openEuler update for vim

Published: 2022-07-14
Risk: High
Patch available: YES
Number of vulnerabilities: 11
CVE-ID: CVE-2022-1720, CVE-2022-2208, CVE-2022-2207, CVE-2022-2183, CVE-2022-2284, CVE-2022-2285, CVE-2022-2304, CVE-2022-2345, CVE-2022-2344, CVE-2022-2042, CVE-2022-2000
CWE-ID: CWE-125, CWE-476, CWE-122, CWE-190, CWE-121, CWE-416, CWE-787
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
openEuler
Operating systems & Components / Operating system

vim-filesystem
Operating systems & Components / Operating system package or component

vim-X11
Operating systems & Components / Operating system package or component

vim-common
Operating systems & Components / Operating system package or component

vim-minimal
Operating systems & Components / Operating system package or component

vim-enhanced
Operating systems & Components / Operating system package or component

vim-debugsource
Operating systems & Components / Operating system package or component

vim-debuginfo
Operating systems & Components / Operating system package or component

vim
Operating systems & Components / Operating system package or component

Vendor openEuler

Security Bulletin

This security bulletin contains information about 11 vulnerabilities.

1) Out-of-bounds read

EUVDB-ID: #VU64714

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1720

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in normal.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) NULL pointer dereference

EUVDB-ID: #VU64708

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2208

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in diff.c. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Heap-based buffer overflow

EUVDB-ID: #VU64709

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2207

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in edit.c. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds read

EUVDB-ID: #VU64711

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2183

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in indent.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Heap-based buffer overflow

EUVDB-ID: #VU65412

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2284

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the utfc_ptr2len() function at mbyte.c:2113. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Integer overflow

EUVDB-ID: #VU65411

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2285

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in the del_typebuf() function at getchar.c:1204. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Stack-based buffer overflow

EUVDB-ID: #VU65395

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2304

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the spell_dump_compl() function at spell.c:4038. A remote unauthenticated attacker can trick the victim into opening a specially crafted file, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Use-after-free

EUVDB-ID: #VU65394

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2345

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error in the skipwhite() function at charset.c:1428. A remote attacker can trick the victim into opening a specially crafted file and compromise the vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Heap-based buffer overflow

EUVDB-ID: #VU65418

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2344

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the ins_compl_add() function at insexpand.c:751. A remote attacker can trick the victim into opening specially crafted data, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Use-after-free

EUVDB-ID: #VU64706

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2042

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error in spell.c. A remote attacker can trick the victim into opening a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Out-of-bounds write

EUVDB-ID: #VU64719

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2000

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in ex_docmd.c. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

vim-filesystem: before 8.2-42

vim-X11: before 8.2-42

vim-common: before 8.2-42

vim-minimal: before 8.2-42

vim-enhanced: before 8.2-42

vim-debugsource: before 8.2-42

vim-debuginfo: before 8.2-42

vim: before 8.2-42

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
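Every entry in this bulletin lists the same fixed build, 8.2-42, for the eight vim packages. The following audit script is an added example, not part of the bulletin or of openEuler's tooling: it queries rpm for each package named above and reports whether the installed VERSION-RELEASE is still below the fixed build. It assumes an RPM-based host with `rpm` on PATH, and the comparison is a simplified rpmvercmp (numeric segments compare numerically, alphabetic segments lexically, a longer string wins when the shorter is a prefix), so an openEuler dist-tagged release such as 8.2-42.oe1 is treated as fixed.

```python
"""Audit openEuler vim packages against the fixed build 8.2-42 (added example)."""
import re
import subprocess

FIXED = "8.2-42"  # VERSION-RELEASE named in the bulletin
PACKAGES = ["vim-filesystem", "vim-X11", "vim-common", "vim-minimal",
            "vim-enhanced", "vim-debugsource", "vim-debuginfo", "vim"]


def _segments(s):
    # rpm compares runs of digits and runs of letters as separate segments
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Return -1, 0 or 1 for a<b, a==b, a>b (simplified rpmvercmp)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alpha
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer wins on tie


def compare_vr(installed, fixed):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)


def is_vulnerable(installed_vr, fixed_vr=FIXED):
    return compare_vr(installed_vr, fixed_vr) < 0


def installed_version(pkg):
    """Ask rpm for VERSION-RELEASE of pkg; None if it is not installed."""
    r = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", pkg],
                       capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


def audit(lookup=installed_version):
    """Map each bulletin package to 'vulnerable', 'fixed' or 'not installed'."""
    result = {}
    for pkg in PACKAGES:
        vr = lookup(pkg)
        if vr is None:
            result[pkg] = "not installed"
        else:
            result[pkg] = "vulnerable" if is_vulnerable(vr) else "fixed"
    return result


if __name__ == "__main__":
    for pkg, state in audit().items():
        print(f"{pkg}: {state}")
```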
