[vim-security] use-after-free in ex_substitute in Vim < v9.0.2121

Related Vulnerabilities: CVE-2023-48706  
                							


From: Christian Brabandt <cb () 256bit org>

Date: Wed, 22 Nov 2023 22:12:49 +0100

CVE-2023-48706: Use-After-Free in ex_substitute()
=================================================
Date: 22.11.2023
Severity: Low

When executing a :s command for the very first time and using a
sub-replace-special atom inside the substitution part, it is possible
that the recursive :s call frees memory which may later be accessed
by the initial :s command.

Impact is low since the user must intentionally execute the payload and
the whole process is a bit tricky to do (since it seems to work
reliably only for the very first :s command). It may also cause a crash
of Vim.

The Vim project would like to thank github user gandalf4a for reporting 
this issue which is now fixed in Vim patch 9.0.2121.

URLs: https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf8
      https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q

Thanks,
Christian
-- 
What not to name your child:
  Jupp Heidi
