Amazon Linux 1 Security Advisory: ALAS-2022-1628
Advisory Release Date: 2022-07-28 20:41 Pacific
Advisory Updated Date: 2022-08-04 23:02 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution (CVE-2022-1616)
Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution (CVE-2022-1619)
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input. (CVE-2022-1620)
Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution (CVE-2022-1621)
Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution (CVE-2022-1629)
A NULL pointer dereference flaw was found in vim's vim_regexec_string() function in regexp.c file. The issue occurs when the function tries to match the buffer with an invalid pattern. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a NULL pointer dereference that causes an application to crash, leading to a denial of service. (CVE-2022-1674)
A heap buffer over-read vulnerability was found in Vim's grab_file_name() function of the src/findfile.c file. This flaw occurs because the function reads after the NULL terminates the line with "gf" in Visual block mode. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer over-read vulnerability that causes an application to crash and corrupt memory. (CVE-2022-1720)
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.495 (CVE-2022-1725)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968. (CVE-2022-1733)
Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969. (CVE-2022-1735)
Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974. (CVE-2022-1769)
A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to a stack-based buffer overflow vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-1771)
A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to an out-of-bounds write vulnerability in the ex_cmds function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-1785)
A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to a use after free vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-1796)
A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to an out-of-bounds read vulnerability in the gchar_cursor function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-1851)
A heap buffer overflow flaw was found in Vim's utf_head_off() function in the mbyte.c file. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer overflow that causes an application to crash, leading to a denial of service and possibly some amount of memory leak. (CVE-2022-1886)
A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to an out-of-bounds write vulnerability in the vim_regsub_both function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-1897)
A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to a use-after-free vulnerability in the find_pattern_in_path function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-1898)
A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to a buffer over-read vulnerability in the utf_ptr2char function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-1927)
An out-of-bounds write vulnerability was found in Vim's vim_regsub_both() function in the src/regexp.c file. The flaw can open a command-line window from a substitute expression when a text or buffer is locked. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering an out-of-bounds write that causes an application to crash, possibly reading and modifying some amount of memory contents. (CVE-2022-1942)
A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to a use-after-free vulnerability in the utf_ptr2char function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-1968)
An out-of-bounds write vulnerability was found in Vim's append_command() function of the src/ex_docmd.c file. This issue occurs when an error for a command goes over the end of IObuff. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer overflow that causes an application to crash and corrupt memory. (CVE-2022-2000)
A heap use-after-free vulnerability was found in Vim's skipwhite() function of the src/charset.c file. This flaw occurs because of an uninitialized attribute value and freed memory in the spell command. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap use-after-free that causes an application to crash and corrupt memory. (CVE-2022-2042)
Buffer Over-read in GitHub repository vim/vim prior to 8.2. (CVE-2022-2124)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. (CVE-2022-2125)
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. (CVE-2022-2126)
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. (CVE-2022-2129)
A heap buffer over-read vulnerability was found in Vim's put_on_cmdline() function of the src/ex_getln.c file. This issue occurs due to invalid memory access when using an expression on the command line. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer overflow that causes an application to crash and corrupt memory. (CVE-2022-2175)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. (CVE-2022-2182)
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. (CVE-2022-2183)
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. (CVE-2022-2206)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. (CVE-2022-2207)
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163. (CVE-2022-2208)
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. (CVE-2022-2210)
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2. (CVE-2022-2231)
Affected Packages:
vim
Issue Correction:
Run yum update vim to update your system.
i686:
vim-minimal-8.2.5172-1.1.amzn1.i686
vim-debuginfo-8.2.5172-1.1.amzn1.i686
vim-common-8.2.5172-1.1.amzn1.i686
vim-enhanced-8.2.5172-1.1.amzn1.i686
noarch:
vim-filesystem-8.2.5172-1.1.amzn1.noarch
vim-data-8.2.5172-1.1.amzn1.noarch
src:
vim-8.2.5172-1.1.amzn1.src
x86_64:
vim-debuginfo-8.2.5172-1.1.amzn1.x86_64
vim-enhanced-8.2.5172-1.1.amzn1.x86_64
vim-common-8.2.5172-1.1.amzn1.x86_64
vim-minimal-8.2.5172-1.1.amzn1.x86_64