Ubuntu update for vim

1) Heap-based buffer overflow

EUVDB-ID: #VU62026

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0943

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package vim to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 22.04

vim (Ubuntu package): before 2:8.2.3995-1ubuntu2.1

External links

http://ubuntu.com/security/notices/USN-5613-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free

EUVDB-ID: #VU61763

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1154

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the utf_ptr2char() function in regexp_bt.c. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected package vim to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 22.04

vim (Ubuntu package): before 2:8.2.3995-1ubuntu2.1

External links

http://ubuntu.com/security/notices/USN-5613-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use of Out-of-range Pointer Offset

EUVDB-ID: #VU63044

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1420

CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service on the target application.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a use of out-of-range pointer offset and crash the application.

Mitigation

Update the affected package vim to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 22.04

vim (Ubuntu package): before 2:8.2.3995-1ubuntu2.1

External links

http://ubuntu.com/security/notices/USN-5613-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Heap-based buffer overflow

EUVDB-ID: #VU63042

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1616

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package vim to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 22.04

vim (Ubuntu package): before 2:8.2.3995-1ubuntu2.1

External links

http://ubuntu.com/security/notices/USN-5613-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Heap-based buffer overflow

EUVDB-ID: #VU62875

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1619

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing data in the cmdline_erase_chars() function in ex_getln.c. A remote attacker can trick the victim to open a specially crafted file, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package vim to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 22.04

vim (Ubuntu package): before 2:8.2.3995-1ubuntu2.1

External links

http://ubuntu.com/security/notices/USN-5613-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) NULL pointer dereference

EUVDB-ID: #VU62876

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1620

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the vim_regexec_string() function in regexp.c. A remote attacker can trick the victim to open a specially crafted file, trigger NULL pointer dereference error and crash the application.

Mitigation

Update the affected package vim to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 22.04

vim (Ubuntu package): before 2:8.2.3995-1ubuntu2.1

External links

http://ubuntu.com/security/notices/USN-5613-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Heap-based buffer overflow

EUVDB-ID: #VU63041

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1621

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package vim to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 22.04

vim (Ubuntu package): before 2:8.2.3995-1ubuntu2.1

External links

http://ubuntu.com/security/notices/USN-5613-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.