CVE-2022-32207 – curl: Unpreserved file permissions
https://notcve.org/view.php?id=CVE-2022-32207
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. Cuando curl versiones anteriores a 7.84.0, guarda datos de cookies, alt-svc y hsts en archivos locales, hace que la operación sea atómica al finalizar la operación con un renombramiento de un nombre temporal al nombre final del archivo de destino. En esa operación de renombramiento, podría accidentalmente *ampliar* los permisos del archivo de destino, dejando el archivo actualizado accesible a más usuarios de los previstos A vulnerability was found in curl. This issue occurs because when curl saves cookies, alt-svc, and HSTS data to local files, it makes the operation atomic by finalizing the process with a rename from a temporary name to the final target file name. This flaw leads to unpreserved file permissions, either by mistake or by a malicious actor. • http://seclists.org/fulldisclosure/2022/Oct/28 http://seclists.org/fulldisclosure/2022/Oct/41 https://hackerone.com/reports/1573634 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY https://security.gentoo.org/glsa/202212-01 https://security.netapp.com/advisory/ntap-20220915-0003 https://support.apple.com/kb/HT213488 https://www.debian.org/security/2022/dsa-5197 https://access.redhat.com/security/cve/CVE-2022-32207 http • CWE-276: Incorrect Default Permissions CWE-281: Improper Preservation of Permissions CWE-840: Business Logic Errors •
CVE-2022-2124 – Buffer Over-read in vim/vim
https://notcve.org/view.php?id=CVE-2022-2124
Buffer Over-read in GitHub repository vim/vim prior to 8.2. Una Lectura Excesiva del Búfer en el repositorio GitHub vim/vim versiones anteriores a 8.2 • http://seclists.org/fulldisclosure/2022/Oct/28 http://seclists.org/fulldisclosure/2022/Oct/41 http://seclists.org/fulldisclosure/2022/Oct/43 http://seclists.org/fulldisclosure/2022/Oct/45 https://github.com/vim/vim/commit/2f074f4685897ab7212e25931eeeb0212292829f https://huntr.dev/bounties/8e9e056d-f733-4540-98b6-414bf36e0b42 https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264 • CWE-125: Out-of-bounds Read CWE-126: Buffer Over-read •
CVE-2022-2125 – Heap-based Buffer Overflow in vim/vim
https://notcve.org/view.php?id=CVE-2022-2125
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. Un Desbordamiento de Búfer en la Región Heap de la Memoria en el repositorio de GitHub vim/vim versiones anteriores a 8.2 • http://seclists.org/fulldisclosure/2022/Oct/28 http://seclists.org/fulldisclosure/2022/Oct/41 http://seclists.org/fulldisclosure/2022/Oct/43 http://seclists.org/fulldisclosure/2022/Oct/45 https://github.com/vim/vim/commit/0e8e938d497260dd57be67b4966cb27a5f72376f https://huntr.dev/bounties/17dab24d-beec-464d-9a72-5b6b11283705 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN https://lists.fedoraproject.org/archives/list/package-announce%40lists • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2022-2126 – Out-of-bounds Read in vim/vim
https://notcve.org/view.php?id=CVE-2022-2126
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. Una Lectura Fuera de Límites en el repositorio de GitHub vim/vim versiones anteriores a 8.2 • http://seclists.org/fulldisclosure/2022/Oct/28 http://seclists.org/fulldisclosure/2022/Oct/41 http://seclists.org/fulldisclosure/2022/Oct/43 http://seclists.org/fulldisclosure/2022/Oct/45 https://github.com/vim/vim/commit/156d3911952d73b03d7420dc3540215247db0fe8 https://huntr.dev/bounties/8d196d9b-3d10-41d2-9f70-8ef0d08c946e https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264 • CWE-125: Out-of-bounds Read •
CVE-2022-2042 – Use After Free in vim/vim
https://notcve.org/view.php?id=CVE-2022-2042
Use After Free in GitHub repository vim/vim prior to 8.2. Un Uso de Memoria Previamente Liberada en el repositorio GitHub vim/vim versiones anteriores a 8.2 • http://seclists.org/fulldisclosure/2022/Oct/28 http://seclists.org/fulldisclosure/2022/Oct/41 http://seclists.org/fulldisclosure/2022/Oct/43 http://seclists.org/fulldisclosure/2022/Oct/45 https://github.com/vim/vim/commit/2813f38e021c6e6581c0c88fcf107e41788bc835 https://huntr.dev/bounties/8628b4cd-4055-4059-aed4-64f7fdc10eba https://security.gentoo.org/glsa/202208-32 https://security.gentoo.org/glsa/202305-16 https://support.apple.com/kb/HT213443 https://support.apple.com/kb/HT213444 h • CWE-416: Use After Free •