diff --git a/meta/recipes-support/vim/files/CVE-2026-33412.patch b/meta/recipes-support/vim/files/CVE-2026-33412.patch new file mode 100644 index 0000000000..44d7ae6d24 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-33412.patch @@ -0,0 +1,52 @@ +From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001 +From: pyllyukko +Date: Thu, 19 Mar 2026 19:58:05 +0000 +Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in + glob() + +Problem: The glob() function on Unix-like systems does not escape + newline characters when expanding wildcards. A maliciously + crafted string containing '\n' can be used as a command + separator to execute arbitrary shell commands via + mch_expand_wildcards(). This depends on the user's 'shell' + setting. +Solution: Add the newline character ('\n') to the SHELL_SPECIAL + definition to ensure it is properly escaped before being + passed to the shell (pyllyukko). + +closes: #19746 + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c + +Signed-off-by: pyllyukko +Signed-off-by: Christian Brabandt + +CVE: CVE-2026-33412 +Upstream-Status: Backport [https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a] + +Backport Changes: +- Excluded changes to src/version.c from this backport. The recipe tracks Vim + tag v9.2.0110, so upstream patchlevel bookkeeping updates are not needed for + the security fix. + +Signed-off-by: Ashish Sharma +--- + src/os_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/os_unix.c b/src/os_unix.c +index cf195e62e1..d767956b1a 100644 +--- a/src/os_unix.c ++++ b/src/os_unix.c +@@ -7106,7 +7106,7 @@ mch_expandpath( + # define SEEK_END 2 + # endif + +-# define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|" ++# define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n" + + int + mch_expand_wildcards( +-- +2.50.1 diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 9a5ec9652f..7a3c65b5c2 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -16,6 +16,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://disable_acl_header_check.patch \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ + file://CVE-2026-33412.patch \ " PV .= ".0110"