Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043

[Eli Schwartz <eschwartz () gentoo org>]

On 1/20/25 5:04 PM, Christian Brabandt wrote:
> segmentation fault in win_line() in Vim < 9.1.1043
> ==================================================
> Date: 20.01.2025
> Severity: Medium
> CVE: CVE-2025-24014
> CWE: Out-of-bounds Write (CWE-787)
>
> In silent Ex mode (-s -e), Vim typically doesn't show a screen and just
> operates silently in batch mode. However, it is still possible to
> trigger the function that handles the scrolling of a gui version of Vim
> by feeding some binary characters to Vim. The function that handles the
> scrolling however may be triggering a redraw, which will access the
> ScreenLines pointer, even so this variable hasn't been allocated
> (since there is no screen).
>
> In Patch 9.1.1043 Vim will therefore skip the redraw attempt, by testing
> whether the ScreenLines pointer is NULL.
>
> Impact is medium since the user must intentionally and explicitly feed
> some binary data to Vim in ex mode.
>
> The Vim project would like to thank github user @fizz-is-on-the-way
> for reporting this issue.
>
> The issue has been fixed as of Vim patch v9.1.1003
>
> References:
> https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919
> https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955


It seems strange to me to say that it is a vulnerability, for a vim
option that accepts a full-blown script to also crash when fuzzed.

It's not an attack vector to crash /bin/bash when fed a malformed
script, so why is there anything to comment on with regard to vim either?

How is this "medium" impact?

-- 
Eli Schwartz

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature