update: vim

[dongsupark]

Name: vim
CVEs: CVE-2025-1215, CVE-2025-22134, CVE-2025-24014, GHSA-63p5-mwg2-787v, CVE-2025-27423, CVE-2025-29768
CVSSs: 2.8, 4.2, 4.2, 4.2, 7.1, 4.4
Action Needed: update to >= 9.1.1198

Summary:

• CVE-2025-1215: A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of the file src/main.c. The manipulation of the argument --log leads to memory corruption. It is possible to launch the attack on the local host. Upgrading to version 9.1.1097 is able to address this issue. The patch is identified as c5654b84480822817bb7b69ebc97c174c91185e9. It is recommended to upgrade the affected component.
  • https://bugzilla.redhat.com/show_bug.cgi?id=2345318
• CVE-2025-22134: A heap-buffer-overflow with visual mode was found in Vim < 9.1.1003
• CVE-2025-24014: crolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043.
• GHSA-63p5-mwg2-787v: Vim allows to redirect screen messages using the :redir ex command to
  register, variables and files. It also allows to show the contents of registers using the :registers or :display ex command. When redirecting the output of :display to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the :display command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the + and * registers (which typically donate the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead. In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers * or +.
  • https://seclists.org/oss-sec/2025/q1/139
• CVE-2025-27423: Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164
• CVE-2025-29768: Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198.
  • https://bugzilla.redhat.com/show_bug.cgi?id=2352418

refmap.gentoo: CVE-2025-22134: https://bugs.gentoo.org/947924, others: TBD

[dongsupark]

Added GHSA-63p5-mwg2-787v

[dongsupark]

Added CVE-2025-27423.

[dongsupark]

Added CVE-2025-29768.