diff --git a/meta/recipes-support/vim/files/CVE-2026-28417.patch b/meta/recipes-support/vim/files/CVE-2026-28417.patch
new file mode 100644
index 0000000000..6598323c41
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-28417.patch
@@ -0,0 +1,92 @@
+From 79348dbbc09332130f4c86045e1541d68514fcc1 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 22 Feb 2026 21:24:48 +0000
+Subject: [PATCH] patch 9.2.0073: [security]: possible command injection using
+ netrw
+
+Problem:  [security]: Insufficient validation of hostname and port in
+          netrw URIs allows command injection via shell metacharacters
+          (ehdgks0627, un3xploitable).
+Solution: Implement stricter RFC1123 hostname and IP validation.
+          Use shellescape() for the provided hostname and port.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+Upstream-Status: Backport from [https://github.com/vim/vim/commit/79348dbbc09332130f4c86045e1541d68514fcc1]
+CVE: CVE-2026-28417
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ .../pack/dist/opt/netrw/autoload/netrw.vim    | 34 +++++++++++++------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+index 1c98104..7ebcd92 100644
+--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
++++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+@@ -5,6 +5,7 @@
+ " 2025 Aug 07 by Vim Project (use correct "=~#" for netrw_stylesize option #17901)
+ " 2025 Aug 07 by Vim Project (netrw#BrowseX() distinguishes remote files #17794)
+ " 2025 Aug 22 by Vim Project netrw#Explore handle terminal correctly #18069
++" 2026 Feb 27 by Vim Project Make the hostname validation more strict
+ " Copyright:  Copyright (C) 2016 Charles E. Campbell {{{1
+ "             Permission is hereby granted to use and distribute this code,
+ "             with or without modifications, provided that this copyright
+@@ -2575,13 +2576,26 @@ endfunction
+ 
+ " s:NetrwValidateHostname:  Validate that the hostname is valid {{{2
+ " Input:
+-"   hostname
++"   hostname, may include an optional username, e.g. user@hostname
++"   allow a alphanumeric hostname or an IPv(4/6) address
+ " Output:
+ "  true if g:netrw_machine is valid according to RFC1123 #Section 2
+ function s:NetrwValidateHostname(hostname)
+-    " RFC1123#section-2 mandates, a valid hostname starts with letters or digits
+-    " so reject everyhing else
+-    return a:hostname =~? '^[a-z0-9]'
++  " Username:
++  let user_pat = '\%([a-zA-Z0-9._-]\+@\)\?'
++  " Hostname: 1-64 chars, alphanumeric/dots/hyphens.
++  " No underscores. No leading/trailing dots/hyphens.
++  let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]{,62}[a-zA-Z0-9]\)\?$'
++
++  " IPv4: 1-3 digits separated by dots
++  let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}$'
++
++  " IPv6: Hex, colons, and optional brackets
++  let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?$'
++
++  return a:hostname =~? '^'.user_pat.host_pat ||
++       \ a:hostname =~? '^'.user_pat.ipv4_pat ||
++       \ a:hostname =~? '^'.user_pat.ipv6_pat
+ endfunction
+ 
+ " NetUserPass: set username and password for subsequent ftp transfer {{{2
+@@ -8948,15 +8962,15 @@ endfunction
+ " s:MakeSshCmd: transforms input command using USEPORT HOSTNAME into {{{2
+ "               a correct command for use with a system() call
+ function s:MakeSshCmd(sshcmd)
+-    if s:user == ""
+-        let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',s:machine,'')
+-    else
+-        let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',s:user."@".s:machine,'')
++    let machine = shellescape(s:machine, 1)
++    if s:user != ''
++        let machine    = shellescape(s:user, 1).'@'.machine
+     endif
++    let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',machine,'')
+     if exists("g:netrw_port") && g:netrw_port != ""
+-        let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.g:netrw_port,'')
++        let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.shellescape(g:netrw_port,1),'')
+     elseif exists("s:port") && s:port != ""
+-        let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.s:port,'')
++        let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.shellescape(s:port,1),'')
+     else
+         let sshcmd= substitute(sshcmd,"USEPORT ",'','')
+     endif
+-- 
+2.34.1
+
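Review bot: In s:NetrwValidateHostname the `host_pat` quantifier `{,62}` is written without the backslash that Vim's magic regex syntax requires for a multi (`=~?` always applies magic rules, so a bare `{` is a literal character while `\{,62}` is the repeat), whereas `ipv4_pat` and `ipv6_pat` on the following lines use `\{3\}`, `\{1,3}` and `\{2,}` correctly. As I read it, a multi-character name such as `example.com` then matches none of the three alternatives and is rejected, while single-character hosts, IPv4 literals and bare-hex IPv6 literals still pass; that is a functionality regression rather than a security gap, because s:MakeSshCmd now wraps user, host and port with `shellescape()` regardless of what the validator accepts. Suggested change: `let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]\{,62}[a-zA-Z0-9]\)\?$'`. Worth checking upstream for a follow-up before carrying the backport as-is; s:MakeSshCmd's body continues past the embedded hunk.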
diff --git a/meta/recipes-support/vim/files/CVE-2026-32249.patch b/meta/recipes-support/vim/files/CVE-2026-32249.patch
new file mode 100644
index 0000000000..841db9e016
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-32249.patch
@@ -0,0 +1,117 @@
+From 36d6e87542cf823d833e451e09a90ee429899cec Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 11 Mar 2026 14:16:29 +0100
+Subject: [PATCH] patch 9.2.0137: [security]: crash with composing char in
+ collection range
+
+Problem:  Using a composing character as the end of a range inside a
+          collection may corrupt the NFA postfix stack
+          (Nathan Mills, after v9.1.0011)
+Solution: When a character is used as the endpoint of a range, do not emit
+          its composing characters separately. Range handling only uses
+          the base codepoint.
+
+supported by AI
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+Upstream-Status: Backport from [https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec]
+CVE: CVE-2026-32249
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/regexp_nfa.c                 | 17 +++++++++++++++--
+ src/testdir/test_regexp_utf8.vim | 19 +++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
+index 6ad682b..7905ec1 100644
+--- a/src/regexp_nfa.c
++++ b/src/regexp_nfa.c
+@@ -1765,6 +1765,7 @@ collection:
+ 	    if (*endp == ']')
+ 	    {
+ 		int plen;
++		bool range_endpoint;
+ 		/*
+ 		 * Try to reverse engineer character classes. For example,
+ 		 * recognize that [0-9] stands for \d and [A-Za-z_] for \h,
+@@ -1812,6 +1813,7 @@ collection:
+ 		while (regparse < endp)
+ 		{
+ 		    int	    oldstartc = startc;
++		    range_endpoint = false;
+ 
+ 		    startc = -1;
+ 		    got_coll_char = FALSE;
+@@ -1975,6 +1977,7 @@ collection:
+ 		    if (emit_range)
+ 		    {
+ 			int	endc = startc;
++			range_endpoint = true;
+ 
+ 			startc = oldstartc;
+ 			if (startc > endc)
+@@ -2053,7 +2056,14 @@ collection:
+ 			}
+ 		    }
+ 
+-		    if (enc_utf8 && (utf_ptr2len(regparse) != (plen = utfc_ptr2len(regparse))))
++		    //
++		    // If this character was consumed as the end of a range, do not emit its
++		    // composing characters separately.  Range handling only uses the base
++		    // codepoint; emitting the composing part again would duplicate the
++		    // character in the postfix stream and corrupt the NFA stack.
++		    //
++		    if (!range_endpoint && enc_utf8 &&
++			    (utf_ptr2len(regparse) != (plen = utfc_ptr2len(regparse))))
+ 		    {
+ 			int i = utf_ptr2len(regparse);
+ 
+@@ -3187,7 +3197,10 @@ nfa_max_width(nfa_state_T *startstate, int depth)
+ 		    ++len;
+ 		if (state->c != NFA_ANY)
+ 		{
+-		    // skip over the characters
++		    // Skip over the compiled collection.
++		    // malformed NFAs must not crash width estimation.
++		    if (state->out1 == NULL || state->out1->out == NULL)
++			return -1;
+ 		    state = state->out1->out;
+ 		    continue;
+ 		}
+diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
+index a4353f1..3b58416 100644
+--- a/src/testdir/test_regexp_utf8.vim
++++ b/src/testdir/test_regexp_utf8.vim
+@@ -615,6 +615,25 @@ func Test_search_multibyte_match_ascii()
+     call assert_equal(['ſſ','ſ'], noic_match3, "No-Ignorecase Collection Regex-engine: " .. &re)
+   endfor
+   bw!
++  set ignorecase&vim re&vim
++endfun
++
++func Test_regex_collection_range_with_composing_crash()
++  " Regression test: composing char in collection range caused NFA crash/E874
++  new
++  call setline(1, ['00', '0ֻ', '01'])
++  let patterns = [ '0[0-0ֻ]\@<!','0[0ֻ]\@<!']
++
++  for pat in patterns
++    " Should compile and execute without crash or error
++    for re in range(3)
++      let regex = '\%#=' .. re .. pat
++      call search(regex)
++      call assert_fails($"/{regex}\<cr>", 'E486:')
++    endfor
++  endfor
++
++  bwipe!
+ endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.34.1
+
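Review bot: The new `range_endpoint` flag in the collection parser is declared `bool` and assigned `false`/`true`, while the surrounding code in the same loop uses Vim's `int`/`TRUE`/`FALSE` convention (`got_coll_char = FALSE;` two lines below the reset). If the rest of regexp_nfa.c follows that convention, which the visible context suggests, the three lines would read `int range_endpoint;`, `range_endpoint = FALSE;` and `range_endpoint = TRUE;`, so the flag does not stand out and the file does not depend on `<stdbool.h>` being pulled in indirectly. The block comment above the `!range_endpoint && enc_utf8` guard explains the reason for the change well and is the right place for it. The `collection:` parsing loop and nfa_max_width both start and end outside the embedded hunks.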
diff --git a/meta/recipes-support/vim/files/CVE-2026-45130.patch b/meta/recipes-support/vim/files/CVE-2026-45130.patch
new file mode 100644
index 0000000000..f44dfd66d6
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-45130.patch
@@ -0,0 +1,115 @@
+From 92993329178cb1f72d700fff45ca86e1c2d369f8 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 6 May 2026 20:50:00 +0200
+Subject: [PATCH] patch 9.2.0450: [security]: heap buffer overflow in
+ spellfile.c read_compound()
+
+Problem:  read_compound() in spellfile.c computes the size of the regex
+          pattern buffer using signed-int arithmetic on the attacker
+          controlled SN_COMPOUND sectionlen.  With sectionlen=0x40000008
+          and UTF-8 encoding active the multiplication wraps to 27 while
+          the per-byte loop writes up to ~1B bytes, overflowing the heap.
+          Reachable when loading a crafted .spl file (e.g. via 'set spell'
+          after a modeline sets 'spelllang').  The cp/ap/crp allocations
+          have the same int + 1 overflow class (Daniel Cervera)
+Solution: Use type size_t as buffer size and reject values larger than
+          COMPOUND_MAX_LEN (100000).  Apply the same size_t treatment to
+          the cp/ap/crp allocations.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+Upstream-Status: Backport from [https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8]
+CVE: CVE-2026-45130
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/spellfile.c                | 20 ++++++++++++++------
+ src/testdir/test_spellfile.vim |  4 ++++
+ 2 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/src/spellfile.c b/src/spellfile.c
+index 0b9536d..768e9fd 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -296,6 +296,9 @@
+ #define CF_WORD		0x01
+ #define CF_UPPER	0x02
+ 
++// Max allowed length for COMPOUND section
++#define COMPOUND_MAX_LEN	100000
++
+ /*
+  * Loop through all the siblings of a node (including the node)
+  */
+@@ -1225,6 +1228,8 @@ read_compound(FILE *fd, slang_T *slang, int len)
+     char_u	*crp;
+     int		cnt;
+     garray_T	*gap;
++    size_t	patsize;
++    size_t	flagsize;
+ 
+     if (todo < 2)
+ 	return SP_FORMERROR;	// need at least two bytes
+@@ -1281,16 +1286,19 @@ read_compound(FILE *fd, slang_T *slang, int len)
+     // "a[bc]/a*b+" -> "^\(a[bc]\|a*b\+\)$".
+     // Inserting backslashes may double the length, "^\(\)$<Nul>" is 7 bytes.
+     // Conversion to utf-8 may double the size.
+-    c = todo * 2 + 7;
++    if ((size_t)todo > COMPOUND_MAX_LEN)
++	return SP_FORMERROR;
++    patsize = (size_t)todo * 2 + 7;
+     if (enc_utf8)
+-	c += todo * 2;
+-    pat = alloc(c);
++	patsize += (size_t)todo * 2;
++    flagsize = (size_t)todo + 1;
++    pat = alloc(patsize);
+     if (pat == NULL)
+ 	return SP_OTHERERROR;
+ 
+     // We also need a list of all flags that can appear at the start and one
+     // for all flags.
+-    cp = alloc(todo + 1);
++    cp = alloc(flagsize);
+     if (cp == NULL)
+     {
+ 	vim_free(pat);
+@@ -1299,7 +1307,7 @@ read_compound(FILE *fd, slang_T *slang, int len)
+     slang->sl_compstartflags = cp;
+     *cp = NUL;
+ 
+-    ap = alloc(todo + 1);
++    ap = alloc(flagsize);
+     if (ap == NULL)
+     {
+ 	vim_free(pat);
+@@ -1311,7 +1319,7 @@ read_compound(FILE *fd, slang_T *slang, int len)
+     // And a list of all patterns in their original form, for checking whether
+     // compounding may work in match_compoundrule().  This is freed when we
+     // encounter a wildcard, the check doesn't work then.
+-    crp = alloc(todo + 1);
++    crp = alloc(flagsize);
+     slang->sl_comprules = crp;
+ 
+     pp = pat;
+diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
+index b72974e..d345492 100644
+--- a/src/testdir/test_spellfile.vim
++++ b/src/testdir/test_spellfile.vim
+@@ -334,6 +334,10 @@ func Test_spellfile_format_error()
+   " SN_COMPOUND: incorrect comppatlen
+   call Spellfile_Test(0z080000000007040101000000020165, 'E758:')
+ 
++  " SN_COMPOUND: oversized sectionlen
++  let v = eval('0z08004000000803010161' .. repeat('61', 50) .. 'FF')
++  call Spellfile_Test(v, 'E759:')
++
+   " SN_INFO: missing info
+   call Spellfile_Test(0z0F0000000005040101, '')
+ 
+-- 
+2.34.1
+
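Review bot: The new guard `if ((size_t)todo > COMPOUND_MAX_LEN)` in read_compound relies on the unsigned conversion to also reject a negative `todo`, which is not obvious to a reader and deserves a comment such as `// Bound the section length; the cast also rejects a negative "todo".` It is also worth stating there that the later `(size_t)todo * 2 + 7` and `(size_t)todo + 1` cannot wrap because `todo` is now at most COMPOUND_MAX_LEN, since that bound is the whole point of the fix. The old size variable `c` is no longer assigned in this hunk; if it has no remaining use in read_compound it can be dropped from the declarations, which are outside the visible hunk. The enclosing function starts and ends outside the embedded hunks.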
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 3a988fbe7d..262833ea33 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -28,6 +28,9 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://CVE-2026-44656.patch \
            file://CVE-2026-41411.patch \
            file://CVE-2026-28421.patch \
+           file://CVE-2026-32249.patch \
+           file://CVE-2026-28417.patch \
+           file://CVE-2026-45130.patch \
            "
 
 PV .= ".1683"
