Bug 833572 (CVE-2022-0629, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729, CVE-2022-0943) - <app-editors/vim-8.2.4586: multiple vulnerabilities
Summary: <app-editors/vim-8.2.4586: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-0629, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729, CVE-2022-0943
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/vim/vim/commit/34f...
Whiteboard: B3 [glsa+]
Keywords: PullRequest
Depends on: 849338
Reported: 2022-02-17 21:29 UTC by John Helmert III
Modified: 2022-08-21 02:16 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-17 21:29:40 UTC
CVE-2022-0629:

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Fix in 8.2.4397.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-20 17:06:39 UTC
CVE-2022-0685 (https://github.com/vim/vim/commit/5921aeb5741fc6e84c870d68c7c35b93ad0c9f87):

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4418.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-23 15:58:49 UTC
CVE-2022-0729 (https://huntr.dev/bounties/f3f3d992-7bd6-4ee5-a502-ae0e5f8016ea):

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.

CVE-2022-0714 (https://github.com/vim/vim/commit/4e889f98e95ac05d7c8bd3ee933ab4d47820fdfa):

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-15 15:21:48 UTC
CVE-2022-0943 (https://github.com/vim/vim/commit/5c68617d395f9d7b824f68475b24ce3e38d653a3):

Heap-based Buffer Overflow occurs in vim in GitHub repository vim/vim prior to 8.2.4563.
Comment 4 Larry the Git Cow gentoo-dev 2022-03-21 23:42:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e29157e8acb1c2750139326314e527ee0235774

commit 2e29157e8acb1c2750139326314e527ee0235774
Author:     Meena Shanmugam <meenashanmugam@google.com>
AuthorDate: 2022-03-17 21:54:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-21 23:38:48 +0000

    app-editors/gvim: version bump to v8.2.4586.
    
    This is needed to resolve CVE-2022-0714, CVE-2022-0696, CVE-2022-0685,
    CVE-2022-0729, CVE-2022-0572 and CVE-2022-0629.
    
    Bug: https://bugs.gentoo.org/833572
    Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
    Closes: https://github.com/gentoo/gentoo/pull/24629
    Signed-off-by: Sam James <sam@gentoo.org>

 app-editors/gvim/Manifest             |   1 +
 app-editors/gvim/gvim-8.2.4586.ebuild | 383 ++++++++++++++++++++++++++++++++++
 2 files changed, 384 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=601495240b55ed1730c209da20689b84145b7d55

commit 601495240b55ed1730c209da20689b84145b7d55
Author:     Meena Shanmugam <meenashanmugam@google.com>
AuthorDate: 2022-03-17 21:48:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-21 23:38:46 +0000

    app-editors/vim-core: version bump to v8.2.4586.
    
    This is needed to resolve CVE-2022-0714, CVE-2022-0696, CVE-2022-0685,
    CVE-2022-0729, CVE-2022-0572 and CVE-2022-0629.
    
    Bug: https://bugs.gentoo.org/833572
    Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-editors/vim-core/Manifest                 |   1 +
 app-editors/vim-core/vim-core-8.2.4586.ebuild | 231 ++++++++++++++++++++++++++
 2 files changed, 232 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1be9c7bdc9ceb697535cebdf94536f36779d3fa8

commit 1be9c7bdc9ceb697535cebdf94536f36779d3fa8
Author:     Meena Shanmugam <meenashanmugam@google.com>
AuthorDate: 2022-03-17 21:36:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-21 23:38:44 +0000

    app-editors/vim: version bump to v8.2.4586.
    
    This is needed to resolve CVE-2022-0714, CVE-2022-0696, CVE-2022-0685,
    CVE-2022-0729, CVE-2022-0572 and CVE-2022-0629.
    
    Bug: https://bugs.gentoo.org/833572
    Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-editors/vim/Manifest            |   1 +
 app-editors/vim/vim-8.2.4586.ebuild | 350 ++++++++++++++++++++++++++++++++++++
 2 files changed, 351 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2022-06-26 19:37:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a43cf558989922caf611410f0e381b22480ceeba

commit a43cf558989922caf611410f0e381b22480ceeba
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-06-26 19:33:23 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-06-26 19:37:34 +0000

    app-editors/vim: Drop old versions
    
    Bug: https://bugs.gentoo.org/833572
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 app-editors/vim/Manifest               |   1 -
 app-editors/vim/vim-8.2.4328-r1.ebuild | 350 ---------------------------------
 2 files changed, 351 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd7f1c1443c3218ac445dc15abe99a152d387b29

commit dd7f1c1443c3218ac445dc15abe99a152d387b29
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-06-26 19:33:22 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-06-26 19:37:30 +0000

    app-editors/vim-core: Drop old versions
    
    Bug: https://bugs.gentoo.org/833572
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 app-editors/vim-core/Manifest                    |   1 -
 app-editors/vim-core/vim-core-8.2.4328-r1.ebuild | 231 -----------------------
 2 files changed, 232 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 05:32:01 UTC
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2022-08-21 02:09:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2cee523fe648754bae0e4ed2a531da672ac5fa15

commit 2cee523fe648754bae0e4ed2a531da672ac5fa15
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-21 01:33:31 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-21 01:40:46 +0000

    [ GLSA 202208-32 ] Vim, gVim: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/811870
    Bug: https://bugs.gentoo.org/818562
    Bug: https://bugs.gentoo.org/819528
    Bug: https://bugs.gentoo.org/823473
    Bug: https://bugs.gentoo.org/824930
    Bug: https://bugs.gentoo.org/828583
    Bug: https://bugs.gentoo.org/829658
    Bug: https://bugs.gentoo.org/830106
    Bug: https://bugs.gentoo.org/830994
    Bug: https://bugs.gentoo.org/833572
    Bug: https://bugs.gentoo.org/836432
    Bug: https://bugs.gentoo.org/851231
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-32.xml | 168 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 168 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-21 02:16:57 UTC
GLSA released, all done!