Unrated severity · NVD Advisory · Published Sep 2, 2023 · Updated Feb 13, 2025

Out-of-bounds Write in vim/vim

CVE-2023-4735

Description

An out-of-bounds write vulnerability in Vim's do_addsub() function allows arbitrary code execution via a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds write vulnerability exists in the do_addsub() function of Vim prior to version 9.0.1847 [2]. The flaw occurs when converting a number to a binary string representation; the loop iterates while bit is positive but lacks a check against the buffer size, allowing an overflow of the buf2[] buffer [2]. This can be triggered when a user opens a specially crafted file that forces the do_addsub() function to process arithmetic operations.

Exploitation

An attacker must craft a malicious file that triggers the vulnerable code path in do_addsub(). No authentication is required; the only precondition is that the user opens the file in Vim. Exploitation does not require network access: the file can be delivered via email, download, or other means. When Vim parses the file, the out-of-bounds write occurs as the loop writes beyond the allocated buffer [2].

Impact

Successful exploitation allows an attacker to write out-of-bounds data, potentially leading to arbitrary code execution in the context of the Vim process. Apple's advisory notes that parsing a malicious file may result in unexpected app termination or arbitrary code execution [1]. The attacker could compromise the user's system by executing arbitrary commands.

Mitigation

The vulnerability is fixed in Vim version 9.0.1847, released on or around September 1, 2023 [2]. The fix adds a bounds check in the loop condition: bit > 0 && i < (NUMBUFLEN - 1) [2]. Users should update to Vim 9.0.1847 or later. Apple also addressed this issue in macOS Sonoma 14.1 by removing the vulnerable code [1]. No workaround is available other than upgrading.
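
The loop guard quoted above, shown in a stand-alone C sketch (an added example, not Vim's source code). The function names, the cap parameter and the 8-byte buffer are assumptions made for illustration; unchecked_write_len() only computes how many bytes a loop guarded by "bit > 0" alone would store, it performs no write.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Significant bits in n after skipping leading zeros (0 when n == 0). */
static int significant_bits(uint64_t n)
{
    int bit = 64;
    while (bit > 0 && !((n >> (bit - 1)) & 1))
        bit--;
    return bit;
}

/* Bytes a loop guarded only by "bit > 0" would store, NUL included. */
static size_t unchecked_write_len(uint64_t n)
{
    return (size_t)significant_bits(n) + 1;
}

/*
 * Write n in binary into out[cap] with the guard quoted in the advisory:
 * stop when the bits run out or when only the NUL slot is left.
 * Returns the number of digits that did not fit (0 = not truncated).
 */
static int to_binary_bounded(uint64_t n, char *out, size_t cap)
{
    int bit = significant_bits(n);
    size_t i = 0;

    if (cap == 0)
        return bit;               /* no room even for the terminator */
    for (; bit > 0 && i < cap - 1; bit--)
        out[i++] = ((n >> (bit - 1)) & 1) ? '1' : '0';
    out[i] = '\0';
    return bit;
}

int main(void)
{
    char buf[8];                  /* constructed, deliberately small buffer */
    int dropped = to_binary_bounded(0xFFFF, buf, sizeof buf);

    printf("unchecked loop would store %zu bytes into %zu\n",
           unchecked_write_len(0xFFFF), sizeof buf);
    printf("bounded loop stored \"%s\", dropped %d digits\n", buf, dropped);
    return 0;
}
```

A non-zero return value tells the caller the output was truncated, which is worth checking whenever the destination may be smaller than the widest possible value.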

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

29
