Use After Free in vim/vim

Vulnerability

A use-after-free vulnerability exists in Vim versions prior to patch 8.2.3428. The bug resides in the nv_replace() function in src/normal.c [2]. Under certain conditions, the line pointer ptr obtained via ml_get_buf() is used after the line may have been freed or reallocated by u_save(), showmatch(), or ins_copychar() [2]. The commit that fixes this issue [2] reorders the code to fetch the pointer again after these operations, preventing use of freed memory.

Exploitation

An attacker could exploit this vulnerability by crafting a specially designed text file or editor command sequence that triggers the vulnerable code path. Specifically, the issue occurs when the replace command ("R" or "r") is used in combination with Ctrl-E or Ctrl-Y to copy characters from adjacent lines [2]. Local access to Vim and the ability to open a crafted file or execute a sequence of commands is required. The attacker does not need elevated privileges beyond normal Vim usage.

Impact

Successful exploitation results in a use-after-free condition, potentially leading to memory corruption, a crash, or possibly arbitrary code execution in the context of the Vim process. The impact is limited by the need for user interaction and the complexity of the race condition. The advisory from Openwall notes that the security boundary is not crossed in normal Vim usage but could be a concern if Vim runs with raised privileges [1].

Mitigation

The vulnerability is fixed in Vim patch 8.2.3428 [2]. Users should update to Vim version 8.2.3428 or later. Workarounds include avoiding the use of the replace command with Ctrl-E/Ctrl-Y on untrusted files. Fedora package announcements may have been issued [3][4], but their content is not accessible in the available references.