On Sat, Dec 03, 2022 at 02:06:48PM -0600, John Helmert III wrote:
> Hi all. I mailed Bram personally about this several months ago but got
> no response, so perhaps here is a better place for this.
>
> I'm curious about whether there's any real security impact of many of
> the "vulnerabilities" that are validated on the huntr.dev
> platform. Take CVE-2022-3520 [1][2] as an example (which seemingly
> wasn't supposed to get a CVE, and I've asked the huntr.dev folks about
> that separately).
>
> This "vulnerability" is triggered by crafting a vim command line that
> feeds a file into the "-S" option, which causes vim to source the
> file. Is there actually any security boundary being crossed here? If
> an attacker is able to get their victim to execute code, surely it
> isn't the fault of the code interpreter if the interpreter executes
> that code?
>
> Separate from the issue of whether these vulnerabilities are valid at
> all, there is also an issue that the impact of these "vulnerabilities"
> doesn't seem to be validated. CVE-2022-3520 claims there is a "HIGH"
> impact to each of availability, confidentiality, and integrity, but
> any of this could be caused if Vim's parsing and execution of the
> script were bug free, that is, there doesn't seem to be anything the
> "vulnerability" allows for that isn't already possible via vimscript
> anyway. Even if this were the case, I fail to see how an out-of-bounds
> 1-byte read can be this severe (especially without the reporter
> substantiating any of it).
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-3520
> [2] https://huntr.dev/bounties/c1db3b70-f4fe-481f-8a24-0b1449c94246/

Ping? I notice the Google Groups mangling broke my PGP signature on this mail, so sending this one without it in case people's clients filtered it out implicitly or something.
