Security update for vim

Announcement ID:	SUSE-SU-2023:3942-1
Rating:	important
References:	bsc#1210738 bsc#1211461 bsc#1214922 bsc#1214924 bsc#1214925 bsc#1215004 bsc#1215006 bsc#1215033
Cross-References:	CVE-2023-4733 CVE-2023-4734 CVE-2023-4735 CVE-2023-4738 CVE-2023-4752 CVE-2023-4781
CVSS scores:	CVE-2023-4733 ( SUSE ): 8.2 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVE-2023-4733 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4733 ( NVD ): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2023-4734 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2023-4734 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4734 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4735 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2023-4735 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4735 ( NVD ): 4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVE-2023-4738 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4738 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4738 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4752 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4752 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4752 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4781 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4781 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4781 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves six vulnerabilities and has two security fixes can now be installed.

Description:

This update for vim fixes the following issues:

Security fixes:

• CVE-2023-4733: Fixed use-after-free in function buflist_altfpos (bsc#1215004).
• CVE-2023-4734: Fixed segmentation fault in function f_fullcommand (bsc#1214925).
• CVE-2023-4735: Fixed out of bounds write in ops.c (bsc#1214924).
• CVE-2023-4738: Fixed heap buffer overflow in vim_regsub_both (bsc#1214922).
• CVE-2023-4752: Fixed heap use-after-free in function ins_compl_get_exp (bsc#1215006).
• CVE-2023-4781: Fixed heap buffer overflow in function vim_regsub_both (bsc#1215033).

Other fixes:

• Calling vim on xterm leads to missing first character of the command prompt (bsc#1211461)
• Rendering corruption in gvim with all 9.x versions (bsc#1210738)
• Updated to version 9.0 with patch level 1894

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-3942=1
• SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-3942=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-3942=1

Package List:

• SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
  • vim-9.0.1894-17.23.2
  • vim-debuginfo-9.0.1894-17.23.2
  • vim-debugsource-9.0.1894-17.23.2
  • gvim-debuginfo-9.0.1894-17.23.2
  • gvim-9.0.1894-17.23.2
• SUSE Linux Enterprise High Performance Computing 12 SP5 (noarch)
  • vim-data-9.0.1894-17.23.2
  • vim-data-common-9.0.1894-17.23.2
• SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
  • vim-9.0.1894-17.23.2
  • vim-debuginfo-9.0.1894-17.23.2
  • vim-debugsource-9.0.1894-17.23.2
  • gvim-debuginfo-9.0.1894-17.23.2
  • gvim-9.0.1894-17.23.2
• SUSE Linux Enterprise Server 12 SP5 (noarch)
  • vim-data-9.0.1894-17.23.2
  • vim-data-common-9.0.1894-17.23.2
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  • vim-9.0.1894-17.23.2
  • vim-debuginfo-9.0.1894-17.23.2
  • vim-debugsource-9.0.1894-17.23.2
  • gvim-debuginfo-9.0.1894-17.23.2
  • gvim-9.0.1894-17.23.2
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (noarch)
  • vim-data-9.0.1894-17.23.2
  • vim-data-common-9.0.1894-17.23.2

References:

• https://www.suse.com/security/cve/CVE-2023-4733.html
• https://www.suse.com/security/cve/CVE-2023-4734.html
• https://www.suse.com/security/cve/CVE-2023-4735.html
• https://www.suse.com/security/cve/CVE-2023-4738.html
• https://www.suse.com/security/cve/CVE-2023-4752.html
• https://www.suse.com/security/cve/CVE-2023-4781.html
• https://bugzilla.suse.com/show_bug.cgi?id=1210738
• https://bugzilla.suse.com/show_bug.cgi?id=1211461
• https://bugzilla.suse.com/show_bug.cgi?id=1214922
• https://bugzilla.suse.com/show_bug.cgi?id=1214924
• https://bugzilla.suse.com/show_bug.cgi?id=1214925
• https://bugzilla.suse.com/show_bug.cgi?id=1215004
• https://bugzilla.suse.com/show_bug.cgi?id=1215006
• https://bugzilla.suse.com/show_bug.cgi?id=1215033