1201863 – (CVE-2022-2522) VUL-1: CVE-2022-2522: vim: out of bounds read via nested autocommand

Bug 1201863 (CVE-2022-2522) - VUL-1: CVE-2022-2522: vim: out of bounds read via nested autocommand

Summary: VUL-1: CVE-2022-2522: vim: out of bounds read via nested autocommand

Status:	RESOLVED FIXED

Alias:	CVE-2022-2522

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Zoltan Balogh
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/338141/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-2522:3.3:(AV:L...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2022-07-26 07:54 UTC by Carlos López
Modified:	2022-12-27 08:28 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
poc_hbor4_s.dat (44 bytes, application/octet-stream) 2022-07-26 08:05 UTC, Carlos López	Details
fix invalid read size in ins_compl_add (815 bytes, patch) 2022-09-15 13:14 UTC, Ali Abdallah	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos López 2022-07-26 07:54:01 UTC

CVE-2022-2522

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0060.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2522
https://github.com/vim/vim/commit/5fa9f23a63651a8abdb074b4fc2ec9b1adc6b089
https://huntr.dev/bounties/3a2d83af-9542-4d93-8784-98b115135a22

Comment 1 Carlos López 2022-07-26 07:54:48 UTC

Reproduced on:
 - SUSE:SLE-11-SP2:Update
 - SUSE:SLE-12:Update
 - SUSE:SLE-15:Update
 - openSUSE:Factory

Comment 2 Carlos López 2022-07-26 08:05:36 UTC

Created attachment 860384 [details]
poc_hbor4_s.dat

QA REPRODUCER:

valgrind ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hbor4_s.dat -c :qa!

Comment 3 OBSbugzilla Bot 2022-07-26 12:40:02 UTC

This is an autogenerated message for OBS integration:
This bug (1201863) was mentioned in
https://build.opensuse.org/request/show/991225 Factory / vim

Comment 5 Swamp Workflow Management 2022-09-09 16:28:01 UTC

SUSE-SU-2022:3229-1: An update that solves 40 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1200270,1200697,1200698,1200700,1200701,1200732,1200884,1200902,1200903,1200904,1201132,1201133,1201134,1201135,1201136,1201150,1201151,1201152,1201153,1201154,1201155,1201249,1201356,1201359,1201363,1201620,1201863,1202046,1202049,1202050,1202051,1202414,1202420,1202421,1202511,1202512,1202515,1202552,1202599,1202687,1202689,1202862
CVE References: CVE-2022-1720,CVE-2022-1968,CVE-2022-2124,CVE-2022-2125,CVE-2022-2126,CVE-2022-2129,CVE-2022-2175,CVE-2022-2182,CVE-2022-2183,CVE-2022-2206,CVE-2022-2207,CVE-2022-2208,CVE-2022-2210,CVE-2022-2231,CVE-2022-2257,CVE-2022-2264,CVE-2022-2284,CVE-2022-2285,CVE-2022-2286,CVE-2022-2287,CVE-2022-2304,CVE-2022-2343,CVE-2022-2344,CVE-2022-2345,CVE-2022-2522,CVE-2022-2571,CVE-2022-2580,CVE-2022-2581,CVE-2022-2598,CVE-2022-2816,CVE-2022-2817,CVE-2022-2819,CVE-2022-2845,CVE-2022-2849,CVE-2022-2862,CVE-2022-2874,CVE-2022-2889,CVE-2022-2923,CVE-2022-2946,CVE-2022-3016
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    vim-9.0.0313-150000.5.25.1
openSUSE Leap 15.4 (src):    vim-9.0.0313-150000.5.25.1
openSUSE Leap 15.3 (src):    vim-9.0.0313-150000.5.25.1
SUSE Manager Server 4.1 (src):    vim-9.0.0313-150000.5.25.1
SUSE Manager Retail Branch Server 4.1 (src):    vim-9.0.0313-150000.5.25.1
SUSE Manager Proxy 4.1 (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Server for SAP 15 (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Server 15-LTSS (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Micro 5.2 (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise Micro 5.1 (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    vim-9.0.0313-150000.5.25.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    vim-9.0.0313-150000.5.25.1
SUSE Enterprise Storage 7 (src):    vim-9.0.0313-150000.5.25.1
SUSE Enterprise Storage 6 (src):    vim-9.0.0313-150000.5.25.1
SUSE CaaS Platform 4.0 (src):    vim-9.0.0313-150000.5.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Ali Abdallah 2022-09-15 13:14:07 UTC

Created attachment 861494 [details]
fix invalid read size in ins_compl_add

(In reply to Carlos López from comment #8)
> Correct. You should see the valgrind report by running it with timeout(1):
> 
> timeout 5 valgrind ./vim -u NONE -i NONE -n -m -X -Z -e -s -S
> ./poc_hbor4_s.dat -c :qa!

Thanks!

On recent versions, the issue is in 'ins_compl_infercase_gettext' which doesn't exist on older vim versions.

The CVE-2022-2522 issue on the old vim 7.4 on SLE12 is quiet different, the invalid read size is in 'ins_compl_add' and can be easily fixed by the attached patch, however I'm wondering if it makes sense to fix it without fixing the infinite loop issue.

But, since we will most likely soon get a newer vim version on SLE12, probably the attached patch is enough for the time being for the PTF requested on bug 1203356 for vim 7.4.

Comment 10 Zoltan Balogh 2022-11-23 09:54:59 UTC

The fix is available in the SLE15 Update with 9.0.0313 or newer.

Comment 12 Swamp Workflow Management 2022-12-27 08:28:25 UTC

SUSE-SU-2022:4619-1: An update that solves 104 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1070955,1173256,1174564,1176549,1182324,1190533,1190570,1191770,1191893,1192167,1192478,1192481,1192902,1192903,1192904,1193294,1193298,1193466,1193905,1194093,1194216,1194217,1194388,1194556,1194872,1194885,1195004,1195066,1195126,1195202,1195203,1195332,1195354,1195356,1196361,1198596,1198748,1199331,1199333,1199334,1199651,1199655,1199693,1199745,1199747,1199936,1200010,1200011,1200012,1200270,1200697,1200698,1200700,1200701,1200732,1200884,1200902,1200903,1200904,1201132,1201133,1201134,1201135,1201136,1201150,1201151,1201152,1201153,1201154,1201155,1201249,1201356,1201359,1201363,1201620,1201863,1202046,1202049,1202050,1202051,1202414,1202420,1202421,1202511,1202512,1202515,1202552,1202599,1202687,1202689,1202862,1202962,1203110,1203152,1203155,1203194,1203272,1203508,1203509,1203796,1203797,1203799,1203820,1203924,1204779
CVE References: CVE-2009-0316,CVE-2016-1248,CVE-2017-17087,CVE-2017-5953,CVE-2017-6349,CVE-2017-6350,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3875,CVE-2021-3903,CVE-2021-3927,CVE-2021-3928,CVE-2021-3968,CVE-2021-3973,CVE-2021-3974,CVE-2021-3984,CVE-2021-4019,CVE-2021-4069,CVE-2021-4136,CVE-2021-4166,CVE-2021-4192,CVE-2021-4193,CVE-2021-46059,CVE-2022-0128,CVE-2022-0213,CVE-2022-0261,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0359,CVE-2022-0361,CVE-2022-0392,CVE-2022-0407,CVE-2022-0413,CVE-2022-0696,CVE-2022-1381,CVE-2022-1420,CVE-2022-1616,CVE-2022-1619,CVE-2022-1620,CVE-2022-1720,CVE-2022-1733,CVE-2022-1735,CVE-2022-1771,CVE-2022-1785,CVE-2022-1796,CVE-2022-1851,CVE-2022-1897,CVE-2022-1898,CVE-2022-1927,CVE-2022-1968,CVE-2022-2124,CVE-2022-2125,CVE-2022-2126,CVE-2022-2129,CVE-2022-2175,CVE-2022-2182,CVE-2022-2183,CVE-2022-2206,CVE-2022-2207,CVE-2022-2208,CVE-2022-2210,CVE-2022-2231,CVE-2022-2257,CVE-2022-2264,CVE-2022-2284,CVE-2022-2285,CVE-2022-2286,CVE-2022-2287,CVE-2022-2304,CVE-2022-2343,CVE-2022-2344,CVE-2022-2345,CVE-2022-2522,CVE-2022-2571,CVE-2022-2580,CVE-2022-2581,CVE-2022-2598,CVE-2022-2816,CVE-2022-2817,CVE-2022-2819,CVE-2022-2845,CVE-2022-2849,CVE-2022-2862,CVE-2022-2874,CVE-2022-2889,CVE-2022-2923,CVE-2022-2946,CVE-2022-2980,CVE-2022-2982,CVE-2022-3016,CVE-2022-3037,CVE-2022-3099,CVE-2022-3134,CVE-2022-3153,CVE-2022-3234,CVE-2022-3235,CVE-2022-3278,CVE-2022-3296,CVE-2022-3297,CVE-2022-3324,CVE-2022-3352,CVE-2022-3705
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    vim-9.0.0814-17.9.1
SUSE OpenStack Cloud 9 (src):    vim-9.0.0814-17.9.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    vim-9.0.0814-17.9.1
SUSE Linux Enterprise Server 12-SP5 (src):    vim-9.0.0814-17.9.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    vim-9.0.0814-17.9.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    vim-9.0.0814-17.9.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    vim-9.0.0814-17.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.