CVE-2024-43802

{"id": "CVE-2024-43802", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.0}]}, "published": "2024-08-26T19:15:07.943", "references": [{"url": "https://github.com/vim/vim/commit/322ba9108612bead5eb", "source": "security-advisories@github.com"}, {"url": "https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh", "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20241004-0008/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-122"}]}], "descriptions": [{"lang": "en", "value": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "Vim es una versi\u00f3n mejorada del editor de texto Unix VI. Al vaciar el b\u00fafer de escritura anticipada, Vim mueve la posici\u00f3n actual en el b\u00fafer de escritura anticipada pero no verifica si queda suficiente espacio en el b\u00fafer para manejar los siguientes caracteres. Por lo tanto, esto puede llevar a que la posici\u00f3n tb_off dentro de la variable typebuf apunte fuera del tama\u00f1o de b\u00fafer v\u00e1lido, lo que luego puede provocar un desbordamiento del b\u00fafer de mont\u00f3n, por ejemplo, en ins_typebuf(). Por lo tanto, al vaciar el b\u00fafer de escritura anticipada, verifique si queda suficiente espacio antes de avanzar a la posici\u00f3n de apagado. De lo contrario, recurra para vaciar el contenido actual de Typebuf. A\u00fan no est\u00e1 del todo claro qu\u00e9 puede conducir a esta situaci\u00f3n. Parece suceder cuando aparecen mensajes de error (lo que har\u00e1 que Vim vac\u00ede el b\u00fafer de escritura anticipada) en combinaci\u00f3n con varios mappgins largos y, por lo tanto, eventualmente puede mover la posici\u00f3n de apagado fuera de un tama\u00f1o de b\u00fafer v\u00e1lido. El impacto es bajo ya que no es f\u00e1cilmente reproducible y requiere tener varias asignaciones activas y ejecutar alguna condici\u00f3n de error. Pero cuando esto sucede, provocar\u00e1 un bloqueo. El problema se solucion\u00f3 a partir del parche Vim v9.1.0697. Se recomienda a los usuarios que actualicen. No se conocen workarounds para este problema."}], "lastModified": "2024-11-21T09:35:53.910", "sourceIdentifier": "security-advisories@github.com"}