From 8efefc37cd7500ed5dda6361f7c0b6e7133a4a24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 06:56:42 +0000
Subject: [PATCH 01/17] add cve/sudo/2023/yaml/CVE-2023-28487.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王悦
---
cve/sudo/2023/yaml/CVE-2023-28487.yaml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 cve/sudo/2023/yaml/CVE-2023-28487.yaml
diff --git a/cve/sudo/2023/yaml/CVE-2023-28487.yaml b/cve/sudo/2023/yaml/CVE-2023-28487.yaml
new file mode 100644
index 00000000..6f44e8b6
--- /dev/null
+++ b/cve/sudo/2023/yaml/CVE-2023-28487.yaml
@@ -0,0 +1,22 @@
+id: CVE-2023-28487
+source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28487
+info:
+ name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。
+ severity: medium
+ description:
+ 1.9.13版本之前的Sudo无法转义sudoreplay中输出的控制字符。
+ scope-of-influence:
+ sudo before 1.9.13
+ references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28487
+ - MISC:https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca
+ - MISC:https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
+ cvss-score: 5.5
+ cve-id: CVE-2023-28487
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
+ tags:
+ -
\ No newline at end of file
-- Gitee
From 9ae45d5a5c579e323ea41b1c5861614c7c0e5889 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 06:57:12 +0000
Subject: [PATCH 02/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2023-28487?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/sudo/2023/CVE-2023-28487/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/sudo/2023/CVE-2023-28487/.keep
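Review bot: `cwe-id: None` and the empty `tags:` list leave two classification fields unfilled in the new record, while the CVE-2023-1355 record added later in this series fills both (`cwe-id: CWE-476`, a `tags` value), so a consumer reading the two files gets different shapes for the same schema; record the CWE assigned upstream for this flaw (or an explicit placeholder such as `cwe-id: TODO-confirm`) and either populate `tags` or drop the key. The `references` list mixes a bare URL with two `MISC:`-prefixed URLs, which anything parsing the entries as URLs will reject — drop the prefix, e.g. `- https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca`. The key is also spelled `references:` here but `reference:` in the CVE-2023-1355 record; pick one spelling for both files. The CVSS vector and `cvss-score: 5.5` are consistent with each other.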
diff --git a/cve/sudo/2023/CVE-2023-28487/.keep b/cve/sudo/2023/CVE-2023-28487/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 522f6b599d3323eb4cc855976dc9497eb9bee881 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 07:00:50 +0000
Subject: [PATCH 03/17] add cve/sudo/2023/CVE-2023-28487/README.md.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王悦
---
cve/sudo/2023/CVE-2023-28487/README.md | 93 ++++++++++++++++++++++++++
1 file changed, 93 insertions(+)
create mode 100644 cve/sudo/2023/CVE-2023-28487/README.md
diff --git a/cve/sudo/2023/CVE-2023-28487/README.md b/cve/sudo/2023/CVE-2023-28487/README.md
new file mode 100644
index 00000000..04c3b320
--- /dev/null
+++ b/cve/sudo/2023/CVE-2023-28487/README.md
@@ -0,0 +1,93 @@
+Sandipan Roy 2023-03-17 07:51:42 UTC
+More information about this security flaw is available in the following bug:
+
+http://bugzilla.redhat.com/show_bug.cgi?id=2179273
+
+Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
+
+Comment 1Sandipan Roy 2023-03-17 07:51:45 UTC
+Use the following template to for the 'fedpkg update' request to submit an
+update for this issue as it contains the top-level parent bug(s) as well as
+this tracking bug. This will ensure that all associated bugs get updated
+when new packages are pushed to stable.
+
+=====
+
+# bugfix, security, enhancement, newpackage (required)
+type=security
+
+# low, medium, high, urgent (required)
+severity=medium
+
+# testing, stable
+request=testing
+
+# Bug numbers: 1234,9876
+bugs=2179273,2179276
+
+# Description of your update
+notes=Security fix for [PUT CVEs HERE]
+
+# Enable request automation based on the stable/unstable karma thresholds
+autokarma=True
+stable_karma=3
+unstable_karma=-3
+
+# Automatically close bugs when this marked as stable
+close_bugs=True
+
+# Suggest that users restart after update
+suggest_reboot=False
+
+======
+
+Additionally, you may opt to use the bodhi web interface to submit updates:
+
+https://bodhi.fedoraproject.org/updates/new
+
+Sandipan Roy 2023-03-17 07:51:47 UTC
+More information about this security flaw is available in the following bug:
+
+http://bugzilla.redhat.com/show_bug.cgi?id=2179273
+
+Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
+
+Comment 1Sandipan Roy 2023-03-17 07:51:51 UTC
+Use the following template to for the 'fedpkg update' request to submit an
+update for this issue as it contains the top-level parent bug(s) as well as
+this tracking bug. This will ensure that all associated bugs get updated
+when new packages are pushed to stable.
+
+=====
+
+# bugfix, security, enhancement, newpackage (required)
+type=security
+
+# low, medium, high, urgent (required)
+severity=medium
+
+# testing, stable
+request=testing
+
+# Bug numbers: 1234,9876
+bugs=2179273,2179277
+
+# Description of your update
+notes=Security fix for [PUT CVEs HERE]
+
+# Enable request automation based on the stable/unstable karma thresholds
+autokarma=True
+stable_karma=3
+unstable_karma=-3
+
+# Automatically close bugs when this marked as stable
+close_bugs=True
+
+# Suggest that users restart after update
+suggest_reboot=False
+
+======
+
+Additionally, you may opt to use the bodhi web interface to submit updates:
+
+https://bodhi.fedoraproject.org/updates/new
\ No newline at end of file
-- Gitee
From ffaa2589b753bbe5aa24d987e059bd6b819c4813 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 07:02:08 +0000
Subject: [PATCH 04/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202022?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/apache/2022/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/apache/2022/.keep
diff --git a/cve/apache/2022/.keep b/cve/apache/2022/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 89ca83c7fa477f3da3deeb04da36bcc9bd4fbbaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 07:02:30 +0000
Subject: [PATCH 05/17] add cve/apache/2022.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王悦
---
cve/apache/2022/yaml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/apache/2022/yaml
diff --git a/cve/apache/2022/yaml b/cve/apache/2022/yaml
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 7922bc5380d94c82b8ba3c4a0aff520c7635c217 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 07:02:48 +0000
Subject: [PATCH 06/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache/2022/yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/apache/2022/yaml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 cve/apache/2022/yaml
diff --git a/cve/apache/2022/yaml b/cve/apache/2022/yaml
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From 789673b5a0dc834af98f0f6865cb72c041a53296 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 07:02:53 +0000
Subject: [PATCH 07/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/apache/2022/yaml/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/apache/2022/yaml/.keep
diff --git a/cve/apache/2022/yaml/.keep b/cve/apache/2022/yaml/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From c4dd74e0f791548588ffaad9fea15dc26834cad8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 07:07:01 +0000
Subject: [PATCH 08/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache/2022?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/apache/2022/.keep | 0
cve/apache/2022/yaml/.keep | 0
2 files changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 cve/apache/2022/.keep
delete mode 100644 cve/apache/2022/yaml/.keep
diff --git a/cve/apache/2022/.keep b/cve/apache/2022/.keep
deleted file mode 100644
index e69de29b..00000000
diff --git a/cve/apache/2022/yaml/.keep b/cve/apache/2022/yaml/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From 95c8170e87136586aa2ef0b9759e7c6148d6da0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 07:53:52 +0000
Subject: [PATCH 09/17] add cve/vim/2023/yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王悦
---
cve/vim/2023/yaml/CVE-2023-1355.yaml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/vim/2023/yaml/CVE-2023-1355.yaml
diff --git a/cve/vim/2023/yaml/CVE-2023-1355.yaml b/cve/vim/2023/yaml/CVE-2023-1355.yaml
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 64222761dcb7e014c9f196a48dbc7a7b7fee00eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 08:03:19 +0000
Subject: [PATCH 10/17] update cve/sudo/2023/yaml/CVE-2023-28487.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王悦
---
cve/sudo/2023/yaml/CVE-2023-28487.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cve/sudo/2023/yaml/CVE-2023-28487.yaml b/cve/sudo/2023/yaml/CVE-2023-28487.yaml
index 6f44e8b6..67c24d3c 100644
--- a/cve/sudo/2023/yaml/CVE-2023-28487.yaml
+++ b/cve/sudo/2023/yaml/CVE-2023-28487.yaml
@@ -4,9 +4,9 @@ info:
name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。
severity: medium
description:
- 1.9.13版本之前的Sudo无法转义sudoreplay中输出的控制字符。
+ Sudo无法转义sudoreplay中输出的控制字符。
scope-of-influence:
- sudo before 1.9.13
+ sudo < 1.9.13
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28487
- MISC:https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca
@@ -18,5 +18,5 @@ info:
cwe-id: None
cnvd-id: None
kve-id: None
- tags:
- -
\ No newline at end of file
+ tags: cve 2023
+
\ No newline at end of file
-- Gitee
From 6bd01538bf2a34f531781a8811bf57ba341e1820 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 08:03:22 +0000
Subject: [PATCH 11/17] update cve/vim/2023/yaml/CVE-2023-1355.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王悦
---
cve/vim/2023/yaml/CVE-2023-1355.yaml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/cve/vim/2023/yaml/CVE-2023-1355.yaml b/cve/vim/2023/yaml/CVE-2023-1355.yaml
index e69de29b..dcff2d97 100644
--- a/cve/vim/2023/yaml/CVE-2023-1355.yaml
+++ b/cve/vim/2023/yaml/CVE-2023-1355.yaml
@@ -0,0 +1,19 @@
+id: CVE-2023-1355
+source: https://huntr.dev/bounties/4d0a9615-d438-4f5c-8dd6-aa22f4b716d9
+info:
+ name: Vim是一款基于UNIX平台的编辑器,由vi发展而来。
+ severity: high
+ description: |
+ GitHub存储库vim/vim中的NULL指针解引用。
+ scope-of-influence:
+ vim < 9.0.1402
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-1355
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
+ cvss-score: 8.4
+ cve-id: CVE-2023-1355
+ cwe-id: CWE-476
+ cnvd-id: None
+ kve-id: None
+ tags: cve2023
\ No newline at end of file
-- Gitee
From 60d952b865ee027399ec4b605400e2fb25cb02c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 08:03:51 +0000
Subject: [PATCH 12/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2023-1355=20Deta?= =?UTF-8?q?il?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/vim/2023/CVE-2023-1355 Detail/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/vim/2023/CVE-2023-1355 Detail/.keep
diff --git a/cve/vim/2023/CVE-2023-1355 Detail/.keep b/cve/vim/2023/CVE-2023-1355 Detail/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
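Review bot: `tags: cve 2023` replaces the former list with a single space-separated scalar, and the CVE-2023-1355 record added two patches later writes the same idea as `tags: cve2023`, so the two files cannot be filtered by one rule; a YAML list (`tags:` / `  - cve` / `  - 2023`) is the form tooling can match on, and it should be used in both records. The second added line appears to be whitespace-only and is still flagged "No newline at end of file"; drop it so the file ends after the `tags` line with a terminating newline. In the first hunk of this patch the description loses its version qualifier, which leaves `scope-of-influence: sudo < 1.9.13` as the only statement of the affected range — acceptable, but worth keeping in mind if the description is ever rendered on its own.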
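Review bot: `cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H` does not produce the `cvss-score: 8.4` recorded two lines below — under CVSS 3.1 that vector scores 5.5, while 8.4 is what `AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` yields, and that is also the breakdown the huntr report pasted into the README in patch 13 shows (user interaction None, confidentiality/integrity/availability all High). One of the two fields is wrong; recompute from whichever source is treated as authoritative and make vector, score and `severity: high` agree. `reference:` (singular) differs from `references:` in the CVE-2023-28487 record, and `tags: cve2023` differs from that file's `tags: cve 2023`, so the two records do not share a schema; align both keys. The `description` could also name the faulting function the README identifies (`class_object_index` in `vim9class.c`) rather than only "NULL pointer dereference in the vim/vim repository".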
From 36f06f2bf88c841455dd765185394bd932c84805 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 08:05:40 +0000
Subject: [PATCH 13/17] add cve/vim/2023/CVE-2023-1355 Detail/README.md.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王悦
---
cve/vim/2023/CVE-2023-1355 Detail/README.md | 245 ++++++++++++++++++++
1 file changed, 245 insertions(+)
create mode 100644 cve/vim/2023/CVE-2023-1355 Detail/README.md
diff --git a/cve/vim/2023/CVE-2023-1355 Detail/README.md b/cve/vim/2023/CVE-2023-1355 Detail/README.md
new file mode 100644
index 00000000..47f581f8
--- /dev/null
+++ b/cve/vim/2023/CVE-2023-1355 Detail/README.md
@@ -0,0 +1,245 @@ +Description +null pointer dereference in class_object_index at vim9class.c:1356 +variable cl in class_object_index at vim9class.c:1254 is NULL +at last, reference to cl refers to NULL + +Version +$ git log +commit c727b19e9f1df36e44321d933334c7b4961daa54 (HEAD -> master, tag: v9.0.1374, origin/master, origin/HEAD) +Author: Yegappan Lakshmanan +Date: Fri Mar 3 12:26:15 2023 +0000 + + patch 9.0.1374: function for setting options not used consistently + + Problem: Function for setting options not used consistently. + Solution: Use a function for 'encoding' and terminal options. (Yegappan + Lakshmanan, closes #12099) + +Proof of Concept + +$ ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa! +Segmentation fault (core dumped) + +Debug + +huntr +Search... +Bounties524 Community More +Submit report + Login +null pointer dereference in class_object_index at vim9class.c:1356 in vim/vim +0 + + Valid Reported on Mar 4th 2023 +Description +null pointer dereference in class_object_index at vim9class.c:1356 +variable cl in class_object_index at vim9class.c:1254 is NULL +at last, reference to cl refers to NULL + +Version +$ git log +commit c727b19e9f1df36e44321d933334c7b4961daa54 (HEAD -> master, tag: v9.0.1374, origin/master, origin/HEAD) +Author: Yegappan Lakshmanan +Date: Fri Mar 3 12:26:15 2023 +0000 + + patch 9.0.1374: function for setting options not used consistently + + Problem: Function for setting options not used consistently. + Solution: Use a function for 'encoding' and terminal options. (Yegappan + Lakshmanan, closes #12099) + +Proof of Concept +$ ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa! +Segmentation fault (core dumped) +Debug +gdb-peda$ r -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa! +Starting program: /home/user/recentvim/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa! +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 
+ +Program received signal SIGSEGV, Segmentation fault. +Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated. +Use 'set logging enabled off'. + +Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated. +Use 'set logging enabled on'. + + +[----------------------------------registers-----------------------------------] +RAX: 0x0 +RBX: 0x0 +RCX: 0x2 +RDX: 0x55555569ba29 (: endbr64) +RSI: 0x0 +RDI: 0x555555969673 --> 0x210000000061 ('a') +RBP: 0x7fffffffbc80 --> 0x7fffffffbd20 --> 0x7fffffffbda0 --> 0x7fffffffbe20 --> 0x7fffffffbeb0 --> 0x7fffffffbff0 (--> ...) +RSP: 0x7fffffffb9f0 --> 0x100000000 +RIP: 0x5555558074d1 (: mov eax,DWORD PTR [rax+0x40]) +R8 : 0x1 +R9 : 0x55555596c710 ("E1004: White space required before and after '=' at \"\t=null_class.a\"") +R10: 0x55555596ccc0 --> 0x570 +R11: 0xa ('\n') +R12: 0x7fffffffddf8 --> 0x7fffffffe1fe ("/home/user/recentvim/vim/src/vim") +R13: 0x55555588a9b7 (
: endbr64) +R14: 0x555555906038 --> 0x55555558cac0 (<__do_global_dtors_aux>: endbr64) +R15: 0x7ffff7ffd040 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f +EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) +[-------------------------------------code-------------------------------------] + 0x5555558074c1 : jmp 0x55555580750d + 0x5555558074c3 : add DWORD PTR [rbp-0x254],0x1 + 0x5555558074ca : mov rax,QWORD PTR [rbp-0x238] +=> 0x5555558074d1 : mov eax,DWORD PTR [rax+0x40] + 0x5555558074d4 : cmp DWORD PTR [rbp-0x254],eax + 0x5555558074da : jl 0x5555558073be + 0x5555558074e0 : mov rax,QWORD PTR [rbp-0x238] + 0x5555558074e7 : mov rax,QWORD PTR [rax] +[------------------------------------stack-------------------------------------] +0000| 0x7fffffffb9f0 --> 0x100000000 +0008| 0x7fffffffb9f8 --> 0x7fffffffc510 --> 0x1 +0016| 0x7fffffffba00 --> 0x7fffffffc500 --> 0x10 +0024| 0x7fffffffba08 --> 0x7fffffffc440 --> 0x555555969673 --> 0x210000000061 ('a') +0032| 0x7fffffffba10 --> 0x0 +0040| 0x7fffffffba18 --> 0x0 +0048| 0x7fffffffba20 --> 0x0 +0056| 0x7fffffffba28 --> 0x0 +[------------------------------------------------------------------------------] +Legend: code, data, rodata, value +Stopped reason: SIGSEGV +0x00005555558074d1 in class_object_index (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at vim9class.c:1356 +1356 for (int i = 0; i < cl->class_class_member_count; ++i) +gdb-peda$ bt +#0 0x00005555558074d1 in class_object_index (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at vim9class.c:1356 +#1 0x00005555555f3045 in handle_subscript (arg=0x7fffffffc440, name_start=0x0, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at eval.c:6934 +#2 0x00005555555ee0f3 in eval9 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, want_string=0x0) at eval.c:4310 +#3 0x00005555555ed2bb in eval8 (arg=0x7fffffffc440, rettv=0x7fffffffc500, 
evalarg=0x7fffffffc510, want_string=0x0) at eval.c:3840 +#4 0x00005555555ecd0b in eval7 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, want_string=0x0) at eval.c:3644 +#5 0x00005555555ec452 in eval6 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3423 +#6 0x00005555555ec114 in eval5 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3312 +#7 0x00005555555ebbe8 in eval4 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3163 +#8 0x00005555555eb6f7 in eval3 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3024 +#9 0x00005555555eb21f in eval2 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:2898 +#10 0x00005555555eaad2 in eval1 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:2744 +#11 0x00005555555ea85a in eval0_retarg (arg=0x555555969668 "null_class.a", rettv=0x7fffffffc500, eap=0x7fffffffc6a0, evalarg=0x7fffffffc510, retarg=0x0) at eval.c:2655 +#12 0x00005555555ea69b in eval0 (arg=0x555555969668 "null_class.a", rettv=0x7fffffffc500, eap=0x7fffffffc6a0, evalarg=0x7fffffffc510) at eval.c:2589 +#13 0x0000555555608779 in ex_let (eap=0x7fffffffc6a0) at evalvars.c:1149 +#14 0x0000555555607eb8 in ex_var (eap=0x7fffffffc6a0) at evalvars.c:960 +#15 0x000055555562314c in do_one_cmd (cmdlinep=0x7fffffffc8d0, flags=0x7, cstack=0x7fffffffc9b0, fgetline=0x55555575fe37 , cookie=0x7fffffffd120) at ex_docmd.c:2580 +#16 0x000055555562009e in do_cmdline (cmdline=0x55555596c350 "vim9@_\t=null_class.a", fgetline=0x55555575fe37 , cookie=0x7fffffffd120, flags=0x7) at ex_docmd.c:993 +#17 0x000055555575eca8 in do_source_ext (fname=0x555555968893 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x0, clearvars=0x0) at scriptfile.c:1759 +#18 0x000055555575f3a3 in do_source (fname=0x555555968893 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1905 +#19 0x000055555575de5f in cmd_source 
(fname=0x555555968893 "poc", eap=0x7fffffffd2d0) at scriptfile.c:1250 +#20 0x000055555575dea6 in ex_source (eap=0x7fffffffd2d0) at scriptfile.c:1276 +#21 0x000055555562314c in do_one_cmd (cmdlinep=0x7fffffffd500, flags=0xb, cstack=0x7fffffffd5e0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580 +#22 0x000055555562009e in do_cmdline (cmdline=0x555555968850 "so poc", fgetline=0x0, cookie=0x0, flags=0xb) at ex_docmd.c:993 +#23 0x000055555561f535 in do_cmdline_cmd (cmd=0x555555968850 "so poc") at ex_docmd.c:587 +#24 0x000055555588e6da in exe_commands (parmp=0x555555953800 ) at main.c:3146 +#25 0x000055555588b50f in vim_main2 () at main.c:782 +#26 0x000055555588ae7c in main (argc=0xf, argv=0x7fffffffddf8) at main.c:433 +#27 0x00007ffff7c29d90 in __libc_start_call_main (main=main@entry=0x55555588a9b7
, argc=argc@entry=0xf, argv=argv@entry=0x7fffffffddf8) at ../sysdeps/nptl/libc_start_call_main.h:58 +#28 0x00007ffff7c29e40 in __libc_start_main_impl (main=0x55555588a9b7
, argc=0xf, argv=0x7fffffffddf8, init=, fini=, rtld_fini=, + stack_end=0x7fffffffdde8) at ../csu/libc-start.c:392 +#29 0x000055555558ca45 in _start () +gdb-peda$ p cl +$1 = (class_T *) 0x0 +gdb-peda$ p *(typval_T *) rettv +$2 = { + v_type = VAR_CLASS, + v_lock = 0x0, + vval = { + v_number = 0x0, + v_float = 0, + v_string = 0x0, + v_list = 0x0, + v_dict = 0x0, + v_partial = 0x0, + v_job = 0x0, + v_channel = 0x0, + v_blob = 0x0, + v_instr = 0x0, + v_class = 0x0, + v_object = 0x0 + } +} + +poc + +Impact +it can lead to DoS, possibly code execution + +We are processing your report and will contact the vim team within 24 hours. 19 days ago +We have contacted a member of the vim team and are waiting to hear back 18 days ago + +Bram Moolenaar validated this vulnerability 10 days ago +I can reproduce the problem, the POC is short, I can use it for a regression test. + + +thkim0 has been awarded the disclosure bounty +The fix bounty is now up for grabs +The researcher's credibility has increased: +7 + +Bram Moolenaar marked this as fixed in 9.0.1402 with commit d13dd3 10 days ago +Bram Moolenaar has been awarded the fix bounty +This vulnerability has been assigned a CVE + +Bram Moolenaar published this vulnerability 10 days ago +Sign in to join this conversation +CVE +CVE-2023-1355 +(Published) +Vulnerability Type +CWE-476: NULL Pointer Dereference +Severity +High (8.4) +Attack vector +Local +Attack complexity +Low +Privileged required +None +User interaction +None +Scope +Unchanged +Confidentiality +High +Integrity +High +Availability +High +Open in visual CVSS calculator +Registry +Other +Affected Version +* + +Visibility +Public +Status +Fixed +Found by + +User avatar +thkim0 +@thkim0 +unranked +Fixed by + +User avatar +Bram Moolenaar +@brammool +maintainer +This report was seen 474 times. +2022 © 418sec + +huntr +home +hacktivity +leaderboard +FAQ +contact us +terms +privacy policy +part of 418sec +company +about +team -- Gitee 
From 76ea3f684d4ab7fc6c823d3bde538ad69c719b5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?= Date: Wed, 22 Mar 2023 08:06:45 +0000 Subject: [PATCH 14/17] update cve/vim/2023/CVE-2023-1355 Detail/README.md. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王悦 --- cve/vim/2023/CVE-2023-1355 Detail/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cve/vim/2023/CVE-2023-1355 Detail/README.md b/cve/vim/2023/CVE-2023-1355 Detail/README.md index 47f581f8..1eca1bc8 100644 --- a/cve/vim/2023/CVE-2023-1355 Detail/README.md +++ b/cve/vim/2023/CVE-2023-1355 Detail/README.md @@ -1,9 +1,10 @@ -Description + **Description** null pointer dereference in class_object_index at vim9class.c:1356 variable cl in class_object_index at vim9class.c:1254 is NULL at last, reference to cl refers to NULL -Version + **Version** + $ git log commit c727b19e9f1df36e44321d933334c7b4961daa54 (HEAD -> master, tag: v9.0.1374, origin/master, origin/HEAD) Author: Yegappan Lakshmanan @@ -14,13 +15,12 @@ Date: Fri Mar 3 12:26:15 2023 +0000 Problem: Function for setting options not used consistently. Solution: Use a function for 'encoding' and terminal options. (Yegappan Lakshmanan, closes #12099) - -Proof of Concept + **Proof of Concept** $ ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa! Segmentation fault (core dumped) -Debug + **Debug** huntr Search... -- Gitee From e7257bbe4ff56bff43cb2e502924150df5605fcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?= Date: Wed, 22 Mar 2023 11:26:32 +0000 Subject: [PATCH 15/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/sudo/2023/CVE-2023-28487/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/sudo/2023/CVE-2023-28487/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/sudo/2023/CVE-2023-28487/.keep 
diff --git a/cve/sudo/2023/CVE-2023-28487/.keep b/cve/sudo/2023/CVE-2023-28487/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From c0638b3b1d9970e3b713e2358c899d840e573565 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 11:54:30 +0000
Subject: [PATCH 16/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/vim/2023/CVE-2023-1355=20Detail/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/vim/2023/CVE-2023-1355 Detail/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 cve/vim/2023/CVE-2023-1355 Detail/.keep
diff --git a/cve/vim/2023/CVE-2023-1355 Detail/.keep b/cve/vim/2023/CVE-2023-1355 Detail/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From ff414b36c755a661fa5df9618681430da6b1022c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=82=A6?=
Date: Wed, 22 Mar 2023 11:58:55 +0000
Subject: [PATCH 17/17] update other_list.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王悦
---
other_list.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/other_list.yaml b/other_list.yaml
index 428354b0..ff7d97de 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -32,4 +32,8 @@ cve:
- CVE-2022-0529
django:
- CVE-2022-34265
+ vim:
+ - CVE-2023-1355
+ sudo:
+ - CVE-2023-28487
cnvd:
-- Gitee