diff --git a/cve/sudo/2023/CVE-2023-28487/README.md b/cve/sudo/2023/CVE-2023-28487/README.md new file mode 100644 index 0000000000000000000000000000000000000000..04c3b320740f9c1aad53397706d805d5d5ca3df7 --- /dev/null +++ b/cve/sudo/2023/CVE-2023-28487/README.md 
@@ -0,0 +1,93 @@ +Sandipan Roy 2023-03-17 07:51:42 UTC +More information about this security flaw is available in the following bug: + +http://bugzilla.redhat.com/show_bug.cgi?id=2179273 + +Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. + +Comment 1Sandipan Roy 2023-03-17 07:51:45 UTC +Use the following template to for the 'fedpkg update' request to submit an +update for this issue as it contains the top-level parent bug(s) as well as +this tracking bug. This will ensure that all associated bugs get updated +when new packages are pushed to stable. + +===== + +# bugfix, security, enhancement, newpackage (required) +type=security + +# low, medium, high, urgent (required) +severity=medium + +# testing, stable +request=testing + +# Bug numbers: 1234,9876 +bugs=2179273,2179276 + +# Description of your update +notes=Security fix for [PUT CVEs HERE] + +# Enable request automation based on the stable/unstable karma thresholds +autokarma=True +stable_karma=3 +unstable_karma=-3 + +# Automatically close bugs when this marked as stable +close_bugs=True + +# Suggest that users restart after update +suggest_reboot=False + +====== + +Additionally, you may opt to use the bodhi web interface to submit updates: + +https://bodhi.fedoraproject.org/updates/new + +Sandipan Roy 2023-03-17 07:51:47 UTC +More information about this security flaw is available in the following bug: + +http://bugzilla.redhat.com/show_bug.cgi?id=2179273 + +Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. 
+ +Comment 1Sandipan Roy 2023-03-17 07:51:51 UTC +Use the following template to for the 'fedpkg update' request to submit an +update for this issue as it contains the top-level parent bug(s) as well as +this tracking bug. This will ensure that all associated bugs get updated +when new packages are pushed to stable. + +===== + +# bugfix, security, enhancement, newpackage (required) +type=security + +# low, medium, high, urgent (required) +severity=medium + +# testing, stable +request=testing + +# Bug numbers: 1234,9876 +bugs=2179273,2179277 + +# Description of your update +notes=Security fix for [PUT CVEs HERE] + +# Enable request automation based on the stable/unstable karma thresholds +autokarma=True +stable_karma=3 +unstable_karma=-3 + +# Automatically close bugs when this marked as stable +close_bugs=True + +# Suggest that users restart after update +suggest_reboot=False + +====== + +Additionally, you may opt to use the bodhi web interface to submit updates: + +https://bodhi.fedoraproject.org/updates/new \ No newline at end of file diff --git a/cve/sudo/2023/yaml/CVE-2023-28487.yaml b/cve/sudo/2023/yaml/CVE-2023-28487.yaml new file mode 100644 index 0000000000000000000000000000000000000000..67c24d3c9e30d73bbe4219ee39f9f7e2b8241e98 --- /dev/null +++ b/cve/sudo/2023/yaml/CVE-2023-28487.yaml 
@@ -0,0 +1,22 @@ +id: CVE-2023-28487 +source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28487 +info: + name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。 + severity: medium + description: + Sudo无法转义sudoreplay中输出的控制字符。 + scope-of-influence: + sudo < 1.9.13 + references: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28487 + - MISC:https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca + - MISC:https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N + cvss-score: 5.5 + cve-id: CVE-2023-28487 + cwe-id: None + cnvd-id: None + kve-id: None + tags: cve 2023 + \ No newline at end of file diff --git a/cve/vim/2023/CVE-2023-1355 Detail/README.md b/cve/vim/2023/CVE-2023-1355 Detail/README.md new file mode 100644 index 0000000000000000000000000000000000000000..1eca1bc8dd20099cfbf71222b77411328415a1aa --- /dev/null +++ b/cve/vim/2023/CVE-2023-1355 Detail/README.md 
@@ -0,0 +1,245 @@ + **Description** +null pointer dereference in class_object_index at vim9class.c:1356 +variable cl in class_object_index at vim9class.c:1254 is NULL +at last, reference to cl refers to NULL + + **Version** + +$ git log +commit c727b19e9f1df36e44321d933334c7b4961daa54 (HEAD -> master, tag: v9.0.1374, origin/master, origin/HEAD) +Author: Yegappan Lakshmanan +Date: Fri Mar 3 12:26:15 2023 +0000 + + patch 9.0.1374: function for setting options not used consistently + + Problem: Function for setting options not used consistently. + Solution: Use a function for 'encoding' and terminal options. (Yegappan + Lakshmanan, closes #12099) + **Proof of Concept** + +$ ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa! +Segmentation fault (core dumped) + + **Debug** + +huntr +Search... +Bounties524 Community More +Submit report + Login +null pointer dereference in class_object_index at vim9class.c:1356 in vim/vim +0 + + Valid Reported on Mar 4th 2023 +Description +null pointer dereference in class_object_index at vim9class.c:1356 +variable cl in class_object_index at vim9class.c:1254 is NULL +at last, reference to cl refers to NULL + +Version +$ git log +commit c727b19e9f1df36e44321d933334c7b4961daa54 (HEAD -> master, tag: v9.0.1374, origin/master, origin/HEAD) +Author: Yegappan Lakshmanan +Date: Fri Mar 3 12:26:15 2023 +0000 + + patch 9.0.1374: function for setting options not used consistently + + Problem: Function for setting options not used consistently. + Solution: Use a function for 'encoding' and terminal options. (Yegappan + Lakshmanan, closes #12099) + +Proof of Concept +$ ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa! +Segmentation fault (core dumped) +Debug +gdb-peda$ r -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa! +Starting program: /home/user/recentvim/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa! +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 
+ +Program received signal SIGSEGV, Segmentation fault. +Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated. +Use 'set logging enabled off'. + +Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated. +Use 'set logging enabled on'. + + +[----------------------------------registers-----------------------------------] +RAX: 0x0 +RBX: 0x0 +RCX: 0x2 +RDX: 0x55555569ba29 (: endbr64) +RSI: 0x0 +RDI: 0x555555969673 --> 0x210000000061 ('a') +RBP: 0x7fffffffbc80 --> 0x7fffffffbd20 --> 0x7fffffffbda0 --> 0x7fffffffbe20 --> 0x7fffffffbeb0 --> 0x7fffffffbff0 (--> ...) +RSP: 0x7fffffffb9f0 --> 0x100000000 +RIP: 0x5555558074d1 (: mov eax,DWORD PTR [rax+0x40]) +R8 : 0x1 +R9 : 0x55555596c710 ("E1004: White space required before and after '=' at \"\t=null_class.a\"") +R10: 0x55555596ccc0 --> 0x570 +R11: 0xa ('\n') +R12: 0x7fffffffddf8 --> 0x7fffffffe1fe ("/home/user/recentvim/vim/src/vim") +R13: 0x55555588a9b7 (
: endbr64) +R14: 0x555555906038 --> 0x55555558cac0 (<__do_global_dtors_aux>: endbr64) +R15: 0x7ffff7ffd040 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f +EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) +[-------------------------------------code-------------------------------------] + 0x5555558074c1 : jmp 0x55555580750d + 0x5555558074c3 : add DWORD PTR [rbp-0x254],0x1 + 0x5555558074ca : mov rax,QWORD PTR [rbp-0x238] +=> 0x5555558074d1 : mov eax,DWORD PTR [rax+0x40] + 0x5555558074d4 : cmp DWORD PTR [rbp-0x254],eax + 0x5555558074da : jl 0x5555558073be + 0x5555558074e0 : mov rax,QWORD PTR [rbp-0x238] + 0x5555558074e7 : mov rax,QWORD PTR [rax] +[------------------------------------stack-------------------------------------] +0000| 0x7fffffffb9f0 --> 0x100000000 +0008| 0x7fffffffb9f8 --> 0x7fffffffc510 --> 0x1 +0016| 0x7fffffffba00 --> 0x7fffffffc500 --> 0x10 +0024| 0x7fffffffba08 --> 0x7fffffffc440 --> 0x555555969673 --> 0x210000000061 ('a') +0032| 0x7fffffffba10 --> 0x0 +0040| 0x7fffffffba18 --> 0x0 +0048| 0x7fffffffba20 --> 0x0 +0056| 0x7fffffffba28 --> 0x0 +[------------------------------------------------------------------------------] +Legend: code, data, rodata, value +Stopped reason: SIGSEGV +0x00005555558074d1 in class_object_index (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at vim9class.c:1356 +1356 for (int i = 0; i < cl->class_class_member_count; ++i) +gdb-peda$ bt +#0 0x00005555558074d1 in class_object_index (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at vim9class.c:1356 +#1 0x00005555555f3045 in handle_subscript (arg=0x7fffffffc440, name_start=0x0, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at eval.c:6934 +#2 0x00005555555ee0f3 in eval9 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, want_string=0x0) at eval.c:4310 +#3 0x00005555555ed2bb in eval8 (arg=0x7fffffffc440, rettv=0x7fffffffc500, 
evalarg=0x7fffffffc510, want_string=0x0) at eval.c:3840 +#4 0x00005555555ecd0b in eval7 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, want_string=0x0) at eval.c:3644 +#5 0x00005555555ec452 in eval6 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3423 +#6 0x00005555555ec114 in eval5 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3312 +#7 0x00005555555ebbe8 in eval4 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3163 +#8 0x00005555555eb6f7 in eval3 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3024 +#9 0x00005555555eb21f in eval2 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:2898 +#10 0x00005555555eaad2 in eval1 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:2744 +#11 0x00005555555ea85a in eval0_retarg (arg=0x555555969668 "null_class.a", rettv=0x7fffffffc500, eap=0x7fffffffc6a0, evalarg=0x7fffffffc510, retarg=0x0) at eval.c:2655 +#12 0x00005555555ea69b in eval0 (arg=0x555555969668 "null_class.a", rettv=0x7fffffffc500, eap=0x7fffffffc6a0, evalarg=0x7fffffffc510) at eval.c:2589 +#13 0x0000555555608779 in ex_let (eap=0x7fffffffc6a0) at evalvars.c:1149 +#14 0x0000555555607eb8 in ex_var (eap=0x7fffffffc6a0) at evalvars.c:960 +#15 0x000055555562314c in do_one_cmd (cmdlinep=0x7fffffffc8d0, flags=0x7, cstack=0x7fffffffc9b0, fgetline=0x55555575fe37 , cookie=0x7fffffffd120) at ex_docmd.c:2580 +#16 0x000055555562009e in do_cmdline (cmdline=0x55555596c350 "vim9@_\t=null_class.a", fgetline=0x55555575fe37 , cookie=0x7fffffffd120, flags=0x7) at ex_docmd.c:993 +#17 0x000055555575eca8 in do_source_ext (fname=0x555555968893 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x0, clearvars=0x0) at scriptfile.c:1759 +#18 0x000055555575f3a3 in do_source (fname=0x555555968893 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1905 +#19 0x000055555575de5f in cmd_source 
(fname=0x555555968893 "poc", eap=0x7fffffffd2d0) at scriptfile.c:1250 +#20 0x000055555575dea6 in ex_source (eap=0x7fffffffd2d0) at scriptfile.c:1276 +#21 0x000055555562314c in do_one_cmd (cmdlinep=0x7fffffffd500, flags=0xb, cstack=0x7fffffffd5e0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580 +#22 0x000055555562009e in do_cmdline (cmdline=0x555555968850 "so poc", fgetline=0x0, cookie=0x0, flags=0xb) at ex_docmd.c:993 +#23 0x000055555561f535 in do_cmdline_cmd (cmd=0x555555968850 "so poc") at ex_docmd.c:587 +#24 0x000055555588e6da in exe_commands (parmp=0x555555953800 ) at main.c:3146 +#25 0x000055555588b50f in vim_main2 () at main.c:782 +#26 0x000055555588ae7c in main (argc=0xf, argv=0x7fffffffddf8) at main.c:433 +#27 0x00007ffff7c29d90 in __libc_start_call_main (main=main@entry=0x55555588a9b7
, argc=argc@entry=0xf, argv=argv@entry=0x7fffffffddf8) at ../sysdeps/nptl/libc_start_call_main.h:58 +#28 0x00007ffff7c29e40 in __libc_start_main_impl (main=0x55555588a9b7
, argc=0xf, argv=0x7fffffffddf8, init=, fini=, rtld_fini=, + stack_end=0x7fffffffdde8) at ../csu/libc-start.c:392 +#29 0x000055555558ca45 in _start () +gdb-peda$ p cl +$1 = (class_T *) 0x0 +gdb-peda$ p *(typval_T *) rettv +$2 = { + v_type = VAR_CLASS, + v_lock = 0x0, + vval = { + v_number = 0x0, + v_float = 0, + v_string = 0x0, + v_list = 0x0, + v_dict = 0x0, + v_partial = 0x0, + v_job = 0x0, + v_channel = 0x0, + v_blob = 0x0, + v_instr = 0x0, + v_class = 0x0, + v_object = 0x0 + } +} + +poc + +Impact +it can lead to DoS, possibly code execution + +We are processing your report and will contact the vim team within 24 hours. 19 days ago +We have contacted a member of the vim team and are waiting to hear back 18 days ago + +Bram Moolenaar validated this vulnerability 10 days ago +I can reproduce the problem, the POC is short, I can use it for a regression test. + + +thkim0 has been awarded the disclosure bounty +The fix bounty is now up for grabs +The researcher's credibility has increased: +7 + +Bram Moolenaar marked this as fixed in 9.0.1402 with commit d13dd3 10 days ago +Bram Moolenaar has been awarded the fix bounty +This vulnerability has been assigned a CVE + +Bram Moolenaar published this vulnerability 10 days ago +Sign in to join this conversation +CVE +CVE-2023-1355 +(Published) +Vulnerability Type +CWE-476: NULL Pointer Dereference +Severity +High (8.4) +Attack vector +Local +Attack complexity +Low +Privileged required +None +User interaction +None +Scope +Unchanged +Confidentiality +High +Integrity +High +Availability +High +Open in visual CVSS calculator +Registry +Other +Affected Version +* + +Visibility +Public +Status +Fixed +Found by + +User avatar +thkim0 +@thkim0 +unranked +Fixed by + +User avatar +Bram Moolenaar +@brammool +maintainer +This report was seen 474 times. +2022 © 418sec + +huntr +home +hacktivity +leaderboard +FAQ +contact us +terms +privacy policy +part of 418sec +company +about +team 
diff --git a/cve/vim/2023/yaml/CVE-2023-1355.yaml b/cve/vim/2023/yaml/CVE-2023-1355.yaml new file mode 100644 index 0000000000000000000000000000000000000000..dcff2d972b1d3662b0f66269a33a0f27e8ee01e6 --- /dev/null +++ b/cve/vim/2023/yaml/CVE-2023-1355.yaml @@ -0,0 +1,19 @@ +id: CVE-2023-1355 +source: https://huntr.dev/bounties/4d0a9615-d438-4f5c-8dd6-aa22f4b716d9 +info: + name: Vim是一款基于UNIX平台的编辑器,由vi发展而来。 + severity: high + description: | + GitHub存储库vim/vim中的NULL指针解引用。 + scope-of-influence: + vim < 9.0.1402 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-1355 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + cvss-score: 8.4 + cve-id: CVE-2023-1355 + cwe-id: CWE-476 + cnvd-id: None + kve-id: None + tags: cve2023 \ No newline at end of file diff --git a/other_list.yaml b/other_list.yaml index 428354b052e24bcd706182b37e638525cdc3550c..ff7d97dee7c3e2de1930eedda1b0295d2fe7dec9 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -32,4 +32,8 @@ cve: - CVE-2022-0529 django: - CVE-2022-34265 + vim: + - CVE-2023-1355 + sudo: + - CVE-2023-28487 cnvd:
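Review bot: In cve/sudo/2023/CVE-2023-28487/README.md the whole body is a verbatim paste of two Fedora Bugzilla tracker comments that are identical apart from the tracking-bug number (bugs=2179273,2179276 versus bugs=2179273,2179277), including the unfilled template line `notes=Security fix for [PUT CVEs HERE]` and the run-together "Comment 1Sandipan Roy" artefact; nothing in it describes the flaw itself. Suggest replacing it with a short description that matches the YAML added in the same commit (sudoreplay does not escape control characters in its output; fixed in sudo 1.9.13), a link to the upstream fix commit 334daf92b31b79ce68ed75e2ee14fca265f029ca, and a single link to Red Hat bug 2179273.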
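Review bot: In cve/sudo/2023/yaml/CVE-2023-28487.yaml the `name` field holds a paragraph about sudo and sudoedit rather than a product name, while the affected component named in `description` is sudoreplay; keep `name` to the product and move the explanation into `description`. The key is spelled `references:` here but `reference:` in the vim YAML of the same commit, and the tag is `cve 2023` here versus `cve2023` there; pick one spelling for each so tooling that reads these files can rely on it. `cwe-id: None` is left empty although the description (control characters not escaped in sudoreplay output) identifies the weakness class; fill it in or state explicitly that no CWE was assigned. Also drop the whitespace-only last line and add the missing trailing newline.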
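Review bot: In "cve/vim/2023/CVE-2023-1355 Detail/README.md" the path contains a space and a " Detail" suffix that the sudo entry (cve/sudo/2023/CVE-2023-28487/) does not, so the two layouts differ; rename to cve/vim/2023/CVE-2023-1355/. The file is a raw copy of the huntr report page: the Description, Version and Proof of Concept sections appear twice, the page chrome (Search..., Bounties524, Login, "Sign in to join this conversation", the footer and "2022 © 418sec") is included, and the full gdb-peda register, code and stack dumps add nothing beyond frame #0 of the backtrace and the `p cl` result showing `(class_T *) 0x0`. Keep the description, the version (9.0.1374, commit c727b19e), the backtrace and the maintainer's resolution (fixed in 9.0.1402 with commit d13dd3), and drop the rest.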
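Review bot: In cve/vim/2023/yaml/CVE-2023-1355.yaml the `cvss-metrics` vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H evaluates to a base score of 5.5 (Medium), but `cvss-score` is 8.4 and `severity` is high; the 8.4 comes from the huntr page, whose listed metrics are User interaction None and Confidentiality, Integrity and Availability all High, which is a different vector. Take vector, score and severity from one source so the three fields agree. The `description` ("NULL pointer dereference in the vim/vim GitHub repository") is generic; the README gives the location (class_object_index, vim9class.c:1356, CWE-476) and that belongs here. Consider adding the fix reference (9.0.1402, commit d13dd3) beside the NVD link, and add the missing trailing newline.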
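Review bot: In other_list.yaml the new `vim:` and `sudo:` keys are appended after `django:` in that order; keeping the product keys in a consistent (alphabetical) order, sudo before vim, makes later additions easier to review. The two IDs match the new YAML files (CVE-2023-1355, CVE-2023-28487).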