Journalists are busying themselves telling Apple users the sky is falling, given the quiet hint from Apple about exploitation of CVE-2022-42827…
An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Actively exploited?
That’s a giant flashing red light buried by Apple halfway down their security advisory page.
Meanwhile, a far more interesting and crazy detail nobody is talking about is that the macOS Ventura security notes list forty, that’s four zero, vulnerabilities fixed in a text editor (Vim).
- CVE-2022-0261 (7.8 High)
- CVE-2022-0318 (9.8 Critical)
- CVE-2022-0319 (5.5 Medium)
- CVE-2022-0351 (7.8 High)
- CVE-2022-0359 (7.8 High)
- CVE-2022-0361 (7.8 High)
- CVE-2022-0368 (7.8 High)
- CVE-2022-0392 (7.8 High)
- CVE-2022-0554 (7.8 High)
- CVE-2022-0572 (7.8 High)
- CVE-2022-0629 (6.1 Medium)
- CVE-2022-0685 (7.8 High)
- CVE-2022-0696 (5.5 Medium)
- CVE-2022-0714 (5.5 Medium)
- CVE-2022-0729 (6.5 Medium)
- CVE-2022-0943 (7.8 High)
- CVE-2022-1381 (7.8 High)
- CVE-2022-1420 (5.5 Medium)
- CVE-2022-1725 (5.5 Medium)
- CVE-2022-1616 (7.8 High)
- CVE-2022-1619 (7.8 High)
- CVE-2022-1620 (7.8 High)
- CVE-2022-1621 (7.8 High)
- CVE-2022-1629 (7.8 High)
- CVE-2022-1674 (5.5 Medium)
- CVE-2022-1733 (7.8 High)
- CVE-2022-1735 (7.8 High)
- CVE-2022-1769 (7.8 High)
- CVE-2022-1927 (9.8 Critical)
- CVE-2022-1942 (7.8 High)
- CVE-2022-1968 (7.8 High)
- CVE-2022-1851 (7.8 High)
- CVE-2022-1897 (7.8 High)
- CVE-2022-1898 (7.8 High)
- CVE-2022-1720 (7.8 High)
- CVE-2022-2000 (7.8 High)
- CVE-2022-2042 (9.8 Critical)
- CVE-2022-2124 (7.8 High)
- CVE-2022-2125 (7.8 High)
- CVE-2022-2126 (7.8 High)
Whoa. That’s a… giant flashing red dumpster fire buried halfway down the page.
And I don’t understand Apple’s list. It seems random at best. Why not sequential by ID or severity?
Or, to put it another way, here are the critical ones listed together:
- CVE-2022-0318 (9.8 Critical): Reported Jan 18, 2022. Heap-based Buffer Overflow in vim/vim prior to 8.2. Found by @zfeixq.
- CVE-2022-1927 (9.8 Critical): Reported May 22, 2022. Buffer Over-read in GitHub repository vim/vim prior to 8.2. Found by TDHX ICS Security @jieyongma.
- CVE-2022-2042 (9.8 Critical): Reported Jun 6, 2022. Use After Free in GitHub repository vim/vim prior to 8.2. Found by Muhammad Aldo Firmansyah @thecrott.
January, then May, then June… critical vulns fixed by Apple months later, in October.
The scattershot mess is detailed by Bram Moolenaar, who has been posting continuously on a bounty site for months while discussing fixes.
- Use After Free in function did_set_string_option fix in vim / vim Sep 28
- Stack-based Buffer Overflow in function win_redr_ruler fix in vim / vim Sep 27
- Use After Free in function process_next_cpt_value fix in vim / vim Sep 24
- Stack-based Buffer Overflow in function ex_finally fix in vim / vim Sep 24
- Access violation near NULL on destination operand eval.c:2603:37 in segmentation fault fix in vim / vim Sep 22
- Use After Free in function movemark fix in vim / vim Sep 21
- Use After Free in function getcmdline_int fix in vim / vim Sep 17
- Heap-based Buffer Overflow in function utfc_ptr2len fix in vim / vim Sep 16
- Null Dereference in vim_regcomp() fix in vim / vim Sep 7
- Use After Free in function do_tag fix in vim / vim Sep 5
- Use After Free in function do_cmdline fix in vim / vim Sep 2
- Use After Free in Function qf_buf_add_line( ) fix in vim / vim Aug 29
- Use After Free in function get_next_valid_entry fix in vim / vim Aug 27
- Use After Free in function qf_fill_buffer fix in vim / vim Aug 24
- NULL Pointer Dereference in function do_mouse fix in vim / vim Aug 24
- Use After Free in function vim_vsnprintf_typval fix in vim / vim Aug 22
- NULL Pointer Dereference in function sug_filltree fix in vim / vim Aug 21
- Use After Free in function find_var_also_in_script fix in vim / vim Aug 18
- NULL Pointer Dereference in function generate_loadvar fix in vim / vim Aug 17
- use after free in function generate_PCALL fix in vim / vim Aug 16
- Heap-based Buffer Overflow in function latin_ptr2len fix in vim / vim Aug 16
- Buffer Over-read in function utf_head_off fix in vim / vim Aug 16
- Use After Free in function string_quote fix in vim / vim Aug 14
- Out-of-bounds read in function check_vim9_unlet in vim/vim fix in vim / vim Aug 14
- Heap-based Buffer Overflow in function compile_lock_unlock in vim/vim fix in vim / vim Aug 14
- Undefined behavior in diff_write_buffer() fix in vim / vim Jul 30
- Out-of-bounds Read in function utf_ptr2char fix in vim / vim Jul 29
- heap-buffer-overflow occurs in function eval_string ./vim/src/typval.c:2226 fix in vim / vim Jul 29
- Heap-based buffer overflow in function vim_iswordp_buf fix in vim / vim Jul 28
- Heap-based Buffer Overflow in function ins_compl_infercase_gettext() fix in vim / vim Jul 23
- Heap Use After Free in function skipwhite fix in vim / vim Jul 7
- Heap-based buffer overflow in function ins_compl_add fix in vim / vim Jul 7
- Heap-based Buffer Overflow in function ins_compl_add fix in vim / vim Jul 7
- Stack-based Buffer Overflow in function spell_dump_compl fix in vim / vim Jul 4
- Heap Use After Free in function ex_diffgetput fix in vim / vim Jul 2
- Out-of-bound write in function parse_command_modifiers fix in vim / vim Jul 2
- Out-of-bound read data in function suggest_trie_walk() abusing array byts fix in vim / vim Jul 1
- Out-of-bounds Read in function ins_bytes fix in vim / vim Jul 1
- Integer Overflow in function del_typebuf fix in vim / vim Jul 1
- Heap-based Buffer Overflow in function utfc_ptr2len fix in vim / vim Jul 1
- Heap-based buffer overflow in function inc fix in vim / vim Jun 30
- Out-of-bound read in function msg_outtrans_special fix in vim / vim Jun 29
- Null pointer dereference in function skipwhite fix in vim / vim Jun 27
- Out-of-bound write in function ml_append_int fix in vim / vim Jun 26
- Null pointer dereference in function diff_check fix in vim / vim Jun 26
- Heap-based buffer overflow in function ins_bs fix in vim / vim Jun 26
- Out-of-bound read in function msg_outtrans_attr fix in vim / vim Jun 25
- Out-of-bounds Read in function get_lisp_indent fix in vim / vim Jun 22
- Heap-based Buffer Overflow in function utf_ptr2char fix in vim / vim Jun 22
- Buffer Over-read in function put_on_cmdline fix in vim / vim Jun 22
- Memory leaks in function vim_strsave fix in vim / vim Jun 21
- Out-of-bounds write in function vim_regsub_both fix in vim / vim Jun 18
- Out-of-bounds Read in function suggest_trie_walk fix in vim / vim Jun 18
- Heap-based Buffer Overflow in function get_lisp_indent fix in vim / vim Jun 18
- Buffer Over-read in function current_quote fix in vim / vim Jun 18
- use after free in skipwhite fix in vim / vim Jun 9
- Out-of-bounds write in function append_command fix in vim / vim Jun 6
- Use After Free in function utf_ptr2char fix in vim / vim Jun 1
- Heap-based Buffer Overflow in function vim_regsub_both fix in vim / vim May 30
- Buffer Over-read in function utf_ptr2char fix in vim / vim May 28
- Use After Free in function find_pattern_in_path fix in vim / vim May 26
- Out-of-bounds write in function vim_regsub_both fix in vim / vim May 26
- Heap-based Buffer Overflow in function utf_head_off fix in vim / vim May 25
- Out-of-bounds read in function gchar_cursor fix in vim / vim May 24
- heap-use-after-free in function find_pattern_in_path fix in vim / vim May 18
And the list goes on and on… which raises the question of whether a “bounty” system is inflating results for enrichment rather than for efficiency.
Take, for example, these two entries, listed as separate and distinct, each with its own bounty.
- Heap-based buffer overflow in function ins_compl_add fix in vim / vim Jul 7
- Heap-based Buffer Overflow in function ins_compl_add fix in vim / vim Jul 7
The description of the first is “CVE-2022-2343:Heap-based buffer overflow in function ins_compl_add at insexpand.c:751” and the second is “CVE-2022-2344: Heap-based Buffer Overflow in function ins_compl_add at insexpand.c:751”.
What’s the diff?
Why not have one CVE? Why not have a single bounty? Maybe it’s a mistake.
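As an added illustration, not part of the original post or of any Apple or huntr tooling: a small Python triage helper that parses advisory entries in the “CVE-YYYY-NNNN (score Severity)” format quoted above, orders them by CVSS score and then by ID (the ordering the post asks for), and flags bounty titles that differ only in capitalisation or spacing, as the two ins_compl_add entries do. The sample lines and titles are constructed from the post’s own entries.

```python
import re
from collections import defaultdict

# Constructed sample: a few entries in the format of the Ventura advisory list quoted above.
ADVISORY_LINES = """\
CVE-2022-0261 (7.8 High)
CVE-2022-0318 (9.8 Critical)
CVE-2022-0319 (5.5 Medium)
CVE-2022-1927 (9.8 Critical)
CVE-2022-0629 (6.1 Medium)
CVE-2022-2042 (9.8 Critical)
"""

ENTRY_RE = re.compile(
    r"^(CVE-(\d{4})-(\d{4,}))\s+\((\d+\.\d)\s+(Critical|High|Medium|Low)\)\s*$"
)


def parse_advisory(text):
    """Turn 'CVE-YYYY-NNNN (score Severity)' lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"id": m.group(1), "year": int(m.group(2)), "num": int(m.group(3)),
                            "score": float(m.group(4)), "severity": m.group(5)})
    return entries


def sort_by_severity(entries):
    """Highest CVSS score first; ties broken by CVE year and sequence number."""
    return sorted(entries, key=lambda e: (-e["score"], e["year"], e["num"]))


def sort_by_id(entries):
    """Plain sequential order by CVE year and sequence number."""
    return sorted(entries, key=lambda e: (e["year"], e["num"]))


# Constructed sample bounty titles; the two ins_compl_add lines mirror the pair the post questions.
BOUNTY_TITLES = [
    "Heap-based buffer overflow in function ins_compl_add",
    "Heap-based Buffer Overflow in function ins_compl_add",
    "Use After Free in function utf_ptr2char",
    "Buffer Over-read in function utf_ptr2char",
]


def find_duplicate_titles(titles):
    """Group titles that differ only by case or whitespace; return the groups with more than one member."""
    groups = defaultdict(list)
    for title in titles:
        groups[" ".join(title.lower().split())].append(title)
    return [group for group in groups.values() if len(group) > 1]
```

Running `sort_by_severity(parse_advisory(ADVISORY_LINES))` puts the three 9.8 Critical entries first, and `find_duplicate_titles(BOUNTY_TITLES)` returns only the ins_compl_add pair, since the two utf_ptr2char titles describe different bug classes.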