From patchwork Tue Jun 30 04:43:39 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hitendra Prajapati
X-Patchwork-Id: 91325
From: Hitendra Prajapati
To: openembedded-core@lists.openembedded.org
Cc: Hitendra Prajapati
Subject: [wrynose][PATCH 1/3] vim: fix for CVE-2026-41411 & CVE-2026-44656
Date: Tue, 30 Jun 2026 10:13:39 +0530
Message-ID: <20260630044343.12138-1-hprajapati@mvista.com>
X-Mailer: git-send-email 2.50.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239835

Pick patch from [1] & [2] also mentioned at NVD report in [3] & [4]

[1] https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb
[2] https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-41411
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-44656

More info:
CVE-2026-41411 - Disallow backticks before attempting to expand filenames.
CVE-2026-44656 - Prevent shell execution from 'path' backticks via modelines.

Signed-off-by: Hitendra Prajapati
---
 .../vim/files/CVE-2026-41411.patch | 75 +++++++++++
 .../vim/files/CVE-2026-44656.patch | 124 ++++++++++++++++++
 meta/recipes-support/vim/vim.inc | 2 +
 3 files changed, 201 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-41411.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-44656.patch

diff --git a/meta/recipes-support/vim/files/CVE-2026-41411.patch b/meta/recipes-support/vim/files/CVE-2026-41411.patch new file mode 100644 index 0000000000..13d613c204 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-41411.patch
@@ -0,0 +1,75 @@ +From c78194e41d5a0b05b0ddf383b6679b1503f977fb Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Wed, 15 Apr 2026 20:17:17 +0000 +Subject: [PATCH] patch 9.2.0357: [security]: command injection via backticks + in tag files + +Problem: [security]: command injection via backticks in tag files + (Srinivas Piskala Ganesh Babu, Andy Ngo) +Solution: Disallow backticks before attempting to expand filenames. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8 + +Supported by AI + +Signed-off-by: Christian Brabandt + +CVE: CVE-2026-41411 +Upstream-Status: Backport [https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb] +Signed-off-by: Hitendra Prajapati +--- + src/tag.c | 4 +++- + src/testdir/test_tagjump.vim | 22 ++++++++++++++++++++++ + 2 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/src/tag.c b/src/tag.c +index d3e27e6023..0f12e384b5 100644 +--- a/src/tag.c ++++ b/src/tag.c +@@ -4137,8 +4137,10 @@ expand_tag_fname(char_u *fname, char_u *tag_fname, int expand) + + /* + * Expand file name (for environment variables) when needed. ++ * Disallow backticks, they could execute arbitrary shell ++ * commands. This is not needed for tag filenames. + */ +- if (expand && mch_has_wildcard(fname)) ++ if (expand && mch_has_wildcard(fname) && vim_strchr(fname, '`') == NULL) + { + ExpandInit(&xpc); + xpc.xp_context = EXPAND_FILES; +diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim +index bbab3c70e8..c0fa7b02e6 100644 +--- a/src/testdir/test_tagjump.vim ++++ b/src/testdir/test_tagjump.vim +@@ -1693,4 +1693,26 @@ func Test_tag_excmd_with_number_vim9script() + bwipe! + endfunc + ++" Test that backtick expressions in tag filenames are not expanded. ++" This prevents command injection via malicious tags files. 
++func Test_tag_backtick_filename_not_expanded() ++ let pwned_file = 'Xtags_pwnd' ++ call assert_false(filereadable(pwned_file)) ++ ++ let tagline = "main\t`touch " .. pwned_file .. "`\t/^int main/;\"\tf" ++ call writefile([tagline], 'Xbt_tags', 'D') ++ call writefile(['int main(int argc, char **argv) {', '}'], 'Xbt_main.c', 'D') ++ ++ set tags=Xbt_tags ++ sp Xbt_main.c ++ ++ " The :tag command should fail to find the file, but must NOT execute ++ " the backtick shell command. ++ call assert_fails('tag main', 'E429:') ++ call assert_false(filereadable(pwned_file)) ++ ++ set tags& ++ bwipe! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.34.1 + diff --git a/meta/recipes-support/vim/files/CVE-2026-44656.patch b/meta/recipes-support/vim/files/CVE-2026-44656.patch new file mode 100644 index 0000000000..971e4c145b --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-44656.patch 
@@ -0,0 +1,124 @@ +From 190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Sun, 3 May 2026 16:10:03 +0000 +Subject: [PATCH] patch 9.2.0435: [security]: backticks in 'path' may cause + shell execution on completion + +Problem: [security]: Backticks enclosed shell commands in the 'path' + option value are executed during completion (q1uf3ng). +Solution: Skip path entries containing backticks, add P_SECURE to 'path' + option, so that it cannot be set from a modeline (for symmetry with + the 'cdpath' option) + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg + +Supported by AI. + +Signed-off-by: Christian Brabandt + +CVE: CVE-2026-44656 +Upstream-Status: Backport [https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0] +Signed-off-by: Hitendra Prajapati +--- + runtime/doc/options.txt | 3 +++ + src/findfile.c | 4 ++++ + src/optiondefs.h | 2 +- + src/testdir/test_find_complete.vim | 17 +++++++++++++++++ + src/testdir/test_modeline.vim | 14 ++++++++++++++ + 5 files changed, 39 insertions(+), 1 deletion(-) + +diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt +index f083d6ff10..8a4d782262 100644 +--- a/runtime/doc/options.txt ++++ b/runtime/doc/options.txt +@@ -6750,6 +6750,9 @@ A jump table for the options with a short description can be found at |Q_op|. + < Replace the ';' with a ':' or whatever separator is used. Note that + this doesn't work when $INCL contains a comma or white space. + ++ This option cannot be set from a |modeline| or in the |sandbox|, for ++ security reasons. 
++ + *'perldll'* + 'perldll' string (default depends on the build) + global +diff --git a/src/findfile.c b/src/findfile.c +index 0c5d1cf252..fccbc05a76 100644 +--- a/src/findfile.c ++++ b/src/findfile.c +@@ -2412,6 +2412,10 @@ expand_path_option( + { + buflen = copy_option_part(&path_option, buf, MAXPATHL, " ,"); + ++ // do not expand backticks, could have been set via a modeline ++ if (vim_strchr(buf, '`') != NULL) ++ continue; ++ + if (buf[0] == '.' && (buf[1] == NUL || vim_ispathsep(buf[1]))) + { + size_t plen; +diff --git a/src/optiondefs.h b/src/optiondefs.h +index a5e1fe99df..dac06119fc 100644 +--- a/src/optiondefs.h ++++ b/src/optiondefs.h +@@ -1954,7 +1954,7 @@ static struct vimoption options[] = + (char_u *)&p_pm, PV_NONE, + did_set_backupext_or_patchmode, NULL, + {(char_u *)"", (char_u *)0L} SCTX_INIT}, +- {"path", "pa", P_STRING|P_EXPAND|P_VI_DEF|P_COMMA|P_NODUP, ++ {"path", "pa", P_STRING|P_EXPAND|P_VI_DEF|P_SECURE|P_COMMA|P_NODUP, + (char_u *)&p_path, PV_PATH, NULL, NULL, + { + #if defined(AMIGA) || defined(MSWIN) +diff --git a/src/testdir/test_find_complete.vim b/src/testdir/test_find_complete.vim +index 079fb78043..8b8b71c303 100644 +--- a/src/testdir/test_find_complete.vim ++++ b/src/testdir/test_find_complete.vim +@@ -161,4 +161,21 @@ func Test_find_complete() + set path& + endfunc + ++" Verify that backticks in 'path' are not executed ++func Test_find_completion_backtick_in_path() ++ CheckUnix ++ CheckExecutable id ++ ++ new Xpoc.c ++ setl path+=`id>Xrce_marker` ++ " Triggering completion must not execute the backtick command. ++ call getcompletion('', 'file_in_path') ++ call assert_false(filereadable('Xrce_marker')) ++ call feedkeys(":find \t\n", "xt") ++ call assert_false(filereadable('Xrce_marker')) ++ ++ bwipe! 
++ call delete('Xrce_marker') ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim +index 79fc7d14d5..20fb7e0677 100644 +--- a/src/testdir/test_modeline.vim ++++ b/src/testdir/test_modeline.vim +@@ -493,4 +493,18 @@ func Test_modeline_nowrap_lcs_extends() + set equalalways& + endfunc + ++" Verify that backticks in 'path' set from a modeline are not executed ++func Test_path_modeline() ++ let lines =<< trim END ++ // vim: set path+=foobar : ++ END ++ call writefile(lines, 'Xpoc.c', 'D') ++ ++ set nomodelinestrict modeline ++ call assert_fails('split Xpoc.c', 'E520:') ++ ++ bwipe! ++ set modelinestrict& modeline& ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.34.1 + diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index d6fdf45706..efd24650f4 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc 
@@ -16,6 +16,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://disable_acl_header_check.patch \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ + file://CVE-2026-44656.patch \ + file://CVE-2026-41411.patch \ " PV .= ".0340"

From patchwork Tue Jun 30 04:43:40 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hitendra Prajapati
X-Patchwork-Id: 91326
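
Review bot: In CVE-2026-41411.patch (PATCH 1/3), the added test Test_tag_backtick_filename_not_expanded() has no platform guard and never removes its marker file. The test depends on the shell being able to run "touch"; where it cannot, both assert_false(filereadable(pwned_file)) checks pass without proving anything, and if the fix ever regresses, the leftover Xtags_pwnd makes the first assertion fail on the next run. The 'path' test in CVE-2026-44656.patch already uses CheckUnix, CheckExecutable and a final "call delete(...)", and the same three lines would fit here. In src/tag.c the added condition skips the whole expansion branch when fname contains a backtick, so environment variables in such a name are no longer expanded either; the comment "This is not needed for tag filenames" would be clearer if it said that backtick expansion is the thing that is not needed. Both points belong upstream rather than as a divergence in the backport.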
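
Review bot: In CVE-2026-44656.patch (PATCH 1/3), the comment above Test_path_modeline() in src/testdir/test_modeline.vim does not match what the test checks. It says backticks in 'path' set from a modeline are not executed, but the modeline is "vim: set path+=foobar :" with no backtick, and the assertion is E520, so the test covers the new P_SECURE flag and not the backtick skip in expand_path_option(). The findfile.c comment "could have been set via a modeline" has the same problem: once P_SECURE is added in optiondefs.h by this patch, that route is closed, and the "continue" is a second layer for values of 'path' that arrive some other way. It also drops the entry silently, which is worth stating in the options.txt paragraph next to the modeline and sandbox restriction.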
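
Review bot: In the vim.inc hunk (PATCH 1/3), CVE-2026-44656.patch is listed before CVE-2026-41411.patch, the reverse of both the CVE numbering and the upstream order (9.2.0357, then 9.2.0435). The two patches touch different source files, so they apply either way, but keeping SRC_URI in upstream order makes later backports easier to slot in. Since the context line shows the base as PV .0340, it is also worth confirming that the backported tests are valid on that base, for example that the 'modelinestrict' option toggled by Test_path_modeline() exists there.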
From: Hitendra Prajapati
To: openembedded-core@lists.openembedded.org
Cc: Hitendra Prajapati
Subject: [wrynose][PATCH 2/3] vim: fix for CVE-2026-45130 & CVE-2026-46483
Date: Tue, 30 Jun 2026 10:13:40 +0530
Message-ID: <20260630044343.12138-2-hprajapati@mvista.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260630044343.12138-1-hprajapati@mvista.com>
References: <20260630044343.12138-1-hprajapati@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239836

Pick patch from [1] & [2] also mentioned at NVD report in [3] & [4]

[1] https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8
[2] https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-45130
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-46483

Signed-off-by: Hitendra Prajapati
---
 .../vim/files/CVE-2026-45130.patch | 115 ++++++++++++++++++
 .../vim/files/CVE-2026-46483.patch | 77 ++++++++++++
 meta/recipes-support/vim/vim.inc | 2 +
 3 files changed, 194 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-45130.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-46483.patch

diff --git a/meta/recipes-support/vim/files/CVE-2026-45130.patch b/meta/recipes-support/vim/files/CVE-2026-45130.patch new file mode 100644 index 0000000000..a86ba79e74 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-45130.patch
@@ -0,0 +1,115 @@ +From 92993329178cb1f72d700fff45ca86e1c2d369f8 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Wed, 6 May 2026 20:50:00 +0200 +Subject: [PATCH] patch 9.2.0450: [security]: heap buffer overflow in + spellfile.c read_compound() + +Problem: read_compound() in spellfile.c computes the size of the regex + pattern buffer using signed-int arithmetic on the attacker + controlled SN_COMPOUND sectionlen. With sectionlen=0x40000008 + and UTF-8 encoding active the multiplication wraps to 27 while + the per-byte loop writes up to ~1B bytes, overflowing the heap. + Reachable when loading a crafted .spl file (e.g. via 'set spell' + after a modeline sets 'spelllang'). The cp/ap/crp allocations + have the same int + 1 overflow class (Daniel Cervera) +Solution: Use type size_t as buffer size and reject values larger than + COMPOUND_MAX_LEN (100000). Apply the same size_t treatment to + the cp/ap/crp allocations. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv + +Co-Authored-By: Claude Opus 4.7 (1M context) +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport [https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8] +CVE: CVE-2026-45130 +Signed-off-by: Hitendra Prajapati +--- + src/spellfile.c | 20 ++++++++++++++------ + src/testdir/test_spellfile.vim | 4 ++++ + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/src/spellfile.c b/src/spellfile.c +index a9a347a89a..5102dad5b6 100644 +--- a/src/spellfile.c ++++ b/src/spellfile.c +@@ -290,6 +290,9 @@ + #define CF_WORD 0x01 + #define CF_UPPER 0x02 + ++// Max allowed length for COMPOUND section ++#define COMPOUND_MAX_LEN 100000 ++ + /* + * Loop through all the siblings of a node (including the node) + */ +@@ -1219,6 +1222,8 @@ read_compound(FILE *fd, slang_T *slang, int len) + char_u *crp; + int cnt; + garray_T *gap; ++ size_t patsize; ++ size_t flagsize; + + if (todo < 2) + return SP_FORMERROR; // need at least two bytes +@@ 
-1275,16 +1280,19 @@ read_compound(FILE *fd, slang_T *slang, int len) + // "a[bc]/a*b+" -> "^\(a[bc]\|a*b\+\)$". + // Inserting backslashes may double the length, "^\(\)$" is 7 bytes. + // Conversion to utf-8 may double the size. +- c = todo * 2 + 7; ++ if ((size_t)todo > COMPOUND_MAX_LEN) ++ return SP_FORMERROR; ++ patsize = (size_t)todo * 2 + 7; + if (enc_utf8) +- c += todo * 2; +- pat = alloc(c); ++ patsize += (size_t)todo * 2; ++ flagsize = (size_t)todo + 1; ++ pat = alloc(patsize); + if (pat == NULL) + return SP_OTHERERROR; + + // We also need a list of all flags that can appear at the start and one + // for all flags. +- cp = alloc(todo + 1); ++ cp = alloc(flagsize); + if (cp == NULL) + { + vim_free(pat); +@@ -1293,7 +1301,7 @@ read_compound(FILE *fd, slang_T *slang, int len) + slang->sl_compstartflags = cp; + *cp = NUL; + +- ap = alloc(todo + 1); ++ ap = alloc(flagsize); + if (ap == NULL) + { + vim_free(pat); +@@ -1305,7 +1313,7 @@ read_compound(FILE *fd, slang_T *slang, int len) + // And a list of all patterns in their original form, for checking whether + // compounding may work in match_compoundrule(). This is freed when we + // encounter a wildcard, the check doesn't work then. +- crp = alloc(todo + 1); ++ crp = alloc(flagsize); + slang->sl_comprules = crp; + + pp = pat; +diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim +index f46a25d99e..8f3ef4907d 100644 +--- a/src/testdir/test_spellfile.vim ++++ b/src/testdir/test_spellfile.vim +@@ -334,6 +334,10 @@ func Test_spellfile_format_error() + " SN_COMPOUND: incorrect comppatlen + call Spellfile_Test(0z080000000007040101000000020165, 'E758:') + ++ " SN_COMPOUND: oversized sectionlen ++ let v = eval('0z08004000000803010161' .. repeat('61', 50) .. 'FF') ++ call Spellfile_Test(v, 'E759:') ++ + " SN_INFO: missing info + call Spellfile_Test(0z0F0000000005040101, '') + +-- +2.34.1 + 
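
Review bot: In CVE-2026-45130.patch, the COMPOUND_MAX_LEN bound added to read_compound() is a behaviour change documented only by the one-line comment above the #define. Any .spl file that leaves more than 100000 in todo at the allocation site is now rejected with SP_FORMERROR, and the comment gives neither the unit nor the reason for the value; one sentence saying it is a byte count, and that it keeps todo * 4 + 7 from wrapping, would help the next reader. The added test feeds only the 0x40000008 length from the advisory, so nothing pins the boundary (exactly COMPOUND_MAX_LEN accepted, one more rejected) against a later change of ">" to ">=". For the recipe, this file puts Upstream-Status before CVE: while both files in 1/3 put CVE: first; pick one order across the series.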
diff --git a/meta/recipes-support/vim/files/CVE-2026-46483.patch b/meta/recipes-support/vim/files/CVE-2026-46483.patch new file mode 100644 index 0000000000..72167d4c25 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-46483.patch 
@@ -0,0 +1,77 @@ +From 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Thu, 14 May 2026 15:35:28 +0000 +Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection + in tar plugin + +Problem: [security]: runtime(tar): command injection in tar plugin + (Christopher Lusk) +Solution: Use the correct shellescape(args, 1) form for a :! command + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w + +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport [https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1] +CVE: CVE-2026-46483 +Signed-off-by: Hitendra Prajapati +--- + runtime/autoload/tar.vim | 5 +++-- + src/testdir/test_plugin_tar.vim | 19 +++++++++++++++++++ + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim +index 722a0ab680..d2db9d3b18 100644 +--- a/runtime/autoload/tar.vim ++++ b/runtime/autoload/tar.vim +@@ -23,6 +23,7 @@ + " 2026 Apr 06 by Vim Project: fix bugs with lz4 support (#19925) + " 2026 Apr 09 by Vim Project: fix bugs with zstd support (#19930) + " 2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930) ++" 2026 May 14 by Vim Project: use correct shellescape() call in Vimuntar() + " + " Contains many ideas from Michael Toren's + " +@@ -812,9 +813,9 @@ fun! tar#Vimuntar(...) 
+ " if necessary, decompress the tarball; then, extract it + if tartail =~ '\.tgz' + if executable("gunzip") +- silent exe "!gunzip ".shellescape(tartail) ++ silent exe "!gunzip ".shellescape(tartail, 1) + elseif executable("gzip") +- silent exe "!gzip -d ".shellescape(tartail) ++ silent exe "!gzip -d ".shellescape(tartail, 1) + else + echoerr "unable to decompress<".tartail."> on this system" + if simplify(curdir) != simplify(tarhome) +diff --git a/src/testdir/test_plugin_tar.vim b/src/testdir/test_plugin_tar.vim +index 80b7a76d6d..f1ee9130c6 100644 +--- a/src/testdir/test_plugin_tar.vim ++++ b/src/testdir/test_plugin_tar.vim +@@ -313,3 +313,22 @@ def g:Test_extract_with_dotted_filename() + delete('X.txt') + bw! + enddef ++ ++def g:Test_extract_command_injection() ++ CheckExecutable gunzip ++ CheckExecutable touch ++ var tgz = eval('0z1F8B08087795056A000364756D6D792E74617200EDCE2B12C2300004D01C254' .. ++ '7480269CE534080A8495BD1DBF3996106C3A08A7ACFACD8157B59A7690BFB4A0FC3707C666E357D' .. ++ 'E65BC8B5A47CC8A5D61A522EA5B510D3CEBF5ED679197B8CE17CEDB7F9D4C76FBB5F3D000000000' .. ++ '000000000FCD11D32415E2C00280000') ++ var dirname = tempname() ++ ++ mkdir(dirname, 'R') ++ var tar = dirname .. "/';%$(touch pwned)'.tgz" ++ writefile(tgz, tar) ++ new ++ exe "e " .. fnameescape(tar) ++ exe ":Vimuntar " .. dirname ++ assert_false(filereadable(dirname .. "/pwned")) ++ bw! ++enddef +-- +2.34.1 + diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index efd24650f4..6eafc53c74 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc 
@@ -18,6 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://no-path-adjust.patch \ file://CVE-2026-44656.patch \ file://CVE-2026-41411.patch \ + file://CVE-2026-45130.patch \ + file://CVE-2026-46483.patch \ " PV .= ".0340"

From patchwork Tue Jun 30 04:43:41 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Hitendra Prajapati
X-Patchwork-Id: 91327
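
Review bot: In CVE-2026-46483.patch (PATCH 2/3), the runtime/autoload/tar.vim hunk changes only the two shellescape() calls in the '\.tgz' branch of tar#Vimuntar(), and it does not show the extraction command that follows the "then, extract it" comment. Before taking the backport, check that every other :! command in that function, and any other one built from tartail in the file, also uses the shellescape(arg, 1) form the commit message calls correct. The new test is guarded by "CheckExecutable gunzip", so the "gzip -d" fallback changed in the same hunk is never exercised; a second case, or a comment saying that branch is covered by inspection only, would close that gap.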
From: Hitendra Prajapati
To: openembedded-core@lists.openembedded.org
Cc: Hitendra Prajapati
Subject: [wrynose][PATCH 3/3] vim: Fix for CVE-2026-52858,CVE-2026-52859,CVE-2026-52860
Date: Tue, 30 Jun 2026 10:13:41 +0530
Message-ID: <20260630044343.12138-3-hprajapati@mvista.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260630044343.12138-1-hprajapati@mvista.com>
References: <20260630044343.12138-1-hprajapati@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239837

Pick patch from [1], [2] & [3] also mentioned at NVD report in [4,5 & 6]

[1] https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d
[2] https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19
[3] https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-52858
[5] https://nvd.nist.gov/vuln/detail/CVE-2026-52859
[6] https://nvd.nist.gov/vuln/detail/CVE-2026-52860

Signed-off-by: Hitendra Prajapati
---
 .../vim/files/CVE-2026-52858.patch | 167 +++++++
 .../vim/files/CVE-2026-52859.patch | 274 +++++++++++
 .../vim/files/CVE-2026-52860.patch | 446 ++++++++++++++++++
 meta/recipes-support/vim/vim.inc | 3 +
 4 files changed, 890 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-52858.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-52859.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-52860.patch

diff --git a/meta/recipes-support/vim/files/CVE-2026-52858.patch b/meta/recipes-support/vim/files/CVE-2026-52858.patch new file mode 100644 index 0000000000..38d477eeb9 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-52858.patch
@@ -0,0 +1,167 @@ +From 4b850457e12e1a678dd209f2868154f7553cbf8d Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Fri, 29 May 2026 19:05:53 +0000 +Subject: [PATCH] patch 9.2.0561: [security]: possible code execution with + python3complete + +Problem: [security]: possible code execution with python3complete +Solution: Disable execution of import/from statements + +Github Security Advisory: +https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c + +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport [https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d] +CVE: CVE-2026-52858 +Signed-off-by: Hitendra Prajapati +--- + runtime/autoload/README.txt | 1 + + runtime/autoload/python3complete.vim | 17 ++++++++++++++--- + runtime/autoload/pythoncomplete.vim | 17 ++++++++++++++--- + runtime/doc/filetype.txt | 15 ++++++++++++++- + 4 files changed, 43 insertions(+), 7 deletions(-) + +diff --git a/runtime/autoload/README.txt b/runtime/autoload/README.txt +index 3b18d3dde5..b22581963e 100644 +--- a/runtime/autoload/README.txt ++++ b/runtime/autoload/README.txt +@@ -17,6 +17,7 @@ htmlcomplete.vim HTML + javascriptcomplete.vim Javascript + phpcomplete.vim PHP + pythoncomplete.vim Python ++python3complete.vim Python + rubycomplete.vim Ruby + syntaxcomplete.vim from syntax highlighting + xmlcomplete.vim XML (uses files in the xml directory) +diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim +index 3e54433f41..2b6a652525 100644 +--- a/runtime/autoload/python3complete.vim ++++ b/runtime/autoload/python3complete.vim +@@ -14,6 +14,10 @@ + " i.e. "import url" + " Continue parsing on invalid line?? 
+ " ++" v 0.10 by Vim project ++" * disables importing local modules, unless the global Vim variable ++" g:pythoncomplete_allow_import is set to non-zero ++" + " v 0.9 + " * Fixed docstring parsing for classes and functions + " * Fixed parsing of *args and **kwargs type arguments +@@ -132,11 +136,20 @@ class Completer(object): + + def evalsource(self,text,line=0): + sc = self.parser.parse(text,line) ++ try: allow_imports = int( ++ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)")) ++ except Exception: ++ allow_imports = 0 + src = sc.get_code() + dbg("source: %s" % src) + try: exec(src,self.compldict) + except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1])) + for l in sc.locals: ++ # Executing import/from statements harvested from the buffer runs ++ # arbitrary package code; only do so when the user opted in. ++ if not allow_imports and (l.startswith('import') ++ or l.startswith('from ')): ++ continue + try: exec(l,self.compldict) + except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l)) + +@@ -300,13 +313,11 @@ class Scope(object): + def get_code(self): + str = "" + if len(self.docstr) > 0: str += '"""'+self.docstr+'"""\n' +- for l in self.locals: +- if l.startswith('import'): str += l+'\n' + str += 'class _PyCmplNoType:\n def __getattr__(self,name):\n return None\n' + for sub in self.subscopes: + str += sub.get_code() + for l in self.locals: +- if not l.startswith('import'): str += l+'\n' ++ if not l.startswith('import') and not l.startswith('from '): str += l+'\n' + + return str + +diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim +index aa28bb721f..10147767ef 100644 +--- a/runtime/autoload/pythoncomplete.vim ++++ b/runtime/autoload/pythoncomplete.vim +@@ -12,6 +12,10 @@ + " i.e. "import url" + " Continue parsing on invalid line?? 
+ " ++" v 0.10 by Vim project ++" * disables importing local modules, unless the global Vim variable ++" g:pythoncomplete_allow_import is set to non-zero ++" + " v 0.9 + " * Fixed docstring parsing for classes and functions + " * Fixed parsing of *args and **kwargs type arguments +@@ -146,11 +150,20 @@ class Completer(object): + + def evalsource(self,text,line=0): + sc = self.parser.parse(text,line) ++ try: allow_imports = int( ++ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)")) ++ except Exception: ++ allow_imports = 0 + src = sc.get_code() + dbg("source: %s" % src) + try: exec(src) in self.compldict + except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1])) + for l in sc.locals: ++ # Executing import/from statements harvested from the buffer runs ++ # arbitrary package code; only do so when the user opted in. ++ if not allow_imports and (l.startswith('import') ++ or l.startswith('from ')): ++ continue + try: exec(l) in self.compldict + except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l)) + +@@ -315,13 +328,11 @@ class Scope(object): + def get_code(self): + str = "" + if len(self.docstr) > 0: str += '"""'+self.docstr+'"""\n' +- for l in self.locals: +- if l.startswith('import'): str += l+'\n' + str += 'class _PyCmplNoType:\n def __getattr__(self,name):\n return None\n' + for sub in self.subscopes: + str += sub.get_code() + for l in self.locals: +- if not l.startswith('import'): str += l+'\n' ++ if not l.startswith('import') and not l.startswith('from '): str += l+'\n' + + return str + +diff --git a/runtime/doc/filetype.txt b/runtime/doc/filetype.txt +index 461f801ccc..24d833cd54 100644 +--- a/runtime/doc/filetype.txt ++++ b/runtime/doc/filetype.txt +@@ -982,7 +982,20 @@ By default the following options are set, in accordance with PEP8: > + To disable this behavior, set the following variable in your vimrc: > + + let g:python_recommended_style = 0 +- ++< ++Python omni-completion |compl-omni| is provided by 
python3complete.vim (or ++pythoncomplete.vim) for Vim builds with the |+python|/|+python3| interpreter. ++By default it does not inspect the import / from statements found in the ++buffer. This means completion of names defined in the buffer itself (classes, ++functions, variables) works, but completion of members of imported modules is ++not offered. ++ ++To enable completion of imported module members, set: > ++ let g:pythoncomplete_allow_import = 1 ++< ++WARNING: enabling this causes omni-completion to execute the import statements ++found in the buffer through Python's import machinery, which runs the imported ++modules' top-level code. Only enable this for code you trust. + + QF QUICKFIX *qf.vim* *ft-qf-plugin* + +-- +2.34.1 + diff --git a/meta/recipes-support/vim/files/CVE-2026-52859.patch b/meta/recipes-support/vim/files/CVE-2026-52859.patch new file mode 100644 index 0000000000..7a91dab496 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-52859.patch 
@@ -0,0 +1,274 @@ +From 63680c6d3d52477817b49cd1a66e7aabe8a7aa19 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Sat, 30 May 2026 16:34:40 +0000 +Subject: [PATCH] patch 9.2.0565: [security]: out-of-bounds read in + update_snapshot() + +Problem: Out-of-bounds read in update_snapshot() when a terminal cell + fills all VTERM_MAX_CHARS_PER_CELL slots (a base character + plus five combining marks): the loop over cell.chars[] has no + upper bound and libvterm leaves the array unterminated when full, so + it reads past the array and appends out-of-bounds values to a + buffer sized for only VTERM_MAX_CHARS_PER_CELL characters. +Solution: Bound the loop with i < VTERM_MAX_CHARS_PER_CELL, mirroring + the loop in handle_pushline() (Christian Brabandt). + +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport [https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19] +CVE: CVE-2026-52859 +Signed-off-by: Hitendra Prajapati +--- + src/terminal.c | 3 +- + src/testdir/samples/combining_chars.txt | 200 ++++++++++++++++++++++++ + src/testdir/test_terminal3.vim | 15 ++ + 3 files changed, 217 insertions(+), 1 deletion(-) + create mode 100644 src/testdir/samples/combining_chars.txt + +diff --git a/src/terminal.c b/src/terminal.c +index 6a9c286e29..f42125bf22 100644 +--- a/src/terminal.c ++++ b/src/terminal.c +@@ -2265,7 +2265,8 @@ update_snapshot(term_T *term) + int i; + int c; + +- for (i = 0; (c = cell.chars[i]) > 0 || i == 0; ++i) ++ for (i = 0; i < VTERM_MAX_CHARS_PER_CELL && ++ ((c = cell.chars[i]) > 0 || i == 0); ++i) + ga.ga_len += utf_char2bytes(c == NUL ? 
' ' : c, + (char_u *)ga.ga_data + ga.ga_len); + } +diff --git a/src/testdir/samples/combining_chars.txt b/src/testdir/samples/combining_chars.txt +new file mode 100644 +index 0000000000..d9a3c171fb +--- /dev/null ++++ b/src/testdir/samples/combining_chars.txt +@@ -0,0 +1,200 @@ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ +diff --git a/src/testdir/test_terminal3.vim b/src/testdir/test_terminal3.vim +index 04c7c925e3..738a4c6284 
100644 +--- a/src/testdir/test_terminal3.vim ++++ b/src/testdir/test_terminal3.vim +@@ -1241,4 +1241,19 @@ func Test_terminal_csi_args_overflow() + call StopVimInTerminal(buf) + endfunc + ++func Test_terminal_output_combining_chars() ++ CheckUnix ++ new ++ let cmd = "cat samples/combining_chars.txt" ++ let buf = term_start(cmd, {'curwin': 1, 'term_finish': 'open', 'term_rows': 10, 'term_cols': 30}) ++ call WaitForAssert({-> assert_match('finished', term_getstatus(buf))}) ++ call TermWait(buf) ++ let lines = getbufline(buf, 1, '$') ++ " get byte lengths to confirm combining chars present ++ let lens = map(copy(lines), 'len(v:val)') ++ let expected = repeat([11], 190) + repeat([14], 10) ++ call assert_equal(expected, lens) ++ bw! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.34.1 + diff --git a/meta/recipes-support/vim/files/CVE-2026-52860.patch b/meta/recipes-support/vim/files/CVE-2026-52860.patch new file mode 100644 index 0000000000..1e370847f6 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-52860.patch 
@@ -0,0 +1,446 @@ +From c8c63673bc4253212820626aeeb75999d9a539d2 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Thu, 4 Jun 2026 21:06:09 +0000 +Subject: [PATCH] patch 9.2.0597: [security]: possible code execution with + python complete + +Problem: [security]: another possible code execution with python complete + (David Carliez) +Solution: Strip default expressions and annotations from generated + source for pythoncomplete and python3complete. + +Github Security Advisory: +https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468 + +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport [https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2] +CVE: CVE-2026-52860 +Signed-off-by: Hitendra Prajapati +--- + runtime/autoload/python3complete.vim | 43 +++- + runtime/autoload/pythoncomplete.vim | 43 +++- + src/testdir/Make_all.mak | 2 + + src/testdir/test_plugin_python3complete.vim | 224 ++++++++++++++++++++ + 4 files changed, 304 insertions(+), 8 deletions(-) + create mode 100644 src/testdir/test_plugin_python3complete.vim + +diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim +index 2b6a652525..c4ef19d82f 100644 +--- a/runtime/autoload/python3complete.vim ++++ b/runtime/autoload/python3complete.vim +@@ -1,8 +1,8 @@ + "python3complete.vim - Omni Completion for python + " Maintainer: + " Previous Maintainer: Aaron Griffin +-" Version: 0.9 +-" Last Updated: 2022 Mar 30 ++" Version: 0.10 ++" Last Updated: 2026 Jun 04 + " + " Roland Puntaier: this file contains adaptations for python3 and is parallel to pythoncomplete.vim + " +@@ -17,6 +17,11 @@ + " v 0.10 by Vim project + " * disables importing local modules, unless the global Vim variable + " g:pythoncomplete_allow_import is set to non-zero ++" * strip default values and annotations from function parameter lists ++" before exec(), and whitelist class base lists to dotted names: the ++" previous code passed buffer-supplied expressions to 
exec() which ++" Python evaluates at definition time, allowing arbitrary code ++" execution via crafted def/class headers + " + " v 0.9 + " * Fixed docstring parsing for classes and functions +@@ -100,6 +105,24 @@ warnings.simplefilter(action='ignore', category=FutureWarning) + + import sys, tokenize, io, types + from token import NAME, DEDENT, NEWLINE, STRING ++import re ++ ++# Used by Class.get_code(): a base class expression is only included in the ++# code passed to exec() if it is a pure dotted name (e.g. "Base", "mod.Base", ++# "pkg.sub.Cls"). Anything containing calls, subscripts, "=", ":" or other ++# operators is dropped, since exec()-ing it would evaluate buffer-supplied ++# expressions. See the security note in the file header. ++_DOTTED_NAME_RE = re.compile(r'^[A-Za-z_]\w*(\s*\.\s*[A-Za-z_]\w*)*$') ++ ++def _strip_param(p): ++ # Return the bare parameter name from a parameter spec harvested by ++ # _parenparse(), discarding any default value or annotation. Default ++ # values and annotations would otherwise be evaluated by exec() at ++ # function-definition time. Star prefixes ("*args", "**kw") and bare ++ # "*" / "/" are preserved as written. ++ p = p.split('=', 1)[0] ++ p = p.split(':', 1)[0] ++ return p.strip() + + debugstmts=[] + def dbg(s): debugstmts.append(s) +@@ -347,7 +370,13 @@ class Class(Scope): + return c + def get_code(self): + str = '%sclass %s' % (self.currentindent(),self.name) +- if len(self.supers) > 0: str += '(%s)' % ','.join(self.supers) ++ # Only include base class expressions that are pure dotted names. ++ # Anything else (calls, subscripts, conditionals, ...) is dropped ++ # because exec() would evaluate it at class-definition time. See ++ # the security note in the file header. 
++ safe_supers = [s.strip() for s in self.supers ++ if _DOTTED_NAME_RE.match(s.strip())] ++ if len(safe_supers) > 0: str += '(%s)' % ','.join(safe_supers) + str += ':\n' + if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n' + if len(self.subscopes) > 0: +@@ -364,8 +393,14 @@ class Function(Scope): + def copy_decl(self,indent=0): + return Function(self.name,self.params,indent, self.docstr) + def get_code(self): ++ # Strip default values and annotations from each parameter before ++ # joining: exec() evaluates these at definition time and a hostile ++ # buffer could otherwise execute arbitrary code via crafted def ++ # headers. See file header for details. ++ safe_params = [_strip_param(p) for p in self.params] ++ safe_params = [p for p in safe_params if p] + str = "%sdef %s(%s):\n" % \ +- (self.currentindent(),self.name,','.join(self.params)) ++ (self.currentindent(),self.name,','.join(safe_params)) + if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n' + str += "%spass\n" % self.childindent() + return str +diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim +index 10147767ef..39b1efd299 100644 +--- a/runtime/autoload/pythoncomplete.vim ++++ b/runtime/autoload/pythoncomplete.vim +@@ -1,8 +1,8 @@ + "pythoncomplete.vim - Omni Completion for python + " Maintainer: + " Previous Maintainer: Aaron Griffin +-" Version: 0.9 +-" Last Updated: 2020 Oct 9 ++" Version: 0.10 ++" Last Updated: 2026 Jun 04 + " + " Changes + " TODO: +@@ -15,6 +15,11 @@ + " v 0.10 by Vim project + " * disables importing local modules, unless the global Vim variable + " g:pythoncomplete_allow_import is set to non-zero ++" * strip default values and annotations from function parameter lists ++" before exec(), and whitelist class base lists to dotted names: the ++" previous code passed buffer-supplied expressions to exec() which ++" Python evaluates at definition time, allowing arbitrary code ++" execution via crafted 
def/class headers + " + " v 0.9 + " * Fixed docstring parsing for classes and functions +@@ -95,6 +100,24 @@ function! s:DefPython() + python << PYTHONEOF + import sys, tokenize, cStringIO, types + from token import NAME, DEDENT, NEWLINE, STRING ++import re ++ ++# Used by Class.get_code(): a base class expression is only included in the ++# code passed to exec() if it is a pure dotted name (e.g. "Base", "mod.Base", ++# "pkg.sub.Cls"). Anything containing calls, subscripts, "=", ":" or other ++# operators is dropped, since exec()-ing it would evaluate buffer-supplied ++# expressions. See the security note in the file header. ++_DOTTED_NAME_RE = re.compile(r'^[A-Za-z_]\w*(\s*\.\s*[A-Za-z_]\w*)*$') ++ ++def _strip_param(p): ++ # Return the bare parameter name from a parameter spec harvested by ++ # _parenparse(), discarding any default value or annotation. Default ++ # values and annotations would otherwise be evaluated by exec() at ++ # function-definition time. Star prefixes ("*args", "**kw") and bare ++ # "*" / "/" are preserved as written. ++ p = p.split('=', 1)[0] ++ p = p.split(':', 1)[0] ++ return p.strip() + + debugstmts=[] + def dbg(s): debugstmts.append(s) +@@ -362,7 +385,13 @@ class Class(Scope): + return c + def get_code(self): + str = '%sclass %s' % (self.currentindent(),self.name) +- if len(self.supers) > 0: str += '(%s)' % ','.join(self.supers) ++ # Only include base class expressions that are pure dotted names. ++ # Anything else (calls, subscripts, conditionals, ...) is dropped ++ # because exec() would evaluate it at class-definition time. See ++ # the security note in the file header. 
++ safe_supers = [s.strip() for s in self.supers ++ if _DOTTED_NAME_RE.match(s.strip())] ++ if len(safe_supers) > 0: str += '(%s)' % ','.join(safe_supers) + str += ':\n' + if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n' + if len(self.subscopes) > 0: +@@ -379,8 +408,14 @@ class Function(Scope): + def copy_decl(self,indent=0): + return Function(self.name,self.params,indent, self.docstr) + def get_code(self): ++ # Strip default values and annotations from each parameter before ++ # joining: exec() evaluates these at definition time and a hostile ++ # buffer could otherwise execute arbitrary code via crafted def ++ # headers. See file header for details. ++ safe_params = [_strip_param(p) for p in self.params] ++ safe_params = [p for p in safe_params if p] + str = "%sdef %s(%s):\n" % \ +- (self.currentindent(),self.name,','.join(self.params)) ++ (self.currentindent(),self.name,','.join(safe_params)) + if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n' + str += "%spass\n" % self.childindent() + return str +diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak +index f8c7f8bb46..b06d1af431 100644 +--- a/src/testdir/Make_all.mak ++++ b/src/testdir/Make_all.mak +@@ -250,6 +250,7 @@ NEW_TESTS = \ + test_plugin_man \ + test_plugin_matchparen \ + test_plugin_netrw \ ++ test_plugin_python3complete \ + test_plugin_osc52 \ + test_plugin_tar \ + test_plugin_termdebug \ +@@ -528,6 +529,7 @@ NEW_TESTS_RES = \ + test_plugin_man.res \ + test_plugin_matchparen.res \ + test_plugin_netrw.res \ ++ test_plugin_python3complete.res \ + test_plugin_osc52.res \ + test_plugin_tar.res \ + test_plugin_termdebug.res \ +diff --git a/src/testdir/test_plugin_python3complete.vim b/src/testdir/test_plugin_python3complete.vim +new file mode 100644 +index 0000000000..e2b0c6616d +--- /dev/null ++++ b/src/testdir/test_plugin_python3complete.vim +@@ -0,0 +1,224 @@ ++" Tests for the Python omni-completion plugin 
(runtime/autoload/python3complete.vim). ++" ++CheckFeature python3 ++ ++" Run omni-completion against the given buffer contents and assert that the ++" marker file was not created. Pre-patch behaviour exec()s reconstructed ++" def/class headers, which evaluates the buffer-supplied expression and ++" creates the marker file. Post-patch, the expressions are stripped. ++func s:CompleteAndExpectNoMarker(buffer_lines, marker_path, msg) ++ call delete(a:marker_path) ++ defer delete(a:marker_path) ++ let g:pythoncomplete_allow_import = 0 ++ new ++ setfiletype python ++ call setline(1, a:buffer_lines) ++ call cursor(line('$'), col([line('$'), '$'])) ++ ++ " The PoC trigger -- direct invocation of the omnifunc with an empty base. ++ " This is the same path Vim takes for CTRL-X CTRL-O. ++ silent! call python3complete#Complete(0, '') ++ ++ call assert_false(filereadable(a:marker_path), ++ \ a:msg . ' (marker ' . a:marker_path . ' was created)') ++ ++ bwipe! ++ unlet! g:pythoncomplete_allow_import ++endfunc ++ ++func Test_python3complete_no_exec_via_function_default() ++ let marker = tempname() ++ call s:CompleteAndExpectNoMarker([ ++ \ 'def f(x=open(' . string(marker) . ', "w").close()):', ++ \ ' pass', ++ \ 'f.', ++ \ ], marker, ++ \ 'function default expression was evaluated during omni-completion') ++endfunc ++ ++func Test_python3complete_no_exec_via_function_annotation() ++ let marker = tempname() ++ call s:CompleteAndExpectNoMarker([ ++ \ 'def f(x: open(' . string(marker) . ', "w").close()):', ++ \ ' pass', ++ \ 'f.', ++ \ ], marker, ++ \ 'function annotation expression was evaluated during omni-completion') ++endfunc ++ ++func Test_python3complete_no_exec_via_class_base() ++ let marker = tempname() ++ " "or object" gives the class a valid base after the side-effecting ++ " open().close() expression returns None. Without "or object" the ++ " exec would raise TypeError, but the file would still be created ++ " before the exception -- the assertion would still hold. 
Using ++ " "or object" keeps the buffer parseable as valid Python. ++ call s:CompleteAndExpectNoMarker([ ++ \ 'class Foo(open(' . string(marker) . ', "w").close() or object):', ++ \ ' pass', ++ \ 'Foo.', ++ \ ], marker, ++ \ 'class base expression was evaluated during omni-completion') ++endfunc ++ ++func Test_python3complete_no_exec_with_multiple_params() ++ " The strip must apply to every parameter, not just the first. ++ let marker = tempname() ++ call s:CompleteAndExpectNoMarker([ ++ \ 'def f(a, b=1, c=open(' . string(marker) . ', "w").close(), d=2):', ++ \ ' pass', ++ \ 'f.', ++ \ ], marker, ++ \ 'non-first parameter default was evaluated during omni-completion') ++endfunc ++ ++func Test_python3complete_no_exec_via_starargs_default() ++ " "*args" and "**kw" must still be preserved after stripping; ensure a ++ " default following them is also stripped. ++ let marker = tempname() ++ call s:CompleteAndExpectNoMarker([ ++ \ 'def f(*args, key=open(' . string(marker) . ', "w").close(), **kw):', ++ \ ' pass', ++ \ 'f.', ++ \ ], marker, ++ \ 'keyword-only default after *args was evaluated during omni-completion') ++endfunc ++ ++func Test_python3complete_normal_completion_still_works() ++ " Positive control: completion against a buffer with a legitimate class ++ " must still produce completion items. The stripping logic should not ++ " break the normal completion path. ++ let g:pythoncomplete_allow_import = 0 ++ ++ new ++ setfiletype python ++ call setline(1, [ ++ \ 'class MyHelper:', ++ \ ' def alpha(self): pass', ++ \ ' def beta(self): pass', ++ \ 'h = MyHelper()', ++ \ 'h.', ++ \ ]) ++ call cursor(5, 3) ++ ++ " First call returns the column to start completion at; second returns ++ " the list of completion items. ++ let start = python3complete#Complete(1, '') ++ call assert_true(start >= 0, ++ \ 'python3complete#Complete(1, "") returned ' . 
start) ++ ++ let items = python3complete#Complete(0, '') ++ " Items should be a list (possibly empty if the parser can't resolve "h", ++ " but should not be a parse error from our stripping changes). ++ call assert_equal(type([]), type(items), ++ \ 'python3complete#Complete(0, "") did not return a list') ++ ++ bwipe! ++ unlet! g:pythoncomplete_allow_import ++endfunc ++ ++func Test_python3complete_inherited_completion_via_dotted_base() ++ " Positive control for the class-base whitelist: a dotted-name base class ++ " (the common, safe case) must still be carried into the reconstructed ++ " source so that completion on a subclass can resolve inherited members. ++ let g:pythoncomplete_allow_import = 0 ++ ++ new ++ setfiletype python ++ call setline(1, [ ++ \ 'class Base:', ++ \ ' def shared(self): pass', ++ \ 'class Derived(Base):', ++ \ ' def own(self): pass', ++ \ 'd = Derived()', ++ \ 'd.', ++ \ ]) ++ call cursor(6, 3) ++ ++ let items = python3complete#Complete(0, '') ++ call assert_equal(type([]), type(items), ++ \ 'completion against a subclass with a dotted base did not return a list') ++ ++ bwipe! ++ unlet! g:pythoncomplete_allow_import ++endfunc ++ ++" Build a tiny Python module that creates a marker file as a side effect of ++" being imported, add its directory to sys.path, run omni-completion against ++" a buffer containing `import vimtest_marker_mod`, and report whether the ++" marker file was created. Used by the two allow_import tests below. ++func s:RunImportCompletion(allow_import_value) ++ let g:pythoncomplete_allow_import = a:allow_import_value ++ let marker = tempname() ++ let module_dir = tempname() ++ call mkdir(module_dir, 'R') ++ ++ call writefile([ ++ \ 'open(' . string(marker) . ', "w").close()', ++ \ ], module_dir . '/vimtest_marker_mod.py') ++ ++ defer delete(marker) ++ ++ " Pass module_dir to Python via a g: variable so vim.eval() can read it. 
++ let g:pythoncomplete_test_module_dir = module_dir ++ py3 << EOF ++import sys, vim ++_p = vim.eval('g:pythoncomplete_test_module_dir') ++if _p not in sys.path: ++ sys.path.insert(0, _p) ++# Drop any cached copy so the module body re-runs and the marker side ++# effect fires on import. ++sys.modules.pop('vimtest_marker_mod', None) ++EOF ++ ++ new ++ setfiletype python ++ call setline(1, [ ++ \ 'import vimtest_marker_mod', ++ \ 'vimtest_marker_mod.', ++ \ ]) ++ call cursor(2, 2) ++ ++ silent! call python3complete#Complete(0, '') ++ ++ let ran = filereadable(marker) ++ ++ bwipe! ++ unlet g:pythoncomplete_allow_import ++ ++ " Teardown: restore sys.path, drop the cached module so a subsequent ++ " test run starts clean, clean up the temp module dir. ++ py3 << EOF ++import sys, vim ++_p = vim.eval('g:pythoncomplete_test_module_dir') ++if _p in sys.path: ++ sys.path.remove(_p) ++sys.modules.pop('vimtest_marker_mod', None) ++EOF ++ unlet g:pythoncomplete_test_module_dir ++ call delete(module_dir, 'rf') ++ call delete(marker) ++ unlet! g:pythoncomplete_allow_import ++ ++ return ran ++endfunc ++ ++func Test_python3complete_allow_import_off_blocks_imports() ++ " GHSA-52mc-rq6p-rc7c mitigation: with the default flag value (0), an ++ " `import` line harvested from the buffer must NOT be exec()'d. The ++ " marker module's side effect (creating a file when its body runs) is ++ " the observable proof that the exec did or did not happen. ++ call assert_false(s:RunImportCompletion(0), ++ \ 'g:pythoncomplete_allow_import=0 did not block the buffer import') ++endfunc ++ ++func Test_python3complete_allow_import_on_runs_imports() ++ " Symmetric positive control: with the flag set to non-zero, the harvested ++ " import IS exec()'d and the module loads. Without this control the ++ " negative test above could pass for unrelated reasons (e.g. completion ++ " failing to parse the buffer at all). 
++ call assert_true(s:RunImportCompletion(1), ++ \ 'g:pythoncomplete_allow_import=1 did not run the buffer import') ++endfunc ++ ++" vim: shiftwidth=2 sts=2 expandtab +-- +2.34.1 + diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 6eafc53c74..e34cc17fe5 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -20,6 +20,9 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://CVE-2026-41411.patch \ file://CVE-2026-45130.patch \ file://CVE-2026-46483.patch \ + file://CVE-2026-52858.patch \ + file://CVE-2026-52859.patch \ + file://CVE-2026-52860.patch \ " PV .= ".0340"
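Review bot: in the evalsource() hunk of runtime/autoload/python3complete.vim (CVE-2026-52858.patch), the new filter tests l.startswith('import') without a trailing space but l.startswith('from ') with one, so a harvested local whose text merely begins with "import" (an assignment to a name such as imports, for example) is skipped together with real import statements when g:pythoncomplete_allow_import is 0. Scope.get_code() uses the same prefix to keep those lines out of src, so such a name is no longer executed anywhere and drops out of completion. Suggest matching 'import ' with the space, or one anchored pattern for both keywords, and sharing a single helper between evalsource() and get_code() so the two checks cannot drift apart. Falling back to allow_imports = 0 when vim.eval() raises fails closed and should stay that way.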
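Review bot: the runtime/doc/filetype.txt hunk documents g:pythoncomplete_allow_import without a help tag, so :help g:pythoncomplete_allow_import will not find it. Suggest adding a *g:pythoncomplete_allow_import* tag next to the new paragraph, and stating that this is a change in default behaviour, since users who relied on completion of imported module members lose it until they set the variable.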
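Review bot: in the update_snapshot() hunk of src/terminal.c (CVE-2026-52859.patch), the reason for the new i < VTERM_MAX_CHARS_PER_CELL bound exists only in the commit message. A short comment above the loop saying that libvterm leaves cell.chars[] unterminated when all slots are used, and that the loop mirrors handle_pushline(), would stop the bound from being simplified away later. Placing the bound before the read of cell.chars[i] is correct, because the && short-circuits before the array is indexed.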
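Review bot: in Test_terminal_output_combining_chars() (src/testdir/test_terminal3.vim), the expected values repeat([11], 190) + repeat([14], 10) are unexplained magic numbers, and the existing comment only says that byte lengths are taken. Suggest a comment deriving both values from the lines in samples/combining_chars.txt. The assertion compares byte lengths only, so it detects the old unbounded loop only when the memory after cell.chars[] happens to be non-zero; noting that the test is mainly meaningful under a memory checker would set the right expectation.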
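Review bot: in the _strip_param() hunk of runtime/autoload/python3complete.vim (CVE-2026-52860.patch), parameters are sanitised by cutting at the first '=' or ':' while class bases are whitelisted with _DOTTED_NAME_RE, and the text left in front of the cut is never checked to be a plain name. Suggest validating the stripped result against an identifier pattern (optionally prefixed by * or **, plus bare * and /) and dropping anything else, so that both paths into exec() use the same allow-list approach. A dbg() call for dropped parameters and bases would also help when completion silently loses a signature.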
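Review bot: the runtime/autoload/pythoncomplete.vim hunks of CVE-2026-52860.patch copy _DOTTED_NAME_RE, _strip_param() and both get_code() changes verbatim from python3complete.vim, but the new test file starts with CheckFeature python3 and only calls python3complete#Complete(), so the Python 2 copy has no coverage. Suggest either a matching test guarded by CheckFeature python, or a comment in both files saying the helpers must be kept identical.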
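Review bot: in src/testdir/Make_all.mak, test_plugin_python3complete is inserted between test_plugin_netrw and test_plugin_osc52 in NEW_TESTS and NEW_TESTS_RES, which breaks the alphabetical order of the lists. It belongs after test_plugin_osc52 in both places.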
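Review bot: in src/testdir/test_plugin_python3complete.vim, s:CompleteAndExpectNoMarker() runs the omnifunc under silent! and asserts only that the marker file is absent, so the five no_exec tests also pass if completion aborts before reaching exec() at all. The import tests have a symmetric positive control for that reason, but the def/class header tests do not; suggest also asserting in the helper that the call returned a list. The two positive-control tests check only type([]) and accept an empty list, so they would not notice completion that stopped offering alpha, beta or the inherited shared; assert on the returned item words instead. In s:RunImportCompletion() the cleanup is duplicated: mkdir(module_dir, 'R') plus delete(module_dir, 'rf'), defer delete(marker) plus call delete(marker), and unlet followed by unlet! on the same variable.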
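Review bot: in the meta/recipes-support/vim/vim.inc hunk, CVE-2026-52860.patch has to stay after CVE-2026-52858.patch in SRC_URI, and nothing in the recipe records that. The 52860 hunks for python3complete.vim and pythoncomplete.vim use the "v 0.10 by Vim project" header lines added by 52858 as context and start from index 2b6a652525 and 10147767ef, the blobs 52858 produces. A one-line comment above the three entries would keep a later reorder or removal from breaking do_patch.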