Skip to first unread message

John Helmert III

Dec 6, 2022, 7:59:36 AM12/6/22
Hi all. I mailed Bram personally about this several months ago but got
no response, so perhaps here is a better place for this.

I'm curious about whether there's any real security impact of many of
the "vulnerabilities" that are validated on the
platform. Take CVE-2022-3520 [1][2] as an example (which seemingly
wasn't supposed to get a CVE, and I've asked the folks about
that separately).

This "vulnerability" is triggered by crafting a vim command line that
feeds a file into the "-S" option, which causes vim to source the
file. Is there actually any security boundary being crossed here? If
an attacker is able to get their victim to execute code, surely it
isn't the fault of the code interpreter if the interpreter executes
that code?

Separate from the issue of whether these vulnerabilities are valid at
all, there is also an issue that the impact of these "vulnerabilities"
don't seem to be validated. CVE-2022-3520 claims there is a "HIGH"
impact to each of availability, confidentiality, and integrity, but
any of this could be caused if Vim's parsing and execution of the
script were bug free, that is, there doesn't seem to be anything the
"vulnerability" allows for that isn't already possible via vimscript
anyway. Even if this were the case, I fail to see how an out-of-bounds
1-byte read can be this severe (especially without the reporter
substantiating any of it).


John Helmert III

Dec 31, 2022, 3:47:04 PM12/31/22
Ping? I notice the Google Groups mangling broke my PGP signature on
this mail, so sending this one without it incase people's clients
filtered it out implicitly or something.
Reply all
Reply to author
0 new messages