime - 2:7.4.1689-3ubuntu1.5+esm22 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro.
Fixed VMware Products and Versions
Severity is medium unless otherwise noted.
- Platform Automation Toolkit
- 4.4.32
- 5.0.25
- 5.1.2
- Cflinuxfs3
- 0.3181.0
- Cflinuxfs4
- 1.61.0
- Operations Manager
- 2.10.69
- 3.0.22+LTS-T
- Tanzu Greenplum for Kubernetes
- 2.0.0
- Jammy Stemcells
- 1.327
- Xenial Stemcell
- 621.793
- CF Deployment
- 30.0.0
- Isolation Segment
- 2.11.45
- 2.13.30
- 4.0.15+LTS-T
- 5.0.5
- VMware Tanzu Application Service for VMs
- 2.11.51
- 2.13.33
- 4.0.15+LTS-T
- 5.0.6
References
https://ubuntu.com/security/notices/USN-6557-1
https://www.cloudfoundry.org/blog/usn-6557-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6557-1
History
2023-12-14: Initial vulnerability report published.