Security update for vim

Announcement ID:	SUSE-SU-2025:0723-1
Release Date:	2025-02-26T13:29:54Z
Rating:	moderate
References:	bsc#1229685 bsc#1229822 bsc#1230078 bsc#1235695 bsc#1236151 bsc#1237137
Cross-References:	CVE-2024-43790 CVE-2024-43802 CVE-2024-45306 CVE-2025-1215 CVE-2025-22134 CVE-2025-24014
CVSS scores:	CVE-2024-43790 ( SUSE ): 2.0 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L CVE-2024-43790 ( SUSE ): 4.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2024-43802 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2024-43802 ( SUSE ): 4.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2024-45306 ( SUSE ): 4.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-45306 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2024-45306 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-45306 ( NVD ): 4.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2025-1215 ( SUSE ): 2.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-1215 ( SUSE ): 2.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L CVE-2025-1215 ( NVD ): 2.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-1215 ( NVD ): 2.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L CVE-2025-22134 ( SUSE ): 1.0 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-22134 ( SUSE ): 4.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L CVE-2025-22134 ( NVD ): 4.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L CVE-2025-24014 ( SUSE ): 1.0 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-24014 ( SUSE ): 4.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L CVE-2025-24014 ( NVD ): 4.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Affected Products:	Basesystem Module 15-SP6 Desktop Applications Module 15-SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves six vulnerabilities can now be installed.

Description:

This update for vim fixes the following issues:

Update to version 9.1.1101:

• CVE-2024-43790: possible out-of-bounds read when performing a search command (bsc#1229685).
• CVE-2024-43802: heap buffer overflow due to incorrect flushing of the typeahead buffer (bsc#1229822).
• CVE-2024-45306: heap buffer overflow when cursor position is invalid (bsc#1230078).
• CVE-2025-22134: heap buffer overflow when switching to other buffers using the :all command with active visual mode (bsc#1235695).
• CVE-2025-24014: NULL pointer dereference may lead to segmentation fault when in silent Ex mode (bsc#1236151).
• CVE-2025-1215: memory corruption when manipulating the --log argument (bsc#1237137).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.5
  zypper in -t patch SUSE-2025-723=1
• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2025-723=1
• SUSE Linux Enterprise Micro 5.5
  zypper in -t patch SUSE-SLE-Micro-5.5-2025-723=1
• Basesystem Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-723=1
• Desktop Applications Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP6-2025-723=1

Package List:

• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
  • vim-9.1.1101-150500.20.21.1
  • vim-small-debuginfo-9.1.1101-150500.20.21.1
  • vim-debuginfo-9.1.1101-150500.20.21.1
  • gvim-debuginfo-9.1.1101-150500.20.21.1
  • gvim-9.1.1101-150500.20.21.1
  • vim-small-9.1.1101-150500.20.21.1
  • vim-debugsource-9.1.1101-150500.20.21.1
• openSUSE Leap 15.5 (noarch)
  • vim-data-common-9.1.1101-150500.20.21.1
  • vim-data-9.1.1101-150500.20.21.1
• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • vim-9.1.1101-150500.20.21.1
  • vim-small-debuginfo-9.1.1101-150500.20.21.1
  • vim-debuginfo-9.1.1101-150500.20.21.1
  • gvim-debuginfo-9.1.1101-150500.20.21.1
  • gvim-9.1.1101-150500.20.21.1
  • vim-small-9.1.1101-150500.20.21.1
  • vim-debugsource-9.1.1101-150500.20.21.1
• openSUSE Leap 15.6 (noarch)
  • vim-data-common-9.1.1101-150500.20.21.1
  • vim-data-9.1.1101-150500.20.21.1
• SUSE Linux Enterprise Micro 5.5 (noarch)
  • vim-data-common-9.1.1101-150500.20.21.1
• SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
  • vim-small-debuginfo-9.1.1101-150500.20.21.1
  • vim-small-9.1.1101-150500.20.21.1
  • vim-debugsource-9.1.1101-150500.20.21.1
  • vim-debuginfo-9.1.1101-150500.20.21.1
• Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • vim-9.1.1101-150500.20.21.1
  • vim-small-debuginfo-9.1.1101-150500.20.21.1
  • vim-debuginfo-9.1.1101-150500.20.21.1
  • vim-small-9.1.1101-150500.20.21.1
  • vim-debugsource-9.1.1101-150500.20.21.1
• Basesystem Module 15-SP6 (noarch)
  • vim-data-common-9.1.1101-150500.20.21.1
  • vim-data-9.1.1101-150500.20.21.1
• Desktop Applications Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • vim-debuginfo-9.1.1101-150500.20.21.1
  • gvim-9.1.1101-150500.20.21.1
  • vim-debugsource-9.1.1101-150500.20.21.1
  • gvim-debuginfo-9.1.1101-150500.20.21.1

References:

• https://www.suse.com/security/cve/CVE-2024-43790.html
• https://www.suse.com/security/cve/CVE-2024-43802.html
• https://www.suse.com/security/cve/CVE-2024-45306.html
• https://www.suse.com/security/cve/CVE-2025-1215.html
• https://www.suse.com/security/cve/CVE-2025-22134.html
• https://www.suse.com/security/cve/CVE-2025-24014.html
• https://bugzilla.suse.com/show_bug.cgi?id=1229685
• https://bugzilla.suse.com/show_bug.cgi?id=1229822
• https://bugzilla.suse.com/show_bug.cgi?id=1230078
• https://bugzilla.suse.com/show_bug.cgi?id=1235695
• https://bugzilla.suse.com/show_bug.cgi?id=1236151
• https://bugzilla.suse.com/show_bug.cgi?id=1237137