USN-5723-1: Vim vulnerabilities

14 November 2022

Several security issues were fixed in Vim.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • vim - Vi IMproved - enhanced vi editor

Details

It was discovered that Vim could be made to crash when searching specially
crafted patterns. An attacker could possibly use this to crash Vim and
cause denial of service. (CVE-2022-1674)

It was discovered that there existed a NULL pointer dereference in Vim. An
attacker could possibly use this to crash Vim and cause denial of service.
(CVE-2022-1725)

It was discovered that there existed a buffer over-read in Vim when
searching specially crafted patterns. An attacker could possibly use this
to crash Vim and cause denial of service. (CVE-2022-2124)

It was discovered that there existed a heap buffer overflow in Vim when
auto-indenting lisp. An attacker could possibly use this to crash Vim and
cause denial of service. (CVE-2022-2125)

It was discovered that there existed an out of bounds read in Vim when
performing spelling suggestions. An attacker could possibly use this to
crash Vim and cause denial of service. (CVE-2022-2126)

It was discovered that Vim accessed invalid memory when executing specially
crafted command line expressions. An attacker could possibly use this to
crash Vim, access or modify memory, or execute arbitrary commands.
(CVE-2022-2175)

It was discovered that there existed an out-of-bounds read in Vim when
auto-indenting lisp. An attacker could possibly use this to crash Vim,
access or modify memory, or execute arbitrary commands. (CVE-2022-2183)

It was discovered that Vim accessed invalid memory when terminal size
changed. An attacker could possibly use this to crash Vim, access or modify
memory, or execute arbitrary commands. (CVE-2022-2206)

It was discovered that there existed a stack buffer overflow in Vim's
spelldump. An attacker could possibly use this to crash Vim and cause
denial of service. (CVE-2022-2304)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04

In general, a standard system update will make all the necessary changes.

Related notices