Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2025/VULN098 _____________________________________________________________________ DATE : 18/02/2025 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Vim versions prior to 9.1.1115. ===================================================================== https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v _____________________________________________________________________ heap use-after-free in str_to_reg() in Vim < 9.1.1115 Moderate chrisbra published GHSA-63p5-mwg2-787v Feb 16, 2025 Package Vim Affected versions < 9.1.1115 Patched versions v9.1.1115 Description Summary A heap use-after-free was found in Vim < 9.1.1115 Description Vim allows to redirect screen messages using the :redir ex command to register, variables and files. It also allows to show the contents of registers using the :registers or :display ex command. When redirecting the output of :display to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the :display command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the + and * registers (which typically donate the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead. In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers * or +. Impact Impact is medium since this is a rather unusual situation and a user must explicitly run this command. The Vim project would like to thank github user @fizz-is-on-the-way for reporting this issue. The issue has been fixed as of Vim patch v9.1.1115 References: Commit Github Advisory Details Severity Moderate 4.2/ 10 CVSS v3 base metrics Attack vector Local Attack complexity High Privileges required Low User interaction Required Scope Unchanged Confidentiality Low Integrity Low Availability Low CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L CVE ID No known CVE Weaknesses CWE-416 Credits @fizz-is-on-the-way fizz-is-on-the-way Reporter ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================