Ubuntu Security Notices
USN-6270-1

USN-6270-1: Vim vulnerabilities

Publication date

3 August 2023

Overview

Several security issues were fixed in Vim.

Releases

22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS 14.04 LTS

Packages

vim - Vi IMproved - enhanced vi editor

Details

It was discovered that Vim incorrectly handled memory when opening certain
files. If an attacker could trick a user into opening a specially crafted
file, it could cause Vim to crash, or possibly execute arbitrary code. This
issue only affected Ubuntu 22.04 LTS. (CVE-2022-2182)

It was discovered that Vim incorrectly handled memory when deleting buffers
in diff mode. An attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-2208)

It was discovered that Vim incorrectly handled memory access. An attacker
could possibly use this issue to cause the corruption of sensitive
information, a crash, or arbitrary code execution. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(

It was discovered that Vim incorrectly handled memory when using nested
:source. An attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-2231)

It was discovered that Vim did not properly perform bounds checks when
processing a menu item with the only modifier. An attacker could possibly
use this issue to cause a denial of service. (CVE-2022-2257)

It was discovered that Vim did not properly perform bounds checks when
going over the end of the typahead. An attacker could possibly use this
issue to cause a denial of service. (CVE-2022-2285)

It was discovered that Vim did not properly perform bounds checks when
reading the provided string. An attacker could possibly use this issue to
cause a denial of service. (CVE-2022-2286)

It was discovered that Vim incorrectly handled memory when adding words
with a control character to the internal spell word list. An attacker could
possibly use this issue to cause a denial of service. (CVE-2022-2287)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release	Package Version
22.04 jammy	vim-athena – 2:8.2.3995-1ubuntu2.10
	xxd – 2:8.2.3995-1ubuntu2.10
	vim-gtk – 2:8.2.3995-1ubuntu2.10
	vim – 2:8.2.3995-1ubuntu2.10
	vim-tiny – 2:8.2.3995-1ubuntu2.10
	vim-gtk3 – 2:8.2.3995-1ubuntu2.10
	vim-nox – 2:8.2.3995-1ubuntu2.10
20.04 focal	vim-athena – 2:8.1.2269-1ubuntu5.16
	xxd – 2:8.1.2269-1ubuntu5.16
	vim-gtk – 2:8.1.2269-1ubuntu5.16
	vim – 2:8.1.2269-1ubuntu5.16
	vim-tiny – 2:8.1.2269-1ubuntu5.16
	vim-gtk3 – 2:8.1.2269-1ubuntu5.16
	vim-nox – 2:8.1.2269-1ubuntu5.16
18.04 bionic	vim-athena – 2:8.0.1453-1ubuntu1.13+esm3
	xxd – 2:8.0.1453-1ubuntu1.13+esm3
	vim-gtk – 2:8.0.1453-1ubuntu1.13+esm3
	vim – 2:8.0.1453-1ubuntu1.13+esm3
	vim-tiny – 2:8.0.1453-1ubuntu1.13+esm3
	vim-gtk3 – 2:8.0.1453-1ubuntu1.13+esm3
	vim-nox – 2:8.0.1453-1ubuntu1.13+esm3
16.04 xenial	vim-athena – 2:7.4.1689-3ubuntu1.5+esm19
	vim-gtk – 2:7.4.1689-3ubuntu1.5+esm19
	vim – 2:7.4.1689-3ubuntu1.5+esm19
	vim-tiny – 2:7.4.1689-3ubuntu1.5+esm19
	vim-gtk3 – 2:7.4.1689-3ubuntu1.5+esm19
	vim-nox – 2:7.4.1689-3ubuntu1.5+esm19
14.04 trusty	vim-athena – 2:7.4.052-1ubuntu3.1+esm11
	vim-gtk – 2:7.4.052-1ubuntu3.1+esm11
	vim – 2:7.4.052-1ubuntu3.1+esm11
	vim-tiny – 2:7.4.052-1ubuntu3.1+esm11
	vim-nox – 2:7.4.052-1ubuntu3.1+esm11

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

USN-5516-1

USN-5516-1