VYPR
Unrated severity · NVD Advisory · Published Jan 4, 2023 · Updated Apr 9, 2025

Out-of-bounds Read in vim/vim

CVE-2023-0049

Description

An out-of-bounds read in Vim's statusline handling prior to 9.0.1143 could lead to a crash or memory exposure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in the build_stl_str_hl() function of Vim, triggered when it processes a malformed 'statusline' option containing a % character followed immediately by 0 (e.g., %!%0). Patch 9.0.1143 [4] corrects an improper bounds check: when the character after % is NUL (the string terminator), the loop continues without breaking, leading to an illegal memory access. All versions of Vim prior to 9.0.1143 are affected.

Exploitation

To exploit this vulnerability, an attacker must be able to set or influence the 'statusline' option to a crafted string such as %!%0. This could occur if a user opens a file that sets the statusline via a modeline or if a malicious script configures the option. When the statusline is redrawn (e.g., via :redraw), the out-of-bounds read is triggered. No authentication is required beyond the ability to execute Vim commands or open a specially crafted file.

Impact

Successful exploitation results in an out-of-bounds read, which can cause a crash (assertion failure or segmentation fault) and may potentially leak sensitive memory contents. Apple's advisory [1] confirms that on macOS Ventura 13.3, the issue was addressed with improved bounds checks, and states that an app may be able to cause unexpected system termination or write kernel memory, indicating potential for more severe outcomes in certain configurations.

Mitigation

The vulnerability is fixed in Vim version 9.0.1143 [4]. Users should upgrade to this version or later. For macOS users, the fix is included in macOS Ventura 13.3 (released March 27, 2023) [1]. Fedora package announcements [2][3] indicate that updates were made available for Fedora distributions. No workaround other than updating is known.
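The upgrade check described above, as an added example that is not part of the advisory or of Vim: it parses `vim --version` output and reports whether the build includes patch 9.0.1143. The sample outputs are constructed, and a distribution build that backports the fix without listing patch 1143 is reported as affected, so confirm such results against the vendor advisory.

```python
import re
import subprocess

FIXED_VERSION = (9, 0)  # advisory: fixed in Vim 9.0.1143
FIXED_PATCH = 1143

def parse_vim_version(text):
    """Return ((major, minor), [(lo, hi), ...]) from `vim --version` output."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("input does not look like `vim --version` output")
    version = (int(m.group(1)), int(m.group(2)))
    ranges = []
    p = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    if p:
        # Patches are listed as ranges and singles, e.g. "1-1100, 1143".
        for part in p.group(1).split(","):
            lo, _, hi = part.strip().partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return version, ranges

def has_fix(text):
    """True if the build reports patch 9.0.1143 or belongs to a later release."""
    version, ranges = parse_vim_version(text)
    if version != FIXED_VERSION:
        return version > FIXED_VERSION
    return any(lo <= FIXED_PATCH <= hi for lo, hi in ranges)

# Constructed sample outputs (not captured from real systems).
HEAD = "VIM - Vi IMproved {} (constructed sample)\nIncluded patches: {}\n"
SAMPLES = {
    "9.0, patches 1-1142": HEAD.format("9.0", "1-1142"),
    "9.0, patches 1-1143": HEAD.format("9.0", "1-1143"),
    "9.0, patches 1-1100 plus 1143": HEAD.format("9.0", "1-1100, 1143"),
    "8.2, patches 1-5000": HEAD.format("8.2", "1-5000"),
    "9.1, patches 1-16": HEAD.format("9.1", "1-16"),
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name}: {'fixed' if has_fix(out) else 'AFFECTED'}")
    try:
        local = subprocess.run(["vim", "--version"],
                               capture_output=True, text=True).stdout
        print("local vim:", "fixed" if has_fix(local) else "AFFECTED")
    except (OSError, ValueError) as exc:
        print("local vim not checked:", exc)
```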

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

18

References

7
