ALAS2022-2022-025

Amazon Linux 2022 Security Advisory: ALAS-2022-025
Advisory Release Date: 2022-02-16 00:51 Pacific
Advisory Updated Date: 2022-02-16 19:15 Pacific
Severity: Medium
Issue Overview:

A flaw was found in vim. The vulnerability occurs due to a crash when recording and using Select mode and leads to an out-of-bounds read. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-0393)

A flaw was found in vim. The vulnerability occurs due to stack corruption when looking for spell suggestions and leads to a stack buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-0408)

A flaw was found in vim. The vulnerability occurs due to using freed memory when the substitute uses a recursive function call, resulting in a use-after-free vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-0413)

A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-0417)

A flaw was found in vim. The vulnerability occurs due to using freed memory which results in a use-after-free vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-0443)


Affected Packages:

vim


Issue Correction:
Run dnf update --releasever=2022.0.20220215 vim to update your system.

New Packages:
aarch64:
    vim-X11-debuginfo-8.2.4314-1.amzn2022.aarch64
    vim-common-debuginfo-8.2.4314-1.amzn2022.aarch64
    vim-enhanced-debuginfo-8.2.4314-1.amzn2022.aarch64
    vim-minimal-debuginfo-8.2.4314-1.amzn2022.aarch64
    vim-minimal-8.2.4314-1.amzn2022.aarch64
    vim-enhanced-8.2.4314-1.amzn2022.aarch64
    vim-X11-8.2.4314-1.amzn2022.aarch64
    vim-debuginfo-8.2.4314-1.amzn2022.aarch64
    vim-debugsource-8.2.4314-1.amzn2022.aarch64
    vim-common-8.2.4314-1.amzn2022.aarch64

noarch:
    vim-filesystem-8.2.4314-1.amzn2022.noarch
    vim-default-editor-8.2.4314-1.amzn2022.noarch
    vim-data-8.2.4314-1.amzn2022.noarch

src:
    vim-8.2.4314-1.amzn2022.src

x86_64:
    vim-enhanced-debuginfo-8.2.4314-1.amzn2022.x86_64
    vim-X11-debuginfo-8.2.4314-1.amzn2022.x86_64
    vim-minimal-8.2.4314-1.amzn2022.x86_64
    vim-common-debuginfo-8.2.4314-1.amzn2022.x86_64
    vim-debuginfo-8.2.4314-1.amzn2022.x86_64
    vim-X11-8.2.4314-1.amzn2022.x86_64
    vim-minimal-debuginfo-8.2.4314-1.amzn2022.x86_64
    vim-debugsource-8.2.4314-1.amzn2022.x86_64
    vim-enhanced-8.2.4314-1.amzn2022.x86_64
    vim-common-8.2.4314-1.amzn2022.x86_64

Additional References

Red Hat: CVE-2022-0393, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443

Mitre: CVE-2022-0393, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443