CVE-2023-48235: 
NixOS vulnerability analysis and mitigation

CVE-2023-48235 is a security vulnerability discovered in Vim, an open source command line text editor, disclosed on November 16, 2023. The vulnerability occurs when parsing relative ex addresses, where an overflow can unintentionally occur in the existing overflow check due to negative line numbers causing an overflow when subtracted from LONG_MAX. The issue affects Vim versions prior to 9.0.2110 (Vim Advisory, OSS Security).

The vulnerability is classified as an Integer Overflow or Wraparound (CWE-190) with a CVSS v3.1 base score of 4.3 (MEDIUM) according to NIST, and 2.8 (LOW) according to GitHub. The issue occurs specifically in the ex address parsing functionality where the line number becomes negative, causing an arithmetic overflow when performing the calculation LONG_MAX - lnum. The vulnerability requires user interaction and has been assigned the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (NVD, Vim Advisory).

The impact of this vulnerability is considered low, as it requires user interaction to exploit and may not consistently result in a crash. If successfully exploited, the vulnerability could lead to a denial of service condition (Vim Advisory, NetApp Advisory).

The vulnerability has been fixed in Vim version 9.0.2110. The fix involves verifying that the line number (lnum) is positive before performing the overflow check. Users are advised to upgrade to version 9.0.2110 or later. The patch was implemented in commit 060623e (Vim Patch, Vim Advisory).

The vulnerability was responsibly disclosed and quickly patched. Multiple Linux distributions, including Fedora and Ubuntu, have released security updates to address this vulnerability along with other related Vim security issues. NetApp has also acknowledged the vulnerability and is investigating its impact on their products (Fedora Update, NetApp Advisory).