From patchwork Tue Jun 30 04:42:42 2026
X-Patchwork-Submitter: Hitendra Prajapati
X-Patchwork-Id: 91323
From: Hitendra Prajapati
To: openembedded-core@lists.openembedded.org
Cc: Hitendra Prajapati
Subject: [scarthgap][PATCH 1/3] vim: fix for CVE-2026-41411 & CVE-2026-44656
Date: Tue, 30 Jun 2026 10:12:42 +0530
Message-ID: <20260630044249.12023-1-hprajapati@mvista.com>
X-Mailer: git-send-email 2.50.1
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239833

Pick patches from [1] & [2], also mentioned in the NVD reports [3] & [4].

[1] https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb
[2] https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-41411
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-44656

More info:
CVE-2026-41411 - Disallow backticks before attempting to expand filenames.
CVE-2026-44656 - Prevent shell execution from 'path' backticks via modelines.

Signed-off-by: Hitendra Prajapati
---
 .../vim/files/CVE-2026-41411.patch | 75 +++++++++++
 .../vim/files/CVE-2026-44656.patch | 124 ++++++++++++++++++
 meta/recipes-support/vim/vim.inc | 2 +
 3 files changed, 201 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-41411.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-44656.patch

diff --git a/meta/recipes-support/vim/files/CVE-2026-41411.patch b/meta/recipes-support/vim/files/CVE-2026-41411.patch
new file mode 100644
index 0000000000..13d613c204
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-41411.patch
@@ -0,0 +1,75 @@ +From c78194e41d5a0b05b0ddf383b6679b1503f977fb Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Wed, 15 Apr 2026 20:17:17 +0000 +Subject: [PATCH] patch 9.2.0357: [security]: command injection via backticks + in tag files + +Problem: [security]: command injection via backticks in tag files + (Srinivas Piskala Ganesh Babu, Andy Ngo) +Solution: Disallow backticks before attempting to expand filenames. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8 + +Supported by AI + +Signed-off-by: Christian Brabandt + +CVE: CVE-2026-41411 +Upstream-Status: Backport [https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb] +Signed-off-by: Hitendra Prajapati +--- + src/tag.c | 4 +++- + src/testdir/test_tagjump.vim | 22 ++++++++++++++++++++++ + 2 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/src/tag.c b/src/tag.c +index d3e27e6023..0f12e384b5 100644 +--- a/src/tag.c ++++ b/src/tag.c +@@ -4137,8 +4137,10 @@ expand_tag_fname(char_u *fname, char_u *tag_fname, int expand) + + /* + * Expand file name (for environment variables) when needed. ++ * Disallow backticks, they could execute arbitrary shell ++ * commands. This is not needed for tag filenames. + */ +- if (expand && mch_has_wildcard(fname)) ++ if (expand && mch_has_wildcard(fname) && vim_strchr(fname, '`') == NULL) + { + ExpandInit(&xpc); + xpc.xp_context = EXPAND_FILES; +diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim +index bbab3c70e8..c0fa7b02e6 100644 +--- a/src/testdir/test_tagjump.vim ++++ b/src/testdir/test_tagjump.vim +@@ -1693,4 +1693,26 @@ func Test_tag_excmd_with_number_vim9script() + bwipe! + endfunc + ++" Test that backtick expressions in tag filenames are not expanded. ++" This prevents command injection via malicious tags files. 
++func Test_tag_backtick_filename_not_expanded() ++ let pwned_file = 'Xtags_pwnd' ++ call assert_false(filereadable(pwned_file)) ++ ++ let tagline = "main\t`touch " .. pwned_file .. "`\t/^int main/;\"\tf" ++ call writefile([tagline], 'Xbt_tags', 'D') ++ call writefile(['int main(int argc, char **argv) {', '}'], 'Xbt_main.c', 'D') ++ ++ set tags=Xbt_tags ++ sp Xbt_main.c ++ ++ " The :tag command should fail to find the file, but must NOT execute ++ " the backtick shell command. ++ call assert_fails('tag main', 'E429:') ++ call assert_false(filereadable(pwned_file)) ++ ++ set tags& ++ bwipe! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.34.1 + diff --git a/meta/recipes-support/vim/files/CVE-2026-44656.patch b/meta/recipes-support/vim/files/CVE-2026-44656.patch new file mode 100644 index 0000000000..971e4c145b --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-44656.patch 
@@ -0,0 +1,124 @@ +From 190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Sun, 3 May 2026 16:10:03 +0000 +Subject: [PATCH] patch 9.2.0435: [security]: backticks in 'path' may cause + shell execution on completion + +Problem: [security]: Backticks enclosed shell commands in the 'path' + option value are executed during completion (q1uf3ng). +Solution: Skip path entries containing backticks, add P_SECURE to 'path' + option, so that it cannot be set from a modeline (for symmetry with + the 'cdpath' option) + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg + +Supported by AI. + +Signed-off-by: Christian Brabandt + +CVE: CVE-2026-44656 +Upstream-Status: Backport [https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0] +Signed-off-by: Hitendra Prajapati +--- + runtime/doc/options.txt | 3 +++ + src/findfile.c | 4 ++++ + src/optiondefs.h | 2 +- + src/testdir/test_find_complete.vim | 17 +++++++++++++++++ + src/testdir/test_modeline.vim | 14 ++++++++++++++ + 5 files changed, 39 insertions(+), 1 deletion(-) + +diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt +index f083d6ff10..8a4d782262 100644 +--- a/runtime/doc/options.txt ++++ b/runtime/doc/options.txt +@@ -6750,6 +6750,9 @@ A jump table for the options with a short description can be found at |Q_op|. + < Replace the ';' with a ':' or whatever separator is used. Note that + this doesn't work when $INCL contains a comma or white space. + ++ This option cannot be set from a |modeline| or in the |sandbox|, for ++ security reasons. 
++ + *'perldll'* + 'perldll' string (default depends on the build) + global +diff --git a/src/findfile.c b/src/findfile.c +index 0c5d1cf252..fccbc05a76 100644 +--- a/src/findfile.c ++++ b/src/findfile.c +@@ -2412,6 +2412,10 @@ expand_path_option( + { + buflen = copy_option_part(&path_option, buf, MAXPATHL, " ,"); + ++ // do not expand backticks, could have been set via a modeline ++ if (vim_strchr(buf, '`') != NULL) ++ continue; ++ + if (buf[0] == '.' && (buf[1] == NUL || vim_ispathsep(buf[1]))) + { + size_t plen; +diff --git a/src/optiondefs.h b/src/optiondefs.h +index a5e1fe99df..dac06119fc 100644 +--- a/src/optiondefs.h ++++ b/src/optiondefs.h +@@ -1954,7 +1954,7 @@ static struct vimoption options[] = + (char_u *)&p_pm, PV_NONE, + did_set_backupext_or_patchmode, NULL, + {(char_u *)"", (char_u *)0L} SCTX_INIT}, +- {"path", "pa", P_STRING|P_EXPAND|P_VI_DEF|P_COMMA|P_NODUP, ++ {"path", "pa", P_STRING|P_EXPAND|P_VI_DEF|P_SECURE|P_COMMA|P_NODUP, + (char_u *)&p_path, PV_PATH, NULL, NULL, + { + #if defined(AMIGA) || defined(MSWIN) +diff --git a/src/testdir/test_find_complete.vim b/src/testdir/test_find_complete.vim +index 079fb78043..8b8b71c303 100644 +--- a/src/testdir/test_find_complete.vim ++++ b/src/testdir/test_find_complete.vim +@@ -161,4 +161,21 @@ func Test_find_complete() + set path& + endfunc + ++" Verify that backticks in 'path' are not executed ++func Test_find_completion_backtick_in_path() ++ CheckUnix ++ CheckExecutable id ++ ++ new Xpoc.c ++ setl path+=`id>Xrce_marker` ++ " Triggering completion must not execute the backtick command. ++ call getcompletion('', 'file_in_path') ++ call assert_false(filereadable('Xrce_marker')) ++ call feedkeys(":find \t\n", "xt") ++ call assert_false(filereadable('Xrce_marker')) ++ ++ bwipe! 
++ call delete('Xrce_marker') ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim +index 79fc7d14d5..20fb7e0677 100644 +--- a/src/testdir/test_modeline.vim ++++ b/src/testdir/test_modeline.vim +@@ -493,4 +493,18 @@ func Test_modeline_nowrap_lcs_extends() + set equalalways& + endfunc + ++" Verify that backticks in 'path' set from a modeline are not executed ++func Test_path_modeline() ++ let lines =<< trim END ++ // vim: set path+=foobar : ++ END ++ call writefile(lines, 'Xpoc.c', 'D') ++ ++ set nomodelinestrict modeline ++ call assert_fails('split Xpoc.c', 'E520:') ++ ++ bwipe! ++ set modelinestrict& modeline& ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.34.1 + diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index d6fdf45706..efd24650f4 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc 
@@ -16,6 +16,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://disable_acl_header_check.patch \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ + file://CVE-2026-44656.patch \ + file://CVE-2026-41411.patch \ " PV .= ".0340"

From patchwork Tue Jun 30 04:42:43 2026
X-Patchwork-Submitter: Hitendra Prajapati
X-Patchwork-Id: 91324
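Review bot: in the src/tag.c hunk of CVE-2026-41411.patch, a tag filename containing a backtick now silently skips expansion and the lookup then fails with E429 (the new Test_tag_backtick_filename_not_expanded asserts exactly that), so the user sees a generic "tag file not found" with no hint that the name was refused on purpose; consider an explicit message, and the added comment `This is not needed for tag filenames.` should say what still is expanded (environment variables and wildcards in names without backticks) so a later cleanup does not "restore" backtick handling.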
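Review bot: in the src/findfile.c hunk of CVE-2026-44656.patch, the comment `// do not expand backticks, could have been set via a modeline` describes a route that the src/optiondefs.h hunk closes by adding P_SECURE to 'path' (test_modeline.vim now expects E520 for `set path+=foobar` in a modeline), so it should be reworded as defence in depth for any source of the option value; the bare `continue` also drops the entry without any diagnostic, so a user whose legitimate 'path' entry happens to contain a backtick gets no completion results and no explanation, and a warning here or a sentence in the new options.txt paragraph would make that visible.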
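Review bot: in the meta/recipes-support/vim/vim.inc hunk the two new entries are added as `file://CVE-2026-44656.patch` before `file://CVE-2026-41411.patch`; listing them in ascending CVE number, as the subject line does, keeps the SRC_URI block easy to audit against the CVE tags in the patch headers.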
From: Hitendra Prajapati
To: openembedded-core@lists.openembedded.org
Cc: Hitendra Prajapati
Subject: [scarthgap][PATCH 2/3] vim: fix for CVE-2026-45130 & CVE-2026-46483
Date: Tue, 30 Jun 2026 10:12:43 +0530
Message-ID: <20260630044249.12023-2-hprajapati@mvista.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260630044249.12023-1-hprajapati@mvista.com>
References: <20260630044249.12023-1-hprajapati@mvista.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239834

Pick patches from [1] & [2], also mentioned in the NVD reports [3] & [4].

[1] https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8
[2] https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-45130
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-46483

Signed-off-by: Hitendra Prajapati
---
 .../vim/files/CVE-2026-45130.patch | 115 ++++++++++++++++++
 .../vim/files/CVE-2026-46483.patch | 77 ++++++++++++
 meta/recipes-support/vim/vim.inc | 2 +
 3 files changed, 194 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-45130.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-46483.patch

diff --git a/meta/recipes-support/vim/files/CVE-2026-45130.patch b/meta/recipes-support/vim/files/CVE-2026-45130.patch
new file mode 100644
index 0000000000..a86ba79e74
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-45130.patch
@@ -0,0 +1,115 @@ +From 92993329178cb1f72d700fff45ca86e1c2d369f8 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Wed, 6 May 2026 20:50:00 +0200 +Subject: [PATCH] patch 9.2.0450: [security]: heap buffer overflow in + spellfile.c read_compound() + +Problem: read_compound() in spellfile.c computes the size of the regex + pattern buffer using signed-int arithmetic on the attacker + controlled SN_COMPOUND sectionlen. With sectionlen=0x40000008 + and UTF-8 encoding active the multiplication wraps to 27 while + the per-byte loop writes up to ~1B bytes, overflowing the heap. + Reachable when loading a crafted .spl file (e.g. via 'set spell' + after a modeline sets 'spelllang'). The cp/ap/crp allocations + have the same int + 1 overflow class (Daniel Cervera) +Solution: Use type size_t as buffer size and reject values larger than + COMPOUND_MAX_LEN (100000). Apply the same size_t treatment to + the cp/ap/crp allocations. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv + +Co-Authored-By: Claude Opus 4.7 (1M context) +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport [https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8] +CVE: CVE-2026-45130 +Signed-off-by: Hitendra Prajapati +--- + src/spellfile.c | 20 ++++++++++++++------ + src/testdir/test_spellfile.vim | 4 ++++ + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/src/spellfile.c b/src/spellfile.c +index a9a347a89a..5102dad5b6 100644 +--- a/src/spellfile.c ++++ b/src/spellfile.c +@@ -290,6 +290,9 @@ + #define CF_WORD 0x01 + #define CF_UPPER 0x02 + ++// Max allowed length for COMPOUND section ++#define COMPOUND_MAX_LEN 100000 ++ + /* + * Loop through all the siblings of a node (including the node) + */ +@@ -1219,6 +1222,8 @@ read_compound(FILE *fd, slang_T *slang, int len) + char_u *crp; + int cnt; + garray_T *gap; ++ size_t patsize; ++ size_t flagsize; + + if (todo < 2) + return SP_FORMERROR; // need at least two bytes +@@ 
-1275,16 +1280,19 @@ read_compound(FILE *fd, slang_T *slang, int len) + // "a[bc]/a*b+" -> "^\(a[bc]\|a*b\+\)$". + // Inserting backslashes may double the length, "^\(\)$" is 7 bytes. + // Conversion to utf-8 may double the size. +- c = todo * 2 + 7; ++ if ((size_t)todo > COMPOUND_MAX_LEN) ++ return SP_FORMERROR; ++ patsize = (size_t)todo * 2 + 7; + if (enc_utf8) +- c += todo * 2; +- pat = alloc(c); ++ patsize += (size_t)todo * 2; ++ flagsize = (size_t)todo + 1; ++ pat = alloc(patsize); + if (pat == NULL) + return SP_OTHERERROR; + + // We also need a list of all flags that can appear at the start and one + // for all flags. +- cp = alloc(todo + 1); ++ cp = alloc(flagsize); + if (cp == NULL) + { + vim_free(pat); +@@ -1293,7 +1301,7 @@ read_compound(FILE *fd, slang_T *slang, int len) + slang->sl_compstartflags = cp; + *cp = NUL; + +- ap = alloc(todo + 1); ++ ap = alloc(flagsize); + if (ap == NULL) + { + vim_free(pat); +@@ -1305,7 +1313,7 @@ read_compound(FILE *fd, slang_T *slang, int len) + // And a list of all patterns in their original form, for checking whether + // compounding may work in match_compoundrule(). This is freed when we + // encounter a wildcard, the check doesn't work then. +- crp = alloc(todo + 1); ++ crp = alloc(flagsize); + slang->sl_comprules = crp; + + pp = pat; +diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim +index f46a25d99e..8f3ef4907d 100644 +--- a/src/testdir/test_spellfile.vim ++++ b/src/testdir/test_spellfile.vim +@@ -334,6 +334,10 @@ func Test_spellfile_format_error() + " SN_COMPOUND: incorrect comppatlen + call Spellfile_Test(0z080000000007040101000000020165, 'E758:') + ++ " SN_COMPOUND: oversized sectionlen ++ let v = eval('0z08004000000803010161' .. repeat('61', 50) .. 'FF') ++ call Spellfile_Test(v, 'E759:') ++ + " SN_INFO: missing info + call Spellfile_Test(0z0F0000000005040101, '') + +-- +2.34.1 + 
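Review bot: in the read_compound() hunk at -1275,16 +1280,19, `if ((size_t)todo > COMPOUND_MAX_LEN) return SP_FORMERROR;` is the check that stops the 0x40000008 wrap described in the commit message, and the `(size_t)` cast is load-bearing: a negative `todo` becomes a huge unsigned value and is rejected by the same comparison. A one-line comment stating both would keep a later cleanup from dropping the cast or moving the check below the `patsize` computation; it could also sit next to the existing `if (todo < 2) return SP_FORMERROR;` visible in the earlier hunk's context, so the lower and upper bounds on `todo` live in one place.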
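Review bot: in the src/testdir/test_spellfile.vim hunk the new "oversized sectionlen" case declares a sectionlen of 0x40000008 while the blob carries only a few dozen bytes of payload, and it expects E759 where the neighbouring "incorrect comppatlen" case expects E758; a short comment that the new bound check fires before any (truncated) read is attempted, hence a format error rather than a truncation error, would make the expected code self-explanatory.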
diff --git a/meta/recipes-support/vim/files/CVE-2026-46483.patch b/meta/recipes-support/vim/files/CVE-2026-46483.patch new file mode 100644 index 0000000000..72167d4c25 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-46483.patch 
@@ -0,0 +1,77 @@ +From 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Thu, 14 May 2026 15:35:28 +0000 +Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection + in tar plugin + +Problem: [security]: runtime(tar): command injection in tar plugin + (Christopher Lusk) +Solution: Use the correct shellescape(args, 1) form for a :! command + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w + +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport [https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1] +CVE: CVE-2026-46483 +Signed-off-by: Hitendra Prajapati +--- + runtime/autoload/tar.vim | 5 +++-- + src/testdir/test_plugin_tar.vim | 19 +++++++++++++++++++ + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim +index 722a0ab680..d2db9d3b18 100644 +--- a/runtime/autoload/tar.vim ++++ b/runtime/autoload/tar.vim +@@ -23,6 +23,7 @@ + " 2026 Apr 06 by Vim Project: fix bugs with lz4 support (#19925) + " 2026 Apr 09 by Vim Project: fix bugs with zstd support (#19930) + " 2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930) ++" 2026 May 14 by Vim Project: use correct shellescape() call in Vimuntar() + " + " Contains many ideas from Michael Toren's + " +@@ -812,9 +813,9 @@ fun! tar#Vimuntar(...) 
+ " if necessary, decompress the tarball; then, extract it + if tartail =~ '\.tgz' + if executable("gunzip") +- silent exe "!gunzip ".shellescape(tartail) ++ silent exe "!gunzip ".shellescape(tartail, 1) + elseif executable("gzip") +- silent exe "!gzip -d ".shellescape(tartail) ++ silent exe "!gzip -d ".shellescape(tartail, 1) + else + echoerr "unable to decompress<".tartail."> on this system" + if simplify(curdir) != simplify(tarhome) +diff --git a/src/testdir/test_plugin_tar.vim b/src/testdir/test_plugin_tar.vim +index 80b7a76d6d..f1ee9130c6 100644 +--- a/src/testdir/test_plugin_tar.vim ++++ b/src/testdir/test_plugin_tar.vim +@@ -313,3 +313,22 @@ def g:Test_extract_with_dotted_filename() + delete('X.txt') + bw! + enddef ++ ++def g:Test_extract_command_injection() ++ CheckExecutable gunzip ++ CheckExecutable touch ++ var tgz = eval('0z1F8B08087795056A000364756D6D792E74617200EDCE2B12C2300004D01C254' .. ++ '7480269CE534080A8495BD1DBF3996106C3A08A7ACFACD8157B59A7690BFB4A0FC3707C666E357D' .. ++ 'E65BC8B5A47CC8A5D61A522EA5B510D3CEBF5ED679197B8CE17CEDB7F9D4C76FBB5F3D000000000' .. ++ '000000000FCD11D32415E2C00280000') ++ var dirname = tempname() ++ ++ mkdir(dirname, 'R') ++ var tar = dirname .. "/';%$(touch pwned)'.tgz" ++ writefile(tgz, tar) ++ new ++ exe "e " .. fnameescape(tar) ++ exe ":Vimuntar " .. dirname ++ assert_false(filereadable(dirname .. "/pwned")) ++ bw! ++enddef +-- +2.34.1 + diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index efd24650f4..6eafc53c74 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -18,6 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://no-path-adjust.patch \ file://CVE-2026-44656.patch \ file://CVE-2026-41411.patch \ + file://CVE-2026-45130.patch \ + file://CVE-2026-46483.patch \ " PV .= ".0340"
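Review bot: in the tar#Vimuntar() hunk of runtime/autoload/tar.vim only the `gunzip` and `gzip -d` invocations in the `.tgz` branch gain the `, 1` special-character argument to shellescape(), and the diffstat (3 insertions, 2 deletions, one insertion being the changelog line) confirms these are the only call sites touched; since `shellescape(x, 1)` is the form required for an argument interpolated into a `:!` command, the backport should state, in the commit message or the Upstream-Status block, that the remaining `exe "!..."` lines in the plugin were checked and already use it, otherwise a reader cannot tell from this patch alone whether the fix is complete.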
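Review bot: in the Test_extract_command_injection hunk of src/testdir/test_plugin_tar.vim, `assert_false(filereadable(dirname .. "/pwned"))` only proves the injected command did not run with `dirname` as its working directory; the tar.vim context (`if simplify(curdir) != simplify(tarhome)`) suggests Vimuntar() changes directory, but the test should not depend on that, so also assert `filereadable('pwned')` is false in the test's own cwd (and delete the marker on failure) so the check holds wherever the `:!` command would have executed.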