Hi all. I mailed Bram personally about this several months ago but got
no response, so perhaps here is a better place for this.
I'm curious about whether there's any real security impact of many of
the "vulnerabilities" that are validated on the huntr.dev platform.
Take CVE-2022-3520 [1][2] as an example (which seemingly wasn't
supposed to get a CVE, and I've asked the huntr.dev folks about that
separately).
This "vulnerability" is triggered by crafting a vim command line that
feeds a file into the "-S" option, which causes vim to source the
file. Is there actually any security boundary being crossed here? If
an attacker is able to get their victim to execute code, surely it
isn't the fault of the code interpreter if the interpreter executes
that code?
Separate from the issue of whether these vulnerabilities are valid at
all, there is also an issue that the impact of these "vulnerabilities"
doesn't seem to be validated. CVE-2022-3520 claims there is a "HIGH"
impact to each of availability, confidentiality, and integrity, but
any of this could be caused if Vim's parsing and execution of the
script were bug free, that is, there doesn't seem to be anything the
"vulnerability" allows for that isn't already possible via vimscript
anyway. Even if this were the case, I fail to see how an out-of-bounds
1-byte read can be this severe (especially without the reporter
substantiating any of it).
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-3520
[2] https://huntr.dev/bounties/c1db3b70-f4fe-481f-8a24-0b1449c94246/
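The point above about "-S" can be checked directly. The following is an added example, not part of the original post: it writes a small constructed vimscript to a temporary directory, feeds it to vim via "-S", and shows that the sourced script can already run a shell command and write to an arbitrary path. It assumes vim is installed (if it isn't, the function reports that instead of failing), and the script name, the DEMO_OUT environment variable and the output text are hypothetical choices for the demonstration.

```shell
#!/bin/sh
# Added example (not vim's or the CVE reporter's code). Shows that a file
# passed to `vim -S` is executed as vimscript with the user's full privileges:
# it can call out to the shell and write files, so a crash while parsing it
# crosses no boundary the user has not already crossed by running it.
run_sourced_script() {
  if ! command -v vim >/dev/null 2>&1; then
    echo "vim-not-installed"
    return 0
  fi

  tmpdir=$(mktemp -d)

  # Constructed vimscript: runs `id -un` through system(), strips the
  # trailing newline, and writes a line to the path given in $DEMO_OUT.
  cat > "$tmpdir/demo.vim" <<'EOF'
let s:user = substitute(system('id -un'), '\n$', '', '')
call writefile(['sourced script ran shell as ' . s:user], $DEMO_OUT)
qall!
EOF

  # -u NONE -i NONE: no vimrc/viminfo; -N: nocompatible; -es: silent Ex
  # mode so this runs without a terminal. -S sources the script, exactly
  # as the CVE's trigger does.
  DEMO_OUT="$tmpdir/result.txt" vim -u NONE -i NONE -N -es -S "$tmpdir/demo.vim"

  cat "$tmpdir/result.txt"
  rm -rf "$tmpdir"
}

run_sourced_script
```

Nothing in the script above relies on any bug in vim; it is ordinary vimscript, and it already has everything a "HIGH" confidentiality, integrity or availability impact would need.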