From patchwork Mon Jun 22 07:26:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hitendra Prajapati X-Patchwork-Id: 90615 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F455CDB471 for ; Mon, 22 Jun 2026 07:26:30 +0000 (UTC) Received: from mail-dy1-f169.google.com (mail-dy1-f169.google.com [74.125.82.169]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.37802.1782113189579474346 for ; Mon, 22 Jun 2026 00:26:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=WnHUEeup; spf=pass (domain: mvista.com, ip: 74.125.82.169, mailfrom: hprajapati@mvista.com) Received: by mail-dy1-f169.google.com with SMTP id 5a478bee46e88-3078e0dcd67so4552859eec.0 for ; Mon, 22 Jun 2026 00:26:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1782113189; x=1782717989; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=tNKoy8LBCxDXIje7TlkQtAikCs5WX+Hl2n4502ggyJU=; b=WnHUEeupg99Ub7KBm+Z643wKwVxuHBU6dsjTuoqS/Fy3KpceYEbAb6V6bbHOLQjYIG f7v/sVmR+CBJikMqB2hEloPNTvdp5Co9EFYhmICpq9/0F0g6UonXt5UxjnUCYDsTEToe /zTPta1LUv7n4eX5eaN8sZbsMUwdWkuVLyAoc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782113189; x=1782717989; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=tNKoy8LBCxDXIje7TlkQtAikCs5WX+Hl2n4502ggyJU=; b=ekUKRrIxGcFfvYImUHAvbqeANT5+H9TLhTUpliqYy/O22Gv5Lg+SUDRyQ60nlAngBH Lusp/pNPsC1WXSg8aZQ5wTe+wQwBChcX51T4/yjM6lV5oYfgdBV/GZ+PsnOjEKO9qhxC F6VqCsz9QVpxc+3epINQ0LwPzVfH2svPV+Y+T2Xr0tGTmN07gHJk9h2aYuFL4gfC2cOA NFloNu8O4jbSg87zeoY/UxrqlLU8//ZgJDsL6pBg/YdIb0zBJMj5IuyohmiKW5BdFY+j hQmr4ICiFk96nCiGT4NDMNn4r5OrFoQ4N7zEaVplZd4Y2G9Qu3224qEi7O6MdHWnsixV v65g== X-Gm-Message-State: AOJu0Ywjr8irse7m80qNH2bGb7c9dmu1xlWVeBJC6vG9c6pMY9WbGoi1 RM3KiQUBNq0qXSwUmPmQnH5kN69FYkty3ZGdm35jdyB+mPV34Jl/BMT8/cbKY/gWP7RVg26cuWI 5JAg8 X-Gm-Gg: AfdE7cke0mefANPRjnNEeJtqzXiU6j842SMJUjHsgwEuZ8YlbSfee+PmHr8iINkfSgN 4XKHky8UAwVhYLd4BXCH5mEUHSEqxjpVstJbtiwV5eQjZOHp66edDk8oHvqImv2AU/RLhdU4+eS mGBMYPCo+fdrp9nUQXOV6iOHARO7ASvRMxPWcGjueNZhYDu/6OpUVNDbUwr5EXaosXHoK9TMY4z YO+WGp9s7wcl+vuIJKF+1+a3OCAGzOoNNTTprXltNkz8wF0lWnF/xbKSSgbuEoLXn+K4BZpOFaz APWWjXG2Mxdhq70esd22P7l/l9k6cU1BdQMZIOUtFz7dTBVaa3gNrLaBJizLH8Fy2S7UvPpEBP7 BA8dNbgCe4Y0L44DdAQVxKo1DyUP8XOg67y3A7PKRwTNrRgSXjKmgYNozkqmW7XmWLKXqIPMZjF 0nwB+z6AuZ8N/sx80nmoEpirmbLA== X-Received: by 2002:a05:7300:2150:b0:2ce:25be:c8e8 with SMTP id 5a478bee46e88-30c071533cemr9617062eec.17.1782113188730; Mon, 22 Jun 2026 00:26:28 -0700 (PDT) Received: from MVIN00013.mvista.com ([103.250.136.200]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-30c1be5c5desm9516503eec.28.2026.06.22.00.26.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jun 2026 00:26:28 -0700 (PDT) From: Hitendra Prajapati To: openembedded-core@lists.openembedded.org Cc: Hitendra Prajapati Subject: [scarthgap][PATCH] vim: Security fix for CVE-2026-28420 & CVE-2026-46483 Date: Mon, 22 Jun 2026 12:56:19 +0530 Message-ID: <20260622072620.23436-1-hprajapati@mvista.com> X-Mailer: git-send-email 2.50.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 22 Jun 2026 07:26:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239271 Pick patch from [1] & [2] also mentioned at NVD report in 3 & 4 [1] https://github.com/vim/vim/commit/bb6de2105b160e729c340631435cd62f3e69bd32 [2] https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 [3] https://nvd.nist.gov/vuln/detail/CVE-2026-28420 [4] https://nvd.nist.gov/vuln/detail/CVE-2026-46483 --- .../vim/files/CVE-2026-28420.patch | 162 ++++++++++++++++++ .../vim/files/CVE-2026-46483.patch | 77 +++++++++ meta/recipes-support/vim/vim.inc | 2 + 3 files changed, 241 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-28420.patch create mode 100644 meta/recipes-support/vim/files/CVE-2026-46483.patch diff --git a/meta/recipes-support/vim/files/CVE-2026-28420.patch b/meta/recipes-support/vim/files/CVE-2026-28420.patch new file mode 100644 index 0000000000..72e87d470a --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-28420.patch @@ -0,0 +1,162 @@ +From bb6de2105b160e729c340631435cd62f3e69bd32 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Mon, 23 Feb 2026 20:29:43 +0000 +Subject: [PATCH] patch 9.2.0076: [security]: buffer-overflow in terminal + handling + +Problem: When processing terminal output with many combining characters + from supplementary planes (4-byte UTF-8), a heap-buffer + overflow occurs. Additionally, the loop iterating over + cell characters can read past the end of the vterm array + (ehdgks0627, un3xploitable). +Solution: Use VTERM_MAX_CHARS_PER_CELL * 4 for ga_grow() to ensure + sufficient space. Add a boundary check to the character + loop to prevent index out-of-bounds access. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg + +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport from [https://github.com/vim/vim/commit/bb6de2105b160e729c340631435cd62f3e69bd32] +CVE: CVE-2026-28420 +Signed-off-by: Hitendra Prajapati +--- + src/terminal.c | 5 +- + .../samples/terminal_max_combining_chars.txt | 80 +++++++++++++++++++ + src/testdir/test_terminal3.vim | 14 ++++ + 3 files changed, 97 insertions(+), 2 deletions(-) + create mode 100644 src/testdir/samples/terminal_max_combining_chars.txt + +diff --git a/src/terminal.c b/src/terminal.c +index 921b234..78990ac 100644 +--- a/src/terminal.c ++++ b/src/terminal.c +@@ -3533,12 +3533,13 @@ handle_pushline(int cols, const VTermScreenCell *cells, void *user) + { + for (col = 0; col < len; col += cells[col].width) + { +- if (ga_grow(&ga, MB_MAXBYTES) == FAIL) ++ if (ga_grow(&ga, VTERM_MAX_CHARS_PER_CELL * 4) == FAIL) + { + ga.ga_len = 0; + break; + } +- for (i = 0; (c = cells[col].chars[i]) > 0 || i == 0; ++i) ++ for (i = 0; i < VTERM_MAX_CHARS_PER_CELL && ++ ((c = cells[col].chars[i]) > 0 || i == 0); ++i) + ga.ga_len += utf_char2bytes(c == NUL ? ' ' : c, + (char_u *)ga.ga_data + ga.ga_len); + cell2cellattr(&cells[col], &p[col]); +diff --git a/src/testdir/samples/terminal_max_combining_chars.txt b/src/testdir/samples/terminal_max_combining_chars.txt +new file mode 100644 +index 0000000..a4f508d +--- /dev/null ++++ b/src/testdir/samples/terminal_max_combining_chars.txt +@@ -0,0 +1,80 @@ ++padding line 000 ++padding line 001 ++padding line 002 ++padding line 003 ++padding line 004 ++padding line 005 ++padding line 006 ++padding line 007 ++padding line 008 ++padding line 009 ++padding line 010 ++padding line 011 ++padding line 012 ++padding line 013 ++padding line 014 ++padding line 015 ++padding line 016 ++padding line 017 ++padding line 018 ++padding line 019 ++padding line 020 ++padding line 021 ++padding line 022 ++padding line 023 ++padding line 024 ++padding line 025 ++padding line 026 ++padding line 027 ++padding line 028 ++padding line 029 ++padding line 030 ++padding line 031 ++padding line 032 ++padding line 033 ++padding line 034 ++padding line 035 ++padding line 036 ++padding line 037 ++padding line 038 ++padding line 039 ++padding line 040 ++padding line 041 ++padding line 042 ++padding line 043 ++padding line 044 ++padding line 045 ++padding line 046 ++padding line 047 ++padding line 048 ++padding line 049 ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA