Hi all. I mailed Bram personally about this several months ago but got no response, so perhaps here is a better place for this.
I'm curious about whether there's any real security impact of many of the "vulnerabilities" that are validated on the huntr.dev platform. Take CVE-2022-3520 [1][2] as an example (which seemingly wasn't supposed to get a CVE, and I've asked the huntr.dev folks about that separately). This "vulnerability" is triggered by crafting a vim command line that feeds a file into the "-S" option, which causes vim to source the file. Is there actually any security boundary being crossed here? If an attacker is able to get their victim to execute code, surely it isn't the fault of the code interpreter if the interpreter executes that code?

Separate from the issue of whether these vulnerabilities are valid at all, there is also an issue that the impact of these "vulnerabilities" doesn't seem to be validated. CVE-2022-3520 claims there is a "HIGH" impact to each of availability, confidentiality, and integrity, but any of this could be caused if Vim's parsing and execution of the script were bug free; that is, there doesn't seem to be anything the "vulnerability" allows for that isn't already possible via vimscript anyway. Even if this were the case, I fail to see how an out-of-bounds 1-byte read can be this severe (especially without the reporter substantiating any of it).

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-3520
[2] https://huntr.dev/bounties/c1db3b70-f4fe-481f-8a24-0b1449c94246/