-------------------------------------------------------------------------
Debian LTS Advisory DLA-4097-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
March 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : vim
Version : 2:8.2.2434-3+deb11u3
CVE ID : CVE-2021-3872 CVE-2021-4019 CVE-2021-4173 CVE-2021-4187
CVE-2022-0261 CVE-2022-0351 CVE-2022-0359 CVE-2022-0361
CVE-2022-0392 CVE-2022-0417 CVE-2022-0572 CVE-2022-1616
CVE-2022-1785 CVE-2022-1897 CVE-2022-1942 CVE-2022-2000
CVE-2022-2129 CVE-2022-2304 CVE-2022-3099 CVE-2022-3134
CVE-2022-3324 CVE-2022-4141 CVE-2023-0054 CVE-2023-1175
CVE-2023-2610 CVE-2023-4738 CVE-2023-4752 CVE-2023-4781
CVE-2023-5344 CVE-2024-22667 CVE-2024-43802 CVE-2024-47814
Debian Bug : 1015984 1019590 1027146 1031875 1035955 1053694 1084806
Multiple vulnerabilities were discovered in vim, an enhanced vi editor.
CVE-2021-3872
Heap-based buffer overflow possible if the buffer name is very long.
CVE-2021-4019
Heap-based buffer overflow possible with a very long help argument.
CVE-2021-4173
Double free in the VimScript9 compiler with a nested :def function.
CVE-2021-4187
Double free in the VimScript9 compiler if a nested function has a
line break in its argument list.
CVE-2022-0261
Buffer overflow in block insert, which goes over the end of the line.
CVE-2022-0351
In a command, a condition with many parentheses can cause a crash,
because there was previously no recursion limit.
CVE-2022-0359
A heap-based buffer overflow could occur with a large tabstop in Ex
mode.
CVE-2022-0361
A buffer overflow was found in the code copying lines in Visual
mode.
CVE-2022-0392
A heap-based buffer overflow was found in the code handling
bracketed paste in ex mode.
CVE-2022-0417
The ":retab 0" command may cause a buffer overflow because a limit
was set too high.
CVE-2022-0572
Repeatedly using the ":retab" command may have caused a crash.
CVE-2022-1616
There is a possible buffer overflow when processing an invalid
command with composing characters.
CVE-2022-1785
It was possible to change the window in a substitute expression,
which could lead to an out-of-bounds write.
CVE-2022-1897
It was possible to use the undo command in a substitute expression,
leading to an invalid memory overwrite.
CVE-2022-1942
It was possible to open a command line window from a substitute
expression, leading to a heap-based buffer overflow.
CVE-2022-2000
Command error messages were not truncated, and as such could lead to
out-of-bounds writes.
CVE-2022-2129
It was possible to switch buffers in a substitute expression,
leading to a heap-based buffer overflow.
CVE-2022-2304
Long words might cause a buffer overflow in the spellchecker.
CVE-2022-3099
Line numbers in ":for" commands were not validated, which could lead
to a crash.
CVE-2022-3134
If a relevant window was unexpectedly closed while searching for
tags, vim would crash.
CVE-2022-3324
Negative window widths caused the use of a negative array index,
that is, an invalid read.
CVE-2022-4141
Functions that visit another file during a substitution could cause
a heap-based buffer overflow.
CVE-2023-0054
A recursive substitute expression could cause an out-of-bounds write.
CVE-2023-1175
When doing virtual editing, a buffer size calculation was wrong.
CVE-2023-2610
When expanding "~" in a substitution, if the resulting expansion was
very long, vim would crash.
CVE-2023-4738
A buffer overflow problem was found in vim_regsub_both().
CVE-2023-4752
A use-after-free problem was found in ins_compl_get_exp().
CVE-2023-4781
A second buffer overflow problem was found in vim_regsub_both().
CVE-2023-5344
trunc_string() made an incorrect assumption about when a certain
buffer would be writeable.
CVE-2024-22667
Several calls writing error messages did not check that there was
enough space for the full message.
CVE-2024-43802
The typeahead buffer end pointer could be moved past its end when
flushing that buffer, leading to an out-of-bounds read.
CVE-2024-47814
When splitting the window and editing a new buffer, the new buffer
could be marked for deletion, leading to a use-after-free.
For Debian 11 bullseye, these problems have been fixed in version
2:8.2.2434-3+deb11u3.
We recommend that you upgrade your vim packages.
For the detailed security status of vim please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vim
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
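
The following check is an added example, not part of the advisory or of Debian's tooling: it reimplements dpkg's version ordering (epoch, then upstream, then revision, with "~" sorting first) to flag packages older than the fixed version 2:8.2.2434-3+deb11u3. The `unpatched` helper, the input format and the sample inventory are assumptions made for illustration.

```python
import re
from itertools import zip_longest

FIXED = "2:8.2.2434-3+deb11u3"  # fixed version stated in DLA-4097-1

def _order(c):
    # dpkg ordering inside a non-digit run: '~' < end of run < letters < other
    if c == "~":
        return -1
    return ord(c) if c.isascii() and c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare upstream or revision strings: alternate non-digit and digit runs.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(map(_order, na), map(_order, nb), fillvalue=0):
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)  # numeric, so u10 > u3
        if x != y:
            return -1 if x < y else 1
    return 0

def split_version(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to empty
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def deb_cmp(a, b):
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(listing, fixed=FIXED):
    # listing: lines of "<package> <version>", the format printed by
    # dpkg-query -W -f='${Package} ${Version}\n' (assumed input format)
    pairs = (line.split() for line in listing.splitlines() if line.strip())
    return [pkg for pkg, ver in pairs if deb_cmp(ver, fixed) < 0]

# Constructed sample inventory, not taken from a real host. The last line
# has its epoch stripped, as some inventory exports do; it then sorts lower.
SAMPLE = """\
vim 2:8.2.2434-3+deb11u1
vim-common 2:8.2.2434-3+deb11u3
vim-tiny 2:8.2.2434-3+deb11u10
vim-runtime 8.2.2434-3+deb11u3
"""

if __name__ == "__main__":
    print(unpatched(SAMPLE))
```

On a Debian host, `dpkg --compare-versions` performs the same comparison natively.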