Bug 1214921 (CVE-2023-4751)

Summary: VUL-0: CVE-2023-4751: vim: heap-buffer-overflow in function utfc_ptr2len
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Martin Schreiner <martin.schreiner>
Status: RESOLVED NORESPONSE
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: mimi.vx
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/377044/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 3 OBSbugzilla Bot 2023-09-11 16:15:03 UTC
This is an autogenerated message for OBS integration:
This bug (1214921) was mentioned in
https://build.opensuse.org/request/show/1110341 Factory / vim

Comment 4 Zoltan Balogh 2023-09-20 05:42:22 UTC
The vim in sle11sp2 is on version 7.2 and it is years behind the upstream. Backporting single patches is hardly possible and upgrading to 9.0 may be risky.

Do we really want that?

Comment 5 Martin Schreiner 2024-06-19 20:11:43 UTC
I'm closing this bug with "no response" since no one replied to Zoltan a long while ago.

So I think it's obsolete/moot. Should the need arise, please reopen it, and assign to me.