import CS git vim-8.0.1763-27.el8_10
This commit is contained in:
parent
7eafbd7e98
commit
01a7da4d65
@ -0,0 +1,37 @@
|
||||
From 448ae03067c85a48c9c73517fb9f7046be3ed200 Mon Sep 17 00:00:00 2001
|
||||
From: RHEL Packaging Agent <redhat-ymir-agent@redhat.com>
|
||||
Date: Wed, 3 Jun 2026 10:56:51 +0000
|
||||
Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection
|
||||
in tar plugin
|
||||
|
||||
Problem: [security]: runtime(tar): command injection in tar plugin
|
||||
(Christopher Lusk)
|
||||
Solution: Use the correct shellescape(args, 1) form for a :! command
|
||||
|
||||
Github Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
---
|
||||
runtime/autoload/tar.vim | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
|
||||
index e320b9a..b60e94a 100644
|
||||
--- a/runtime/autoload/tar.vim
|
||||
+++ b/runtime/autoload/tar.vim
|
||||
@@ -588,9 +588,9 @@ fun! tar#Vimuntar(...)
|
||||
" if necessary, decompress the tarball; then, extract it
|
||||
if tartail =~ '\.tgz'
|
||||
if executable("gunzip")
|
||||
- silent exe "!gunzip ".shellescape(tartail)
|
||||
+ silent exe "!gunzip ".shellescape(tartail, 1)
|
||||
elseif executable("gzip")
|
||||
- silent exe "!gzip -d ".shellescape(tartail)
|
||||
+ silent exe "!gzip -d ".shellescape(tartail, 1)
|
||||
else
|
||||
echoerr "unable to decompress<".tartail."> on this sytem"
|
||||
if simplify(curdir) != simplify(tarhome)
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -0,0 +1,77 @@
|
||||
From 458f4aac609d31b2e6108c9883221168cf4d0b28 Mon Sep 17 00:00:00 2001
|
||||
From: RHEL Packaging Agent <redhat-ymir-agent@redhat.com>
|
||||
Date: Tue, 23 Jun 2026 20:47:37 +0000
|
||||
Subject: [PATCH] patch 9.2.0495: [security]: runtime(netrw): code injection
|
||||
via NetrwBookHistSave()
|
||||
|
||||
Problem: [security]: runtime(netrw): code injection via
|
||||
NetrwBookHistSave()
|
||||
Solution: Properly quote the directory name using string() function
|
||||
(Srinivas Piskala Ganesh Babu)
|
||||
|
||||
Adapted for vim 8.0: netrw.vim is at runtime/autoload/netrw.vim,
|
||||
setline uses (cnt+lastline) instead of lastline, loop uses while
|
||||
instead of for. Stripped src/version.c and Last Change comment.
|
||||
Created minimal test_plugin_netrw.vim with only the injection test.
|
||||
---
|
||||
runtime/autoload/netrw.vim | 2 +-
|
||||
src/testdir/Make_all.mak | 1 +
|
||||
src/testdir/test_plugin_netrw.vim | 21 +++++++++++++++++++++
|
||||
3 files changed, 23 insertions(+), 1 deletion(-)
|
||||
create mode 100644 src/testdir/test_plugin_netrw.vim
|
||||
|
||||
diff --git a/runtime/autoload/netrw.vim b/runtime/autoload/netrw.vim
|
||||
index 89f749c..7534467 100644
|
||||
--- a/runtime/autoload/netrw.vim
|
||||
+++ b/runtime/autoload/netrw.vim
|
||||
@@ -3558,7 +3558,7 @@ fun! s:NetrwBookHistSave()
|
||||
let lastline = line("$")
|
||||
let cnt = 1
|
||||
while cnt <= g:netrw_dirhist_cnt
|
||||
- call setline((cnt+lastline),'let g:netrw_dirhist_'.cnt."='".g:netrw_dirhist_{cnt}."'")
|
||||
+ call setline((cnt+lastline),'let g:netrw_dirhist_'.cnt.'='.string(g:netrw_dirhist_{cnt}))
|
||||
let cnt= cnt + 1
|
||||
endwhile
|
||||
exe "sil! w! ".savefile
|
||||
diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak
|
||||
index 5f1c38c..4b34928 100644
|
||||
--- a/src/testdir/Make_all.mak
|
||||
+++ b/src/testdir/Make_all.mak
|
||||
@@ -145,6 +145,7 @@ NEW_TESTS = test_arabic.res \
|
||||
test_packadd.res \
|
||||
test_paste.res \
|
||||
test_perl.res \
|
||||
+ test_plugin_netrw.res \
|
||||
test_plus_arg_edit.res \
|
||||
test_preview.res \
|
||||
test_profile.res \
|
||||
diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim
|
||||
new file mode 100644
|
||||
index 0000000..737617f
|
||||
--- /dev/null
|
||||
+++ b/src/testdir/test_plugin_netrw.vim
|
||||
@@ -0,0 +1,21 @@
|
||||
+source shared.vim
|
||||
+
|
||||
+func Test_netrw_injection()
|
||||
+ let g:netrw_home = getcwd()
|
||||
+ let savefile = g:netrw_home . '/.netrwhist'
|
||||
+ let g:netrw_dirhistmax = 10
|
||||
+ let g:netrw_dirhist_cnt = 1
|
||||
+ let g:netrw_dirhist_1 = "x'|let g:injected = 1|let y='z"
|
||||
+ call delete(savefile)
|
||||
+ try
|
||||
+ call netrw#Call('NetrwBookHistSave')
|
||||
+ call assert_true(filereadable(savefile), savefile . ' must be written')
|
||||
+ unlet g:netrw_dirhist_1
|
||||
+ execute 'source ' . fnameescape(savefile)
|
||||
+ call assert_false(exists("g:injected"), 'injected statement must not execute')
|
||||
+ call assert_equal("x'|let g:injected = 1|let y='z", g:netrw_dirhist_1, 'dirname must round-trip')
|
||||
+ finally
|
||||
+ call delete(savefile)
|
||||
+ unlet! g:netrw_home g:netrw_dirhistmax g:netrw_dirhist_cnt g:netrw_dirhist_1 g:injected
|
||||
+ endtry
|
||||
+endfunc
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -0,0 +1,77 @@
|
||||
From ea20c181c76ef339b5cf1ae02ce3f7593c57d14d Mon Sep 17 00:00:00 2001
|
||||
From: Christian Brabandt <cb@256bit.org>
|
||||
Date: Sun, 17 May 2026 19:39:24 +0000
|
||||
Subject: [PATCH] patch 9.2.0496: [security]: Code Injection in cucumber
|
||||
filetype plugin
|
||||
|
||||
Problem: [security]: Code Injection in cucumber filetype plugin
|
||||
(Christopher Lusk)
|
||||
Solution: Use rubys Regexp.new() with the untrusted pattern
|
||||
|
||||
Github Security Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
---
|
||||
runtime/ftplugin/cucumber.vim | 3 ++-
|
||||
src/testdir/test_filetype.vim | 33 +++++++++++++++++++++++++++++++++
|
||||
2 files changed, 35 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/runtime/ftplugin/cucumber.vim b/runtime/ftplugin/cucumber.vim
|
||||
index f4848d1..3361f1d 100644
|
||||
--- a/runtime/ftplugin/cucumber.vim
|
||||
+++ b/runtime/ftplugin/cucumber.vim
|
||||
@@ -96,7 +96,8 @@ function! s:stepmatch(receiver,target)
|
||||
catch
|
||||
endtry
|
||||
if has("ruby") && pattern !~ '\\\@<!#{'
|
||||
- ruby VIM.command("return #{if (begin; Kernel.eval('/'+VIM.evaluate('pattern')+'/'); rescue SyntaxError; end) === VIM.evaluate('a:target') then 1 else 0 end}")
|
||||
+ " Use Regexp.new, so the pattern stays untrusted data and cannot inject Ruby
|
||||
+ ruby VIM.command("return #{if (begin; Regexp.new(VIM.evaluate('pattern')); rescue RegexpError; end) === VIM.evaluate('a:target') then 1 else 0 end}")
|
||||
else
|
||||
return 0
|
||||
endif
|
||||
diff --git a/src/testdir/test_filetype.vim b/src/testdir/test_filetype.vim
|
||||
index 62dbc74..e484d2f 100644
|
||||
--- a/src/testdir/test_filetype.vim
|
||||
+++ b/src/testdir/test_filetype.vim
|
||||
@@ -595,3 +595,36 @@ func Test_script_detection()
|
||||
filetype off
|
||||
endfunc
|
||||
|
||||
+func Test_cucumber_code_injection()
|
||||
+ if !has('ruby')
|
||||
+ return
|
||||
+ endif
|
||||
+ filetype plugin on
|
||||
+
|
||||
+ call mkdir('Xcucu/features/step_definitions', 'p')
|
||||
+ call writefile([
|
||||
+ \ 'Feature: demo',
|
||||
+ \ ' Scenario: trigger',
|
||||
+ \ ' Given xyzzy',
|
||||
+ \ ], 'Xcucu/features/test.feature')
|
||||
+ let marker = getcwd() . '/Xcucu/MARKER'
|
||||
+ " Malicious step: terminates the regex literal, injects Ruby system(),
|
||||
+ " comments the trailing slash. With the fix, the pattern is passed to
|
||||
+ " Regexp.new() instead of Kernel.eval() and the payload is inert.
|
||||
+ call writefile([
|
||||
+ \ 'Given /xyzzy/; system("touch ' . marker . '"); #/ do',
|
||||
+ \ 'end',
|
||||
+ \ ], 'Xcucu/features/step_definitions/poc.rb')
|
||||
+
|
||||
+ new Xcucu/features/test.feature
|
||||
+ call assert_equal('cucumber', &filetype)
|
||||
+ call cursor(3, 1)
|
||||
+ " Triggers s:jump -> s:steps -> s:stepmatch on every discovered step,
|
||||
+ " including the malicious one. Suppress preview and error messages.
|
||||
+ silent! normal [d
|
||||
+ call assert_false(filereadable(marker), 'Ruby injection executed')
|
||||
+ bwipe!
|
||||
+ call delete('Xcucu', 'rf')
|
||||
+ filetype plugin off
|
||||
+endfunc
|
||||
+
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -0,0 +1,141 @@
|
||||
From d883881dfd546a59763be7bb253ac1165b6b5256 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Brabandt <cb@256bit.org>
|
||||
Date: Fri, 29 May 2026 19:05:53 +0000
|
||||
Subject: [PATCH] patch 9.2.0561: [security]: possible code execution with
|
||||
python3complete
|
||||
|
||||
Problem: [security]: possible code execution with python3complete
|
||||
Solution: Disable execution of import/from statements
|
||||
|
||||
Github Security Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
---
|
||||
runtime/autoload/README.txt | 1 +
|
||||
runtime/autoload/python3complete.vim | 13 ++++++++++---
|
||||
runtime/autoload/pythoncomplete.vim | 13 ++++++++++---
|
||||
runtime/doc/filetype.txt | 15 ++++++++++++++-
|
||||
4 files changed, 35 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/runtime/autoload/README.txt b/runtime/autoload/README.txt
|
||||
index 3b18d3d..b225819 100644
|
||||
--- a/runtime/autoload/README.txt
|
||||
+++ b/runtime/autoload/README.txt
|
||||
@@ -17,6 +17,7 @@ htmlcomplete.vim HTML
|
||||
javascriptcomplete.vim Javascript
|
||||
phpcomplete.vim PHP
|
||||
pythoncomplete.vim Python
|
||||
+python3complete.vim Python
|
||||
rubycomplete.vim Ruby
|
||||
syntaxcomplete.vim from syntax highlighting
|
||||
xmlcomplete.vim XML (uses files in the xml directory)
|
||||
diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim
|
||||
index f0f3aad..5dcfb73 100644
|
||||
--- a/runtime/autoload/python3complete.vim
|
||||
+++ b/runtime/autoload/python3complete.vim
|
||||
@@ -128,11 +128,20 @@ class Completer(object):
|
||||
|
||||
def evalsource(self,text,line=0):
|
||||
sc = self.parser.parse(text,line)
|
||||
+ try: allow_imports = int(
|
||||
+ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
|
||||
+ except Exception:
|
||||
+ allow_imports = 0
|
||||
src = sc.get_code()
|
||||
dbg("source: %s" % src)
|
||||
try: exec(src,self.compldict)
|
||||
except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1]))
|
||||
for l in sc.locals:
|
||||
+ # Executing import/from statements harvested from the buffer runs
|
||||
+ # arbitrary package code; only do so when the user opted in.
|
||||
+ if not allow_imports and (l.startswith('import')
|
||||
+ or l.startswith('from ')):
|
||||
+ continue
|
||||
try: exec(l,self.compldict)
|
||||
except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l))
|
||||
|
||||
@@ -296,13 +305,11 @@ class Scope(object):
|
||||
def get_code(self):
|
||||
str = ""
|
||||
if len(self.docstr) > 0: str += '"""'+self.docstr+'"""\n'
|
||||
- for l in self.locals:
|
||||
- if l.startswith('import'): str += l+'\n'
|
||||
str += 'class _PyCmplNoType:\n def __getattr__(self,name):\n return None\n'
|
||||
for sub in self.subscopes:
|
||||
str += sub.get_code()
|
||||
for l in self.locals:
|
||||
- if not l.startswith('import'): str += l+'\n'
|
||||
+ if not l.startswith('import') and not l.startswith('from '): str += l+'\n'
|
||||
|
||||
return str
|
||||
|
||||
diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim
|
||||
index ecc3664..6f72b11 100644
|
||||
--- a/runtime/autoload/pythoncomplete.vim
|
||||
+++ b/runtime/autoload/pythoncomplete.vim
|
||||
@@ -145,11 +145,20 @@ class Completer(object):
|
||||
|
||||
def evalsource(self,text,line=0):
|
||||
sc = self.parser.parse(text,line)
|
||||
+ try: allow_imports = int(
|
||||
+ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
|
||||
+ except Exception:
|
||||
+ allow_imports = 0
|
||||
src = sc.get_code()
|
||||
dbg("source: %s" % src)
|
||||
try: exec(src) in self.compldict
|
||||
except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1]))
|
||||
for l in sc.locals:
|
||||
+ # Executing import/from statements harvested from the buffer runs
|
||||
+ # arbitrary package code; only do so when the user opted in.
|
||||
+ if not allow_imports and (l.startswith('import')
|
||||
+ or l.startswith('from ')):
|
||||
+ continue
|
||||
try: exec(l) in self.compldict
|
||||
except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l))
|
||||
|
||||
@@ -314,13 +323,11 @@ class Scope(object):
|
||||
def get_code(self):
|
||||
str = ""
|
||||
if len(self.docstr) > 0: str += '"""'+self.docstr+'"""\n'
|
||||
- for l in self.locals:
|
||||
- if l.startswith('import'): str += l+'\n'
|
||||
str += 'class _PyCmplNoType:\n def __getattr__(self,name):\n return None\n'
|
||||
for sub in self.subscopes:
|
||||
str += sub.get_code()
|
||||
for l in self.locals:
|
||||
- if not l.startswith('import'): str += l+'\n'
|
||||
+ if not l.startswith('import') and not l.startswith('from '): str += l+'\n'
|
||||
|
||||
return str
|
||||
|
||||
diff --git a/runtime/doc/filetype.txt b/runtime/doc/filetype.txt
|
||||
index a5f2a1c..8ebe52a 100644
|
||||
--- a/runtime/doc/filetype.txt
|
||||
+++ b/runtime/doc/filetype.txt
|
||||
@@ -641,7 +641,20 @@ By default the following options are set, in accordance with PEP8: >
|
||||
To disable this behaviour, set the following variable in your vimrc: >
|
||||
|
||||
let g:python_recommended_style = 0
|
||||
-
|
||||
+<
|
||||
+Python omni-completion |compl-omni| is provided by python3complete.vim (or
|
||||
+pythoncomplete.vim) for Vim builds with the |+python|/|+python3| interpreter.
|
||||
+By default it does not inspect the import / from statements found in the
|
||||
+buffer. This means completion of names defined in the buffer itself (classes,
|
||||
+functions, variables) works, but completion of members of imported modules is
|
||||
+not offered.
|
||||
+
|
||||
+To enable completion of imported module members, set: >
|
||||
+ let g:pythoncomplete_allow_import = 1
|
||||
+<
|
||||
+WARNING: enabling this causes omni-completion to execute the import statements
|
||||
+found in the buffer through Python's import machinery, which runs the imported
|
||||
+modules' top-level code. Only enable this for code you trust.
|
||||
|
||||
RPM SPEC *ft-spec-plugin*
|
||||
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -0,0 +1,87 @@
|
||||
From 864113433a67171b3292b9e9dc8ca0f1e4249529 Mon Sep 17 00:00:00 2001
|
||||
From: thinca <thinca@gmail.com>
|
||||
Date: Sun, 31 May 2026 12:33:07 +0000
|
||||
Subject: [PATCH] patch 9.2.0568: pythoncomplete: g:pythoncomplete_allow_import
|
||||
had no effect
|
||||
|
||||
Problem: The security patch 9.2.0561 added a vim.eval() call inside
|
||||
Completer.evalsource() to honor g:pythoncomplete_allow_import.
|
||||
But the 'vim' module is only imported inside the outer
|
||||
vimcomplete() / vimpy3complete() function, not at the script's
|
||||
top level, so referring to it from a Completer method raises
|
||||
NameError. The surrounding bare 'except' silently swallows
|
||||
the error and leaves allow_imports at 0, meaning the opt-in
|
||||
never takes effect -- 'import os' (and any other
|
||||
buffer-level import) is always skipped, no candidates are
|
||||
produced for 'os.<...>' and
|
||||
Test_popup_and_preview_autocommand() fails on the Windows
|
||||
CI matrix (Linux skips the test because Python 2 is absent).
|
||||
Solution: Re-import 'vim' at the top of evalsource() in both
|
||||
pythoncomplete.vim and python3complete.vim so the eval reads
|
||||
the global, and set g:pythoncomplete_allow_import = 1 in the
|
||||
test (it is the opt-in intended for callers that trust the
|
||||
buffer contents) (thinca).
|
||||
|
||||
closes: #20386
|
||||
|
||||
Signed-off-by: thinca <thinca@gmail.com>
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
---
|
||||
runtime/autoload/python3complete.vim | 3 +++
|
||||
runtime/autoload/pythoncomplete.vim | 3 +++
|
||||
src/testdir/test_popup.vim | 4 ++++
|
||||
3 files changed, 10 insertions(+)
|
||||
|
||||
diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim
|
||||
index 5dcfb73..cd8786d 100644
|
||||
--- a/runtime/autoload/python3complete.vim
|
||||
+++ b/runtime/autoload/python3complete.vim
|
||||
@@ -127,6 +127,9 @@ class Completer(object):
|
||||
self.parser = PyParser()
|
||||
|
||||
def evalsource(self,text,line=0):
|
||||
+ # vim is imported locally in vimpy3complete(); re-import here so the
|
||||
+ # vim.eval() below works (otherwise NameError, silently caught).
|
||||
+ import vim
|
||||
sc = self.parser.parse(text,line)
|
||||
try: allow_imports = int(
|
||||
vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
|
||||
diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim
|
||||
index 6f72b11..a4dc18c 100644
|
||||
--- a/runtime/autoload/pythoncomplete.vim
|
||||
+++ b/runtime/autoload/pythoncomplete.vim
|
||||
@@ -144,6 +144,9 @@ class Completer(object):
|
||||
self.parser = PyParser()
|
||||
|
||||
def evalsource(self,text,line=0):
|
||||
+ # vim is imported locally in vimcomplete(); re-import here so the
|
||||
+ # vim.eval() below works (otherwise NameError, silently caught).
|
||||
+ import vim
|
||||
sc = self.parser.parse(text,line)
|
||||
try: allow_imports = int(
|
||||
vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
|
||||
diff --git a/src/testdir/test_popup.vim b/src/testdir/test_popup.vim
|
||||
index ed31985..49ea6c6 100644
|
||||
--- a/src/testdir/test_popup.vim
|
||||
+++ b/src/testdir/test_popup.vim
|
||||
@@ -680,6 +680,9 @@ func Test_popup_and_preview_autocommand()
|
||||
au!
|
||||
au BufAdd * nested tab sball
|
||||
augroup END
|
||||
+ " Let pythoncomplete follow the buffer's 'import os' (off by default
|
||||
+ " since v9.2.0561) so 'os.' can be completed.
|
||||
+ let g:pythoncomplete_allow_import = 1
|
||||
set omnifunc=pythoncomplete#Complete
|
||||
call setline(1, 'import os')
|
||||
" make the line long
|
||||
@@ -702,6 +705,7 @@ func Test_popup_and_preview_autocommand()
|
||||
augroup END
|
||||
augroup! MyBufAdd
|
||||
bw!
|
||||
+ unlet g:pythoncomplete_allow_import
|
||||
endfunc
|
||||
|
||||
func Test_balloon_split()
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -24,7 +24,7 @@ Summary: The VIM editor
|
||||
URL: http://www.vim.org/
|
||||
Name: vim
|
||||
Version: %{baseversion}.%{patchlevel}
|
||||
Release: 24%{?dist}
|
||||
Release: 27%{?dist}
|
||||
License: Vim and MIT
|
||||
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
|
||||
Source1: vim.sh
|
||||
@ -165,6 +165,35 @@ Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
|
||||
# https://redhat.atlassian.net/browse/RHEL-171485
|
||||
# https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb
|
||||
Patch3058: 0001-patch-9.2.0357-security-command-injection-via-backti.patch
|
||||
# RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via shellescape
|
||||
# https://redhat.atlassian.net/browse/RHEL-178234
|
||||
# https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
|
||||
# Omitted src/version.c hunk and test file (Vim9 script not available in vim 8.0)
|
||||
Patch3059: 0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch
|
||||
# RHEL-185863 CVE-2026-47167 vim: Code Injection in cucumber filetype plugin
|
||||
# https://redhat.atlassian.net/browse/RHEL-185863
|
||||
# https://github.com/vim/vim/commit/a65a52d684bc58535ad28a4ae824d22e76399934
|
||||
# Changes from upstream:
|
||||
# - stripped src/version.c patchlevel hunk
|
||||
# - stripped 'Last Changes' header comments from cucumber.vim
|
||||
# - adapted test: replaced CheckFeature with has() guard, used mkdir 'p' flag
|
||||
# with manual cleanup instead of 'pR' (not available in vim 8.0)
|
||||
Patch3060: 0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch
|
||||
# RHEL-186656 CVE-2026-47162 vim: netrw code injection via NetrwBookHistSave()
|
||||
# https://redhat.atlassian.net/browse/RHEL-186656
|
||||
# https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b
|
||||
# Adapted for vim 8.0: netrw.vim path differs, setline uses (cnt+lastline),
|
||||
# stripped src/version.c and Last Change comment, created minimal test file
|
||||
Patch3061: 0001-patch-9.2.0495-security-runtime-netrw-code-injection.patch
|
||||
# RHEL-186648 CVE-2026-52858 possible code execution with python3complete
|
||||
# https://redhat.atlassian.net/browse/RHEL-186648
|
||||
# https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d
|
||||
# stripped src/version.c hunk and omitted v0.10 changelog comments
|
||||
Patch3062: 0001-patch-9.2.0561-security-possible-code-execution-with.patch
|
||||
# https://github.com/vim/vim/commit/868ad62cb8bf8038322eab2badd31bd98b02b9df
|
||||
# stripped src/version.c hunk
|
||||
Patch3063: 0001-patch-9.2.0568-pythoncomplete-g-pythoncomplete_allow.patch
|
||||
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
@ -404,6 +433,12 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
||||
%patch -P 3056 -p1 -b .zip-abs-write
|
||||
%patch -P 3057 -p1 -b .zip-abs-extract
|
||||
%patch -P 3058 -p1 -b .tag-backtick-inject
|
||||
%patch -P 3059 -p1 -b .tar-shellescape-fix
|
||||
%patch -P 3060 -p1 -b .cucumber-code-injection
|
||||
%patch -P 3061 -p1 -b .netrw-injection
|
||||
%patch -P 3062 -p1 -b .CVE-2026-52858
|
||||
%patch -P 3063 -p1 -b .CVE-2026-52858-fix
|
||||
|
||||
|
||||
%build
|
||||
%if 0%{?rhel} > 7
|
||||
@ -922,6 +957,17 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
||||
%{_datadir}/icons/locolor/*/apps/*
|
||||
|
||||
%changelog
|
||||
* Wed Jul 01 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 2:8.0.1763-27
|
||||
- RHEL-186656 CVE-2026-47162 vim: netrw code injection via NetrwBookHistSave
|
||||
- RHEL-186648 CVE-2026-52858 vim: possible code execution with python3complete
|
||||
|
||||
* Tue Jun 30 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 2:8.0.1763-26
|
||||
- CVE-2026-47167 vim: Code Injection in cucumber filetype plugin
|
||||
|
||||
* Wed Jun 03 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 2:8.0.1763-25
|
||||
- RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via
|
||||
shellescape
|
||||
|
||||
* Thu May 21 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-24
|
||||
- CVE-2026-41411 vim: Command injection via backticks in tag files
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user