CVE-2024-47814 – use-after-free when closing buffers in Vim
https://notcve.org/view.php?id=CVE-2024-47814
Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window), a BufWinLeave auto command can cause a use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However, this may lead to a crash.
References:
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
https://github.com/vim/vim/commit/51b62387be93c65fa56bbabe1c3
CWE-416: Use After Free
CVE-2024-45306 – heap-buffer-overflow in Vim
https://notcve.org/view.php?id=CVE-2024-45306
Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end of a line. At the time, this loop was assumed to be unnecessary. However, this change made it possible for the cursor position to stay invalid and point beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line pointer at the specified cursor position. It is not yet clear what can lead to the cursor pointing to an invalid position.
References:
https://github.com/vim/vim/security/advisories/GHSA-wxf9-c5gx-qrwr
https://github.com/vim/vim/commit/396fd1ec2956307755392a1
https://github.com/vim/vim/releases/tag/v9.1.0038
CWE-122: Heap-based Buffer Overflow
CVE-2024-43802 – heap-buffer-overflow in ins_typebuf() in Vim < 9.1.0697
https://notcve.org/view.php?id=CVE-2024-43802
Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. This may cause the tb_off position within the typebuf variable to point outside of the valid buffer size, which can later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check whether there is enough space left before advancing the off position. If not, fall back to flushing the current typebuf contents.
References:
https://github.com/vim/vim/commit/322ba9108612bead5eb
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
CWE-122: Heap-based Buffer Overflow
CVE-2024-43790 – heap-buffer-overflow in do_search() in Vim < 9.1.0689
https://notcve.org/view.php?id=CVE-2024-43790
Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because the reversed buffer is sized with the strlen() function, which only counts until it reaches an ASCII NUL byte), and thus the original length indicator is wrong.
References:
https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc
https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm
CWE-122: Heap-based Buffer Overflow
CVE-2024-43374 – Vim heap-use-after-free in src/arglist.c:207
https://notcve.org/view.php?id=CVE-2024-43374
The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure, which contains a reference to the argument list that is actually being modified, to be freed. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause a use-after-free. Impact is low since the user must intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim.
References:
https://github.com/vim/vim/security/advisories/GHSA-2w8m-443v-cgvw
https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8
CWE-416: Use After Free