On 1/20/25 5:04 PM, Christian Brabandt wrote:
> segmentation fault in win_line() in Vim < 9.1.1043
> ==================================================
> Date: 20.01.2025
> Severity: Medium
> CVE: CVE-2025-24014
> CWE: Out-of-bounds Write (CWE-787)
>
> In silent Ex mode (-s -e), Vim typically doesn't show a screen and just
> operates silently in batch mode. However, it is still possible to
> trigger the function that handles the scrolling of a gui version of Vim
> by feeding some binary characters to Vim. The function that handles the
> scrolling however may be triggering a redraw, which will access the
> ScreenLines pointer, even though this variable hasn't been allocated
> (since there is no screen).
>
> In Patch 9.1.1043 Vim will therefore skip the redraw attempt, by testing
> whether the ScreenLines pointer is NULL.
>
> Impact is medium since the user must intentionally and explicitly feed
> some binary data to Vim in ex mode.
>
> The Vim project would like to thank github user @fizz-is-on-the-way
> for reporting this issue.
>
> The issue has been fixed as of Vim patch v9.1.1003
>
> References:
> https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919
> https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955
It seems strange to me to say that it is a vulnerability, for a vim option that accepts a full-blown script to also crash when fuzzed. It's not an attack vector to crash /bin/bash when fed a malformed script, so why is there anything to comment on with regard to vim either? How is this "medium" impact?

--
Eli Schwartz