From 01a7da4d659ab046252bd7d0de6858439b8a4c2d Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Mon, 13 Jul 2026 03:58:18 -0400 Subject: [PATCH] import CS git vim-8.0.1763-27.el8_10 --- ...security-runtime-tar-command-injecti.patch | 37 +++++ ...ecurity-runtime-netrw-code-injection.patch | 77 ++++++++++ ...ecurity-Code-Injection-in-cucumber-f.patch | 77 ++++++++++ ...ecurity-possible-code-execution-with.patch | 141 ++++++++++++++++++ ...ythoncomplete-g-pythoncomplete_allow.patch | 87 +++++++++++ SPECS/vim.spec | 48 +++++- 6 files changed, 466 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch create mode 100644 SOURCES/0001-patch-9.2.0495-security-runtime-netrw-code-injection.patch create mode 100644 SOURCES/0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch create mode 100644 SOURCES/0001-patch-9.2.0561-security-possible-code-execution-with.patch create mode 100644 SOURCES/0001-patch-9.2.0568-pythoncomplete-g-pythoncomplete_allow.patch diff --git a/SOURCES/0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch b/SOURCES/0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch new file mode 100644 index 00000000..1cf1117b --- /dev/null +++ b/SOURCES/0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch @@ -0,0 +1,37 @@ +From 448ae03067c85a48c9c73517fb9f7046be3ed200 Mon Sep 17 00:00:00 2001 +From: RHEL Packaging Agent +Date: Wed, 3 Jun 2026 10:56:51 +0000 +Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection + in tar plugin + +Problem: [security]: runtime(tar): command injection in tar plugin + (Christopher Lusk) +Solution: Use the correct shellescape(args, 1) form for a :! command + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w + +Signed-off-by: Christian Brabandt +--- + runtime/autoload/tar.vim | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim +index e320b9a..b60e94a 100644 +--- a/runtime/autoload/tar.vim ++++ b/runtime/autoload/tar.vim +@@ -588,9 +588,9 @@ fun! tar#Vimuntar(...) + " if necessary, decompress the tarball; then, extract it + if tartail =~ '\.tgz' + if executable("gunzip") +- silent exe "!gunzip ".shellescape(tartail) ++ silent exe "!gunzip ".shellescape(tartail, 1) + elseif executable("gzip") +- silent exe "!gzip -d ".shellescape(tartail) ++ silent exe "!gzip -d ".shellescape(tartail, 1) + else + echoerr "unable to decompress<".tartail."> on this sytem" + if simplify(curdir) != simplify(tarhome) +-- +2.52.0 + diff --git a/SOURCES/0001-patch-9.2.0495-security-runtime-netrw-code-injection.patch b/SOURCES/0001-patch-9.2.0495-security-runtime-netrw-code-injection.patch new file mode 100644 index 00000000..f5b7e263 --- /dev/null +++ b/SOURCES/0001-patch-9.2.0495-security-runtime-netrw-code-injection.patch @@ -0,0 +1,77 @@ +From 458f4aac609d31b2e6108c9883221168cf4d0b28 Mon Sep 17 00:00:00 2001 +From: RHEL Packaging Agent +Date: Tue, 23 Jun 2026 20:47:37 +0000 +Subject: [PATCH] patch 9.2.0495: [security]: runtime(netrw): code injection + via NetrwBookHistSave() + +Problem: [security]: runtime(netrw): code injection via + NetrwBookHistSave() +Solution: Properly quote the directory name using string() function + (Srinivas Piskala Ganesh Babu) + +Adapted for vim 8.0: netrw.vim is at runtime/autoload/netrw.vim, +setline uses (cnt+lastline) instead of lastline, loop uses while +instead of for. Stripped src/version.c and Last Change comment. +Created minimal test_plugin_netrw.vim with only the injection test. +--- + runtime/autoload/netrw.vim | 2 +- + src/testdir/Make_all.mak | 1 + + src/testdir/test_plugin_netrw.vim | 21 +++++++++++++++++++++ + 3 files changed, 23 insertions(+), 1 deletion(-) + create mode 100644 src/testdir/test_plugin_netrw.vim + +diff --git a/runtime/autoload/netrw.vim b/runtime/autoload/netrw.vim +index 89f749c..7534467 100644 +--- a/runtime/autoload/netrw.vim ++++ b/runtime/autoload/netrw.vim +@@ -3558,7 +3558,7 @@ fun! s:NetrwBookHistSave() + let lastline = line("$") + let cnt = 1 + while cnt <= g:netrw_dirhist_cnt +- call setline((cnt+lastline),'let g:netrw_dirhist_'.cnt."='".g:netrw_dirhist_{cnt}."'") ++ call setline((cnt+lastline),'let g:netrw_dirhist_'.cnt.'='.string(g:netrw_dirhist_{cnt})) + let cnt= cnt + 1 + endwhile + exe "sil! w! ".savefile +diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak +index 5f1c38c..4b34928 100644 +--- a/src/testdir/Make_all.mak ++++ b/src/testdir/Make_all.mak +@@ -145,6 +145,7 @@ NEW_TESTS = test_arabic.res \ + test_packadd.res \ + test_paste.res \ + test_perl.res \ ++ test_plugin_netrw.res \ + test_plus_arg_edit.res \ + test_preview.res \ + test_profile.res \ +diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim +new file mode 100644 +index 0000000..737617f +--- /dev/null ++++ b/src/testdir/test_plugin_netrw.vim +@@ -0,0 +1,21 @@ ++source shared.vim ++ ++func Test_netrw_injection() ++ let g:netrw_home = getcwd() ++ let savefile = g:netrw_home . '/.netrwhist' ++ let g:netrw_dirhistmax = 10 ++ let g:netrw_dirhist_cnt = 1 ++ let g:netrw_dirhist_1 = "x'|let g:injected = 1|let y='z" ++ call delete(savefile) ++ try ++ call netrw#Call('NetrwBookHistSave') ++ call assert_true(filereadable(savefile), savefile . ' must be written') ++ unlet g:netrw_dirhist_1 ++ execute 'source ' . fnameescape(savefile) ++ call assert_false(exists("g:injected"), 'injected statement must not execute') ++ call assert_equal("x'|let g:injected = 1|let y='z", g:netrw_dirhist_1, 'dirname must round-trip') ++ finally ++ call delete(savefile) ++ unlet! g:netrw_home g:netrw_dirhistmax g:netrw_dirhist_cnt g:netrw_dirhist_1 g:injected ++ endtry ++endfunc +-- +2.52.0 + diff --git a/SOURCES/0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch b/SOURCES/0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch new file mode 100644 index 00000000..7624c0a7 --- /dev/null +++ b/SOURCES/0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch @@ -0,0 +1,77 @@ +From ea20c181c76ef339b5cf1ae02ce3f7593c57d14d Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Sun, 17 May 2026 19:39:24 +0000 +Subject: [PATCH] patch 9.2.0496: [security]: Code Injection in cucumber + filetype plugin + +Problem: [security]: Code Injection in cucumber filetype plugin + (Christopher Lusk) +Solution: Use rubys Regexp.new() with the untrusted pattern + +Github Security Advisory: +https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9 + +Signed-off-by: Christian Brabandt +--- + runtime/ftplugin/cucumber.vim | 3 ++- + src/testdir/test_filetype.vim | 33 +++++++++++++++++++++++++++++++++ + 2 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/runtime/ftplugin/cucumber.vim b/runtime/ftplugin/cucumber.vim +index f4848d1..3361f1d 100644 +--- a/runtime/ftplugin/cucumber.vim ++++ b/runtime/ftplugin/cucumber.vim +@@ -96,7 +96,8 @@ function! s:stepmatch(receiver,target) + catch + endtry + if has("ruby") && pattern !~ '\\\@ s:steps -> s:stepmatch on every discovered step, ++ " including the malicious one. Suppress preview and error messages. ++ silent! normal [d ++ call assert_false(filereadable(marker), 'Ruby injection executed') ++ bwipe! ++ call delete('Xcucu', 'rf') ++ filetype plugin off ++endfunc ++ +-- +2.52.0 + diff --git a/SOURCES/0001-patch-9.2.0561-security-possible-code-execution-with.patch b/SOURCES/0001-patch-9.2.0561-security-possible-code-execution-with.patch new file mode 100644 index 00000000..9c797dae --- /dev/null +++ b/SOURCES/0001-patch-9.2.0561-security-possible-code-execution-with.patch @@ -0,0 +1,141 @@ +From d883881dfd546a59763be7bb253ac1165b6b5256 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Fri, 29 May 2026 19:05:53 +0000 +Subject: [PATCH] patch 9.2.0561: [security]: possible code execution with + python3complete + +Problem: [security]: possible code execution with python3complete +Solution: Disable execution of import/from statements + +Github Security Advisory: +https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c + +Signed-off-by: Christian Brabandt +--- + runtime/autoload/README.txt | 1 + + runtime/autoload/python3complete.vim | 13 ++++++++++--- + runtime/autoload/pythoncomplete.vim | 13 ++++++++++--- + runtime/doc/filetype.txt | 15 ++++++++++++++- + 4 files changed, 35 insertions(+), 7 deletions(-) + +diff --git a/runtime/autoload/README.txt b/runtime/autoload/README.txt +index 3b18d3d..b225819 100644 +--- a/runtime/autoload/README.txt ++++ b/runtime/autoload/README.txt +@@ -17,6 +17,7 @@ htmlcomplete.vim HTML + javascriptcomplete.vim Javascript + phpcomplete.vim PHP + pythoncomplete.vim Python ++python3complete.vim Python + rubycomplete.vim Ruby + syntaxcomplete.vim from syntax highlighting + xmlcomplete.vim XML (uses files in the xml directory) +diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim +index f0f3aad..5dcfb73 100644 +--- a/runtime/autoload/python3complete.vim ++++ b/runtime/autoload/python3complete.vim +@@ -128,11 +128,20 @@ class Completer(object): + + def evalsource(self,text,line=0): + sc = self.parser.parse(text,line) ++ try: allow_imports = int( ++ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)")) ++ except Exception: ++ allow_imports = 0 + src = sc.get_code() + dbg("source: %s" % src) + try: exec(src,self.compldict) + except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1])) + for l in sc.locals: ++ # Executing import/from statements harvested from the buffer runs ++ # arbitrary package code; only do so when the user opted in. ++ if not allow_imports and (l.startswith('import') ++ or l.startswith('from ')): ++ continue + try: exec(l,self.compldict) + except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l)) + +@@ -296,13 +305,11 @@ class Scope(object): + def get_code(self): + str = "" + if len(self.docstr) > 0: str += '"""'+self.docstr+'"""\n' +- for l in self.locals: +- if l.startswith('import'): str += l+'\n' + str += 'class _PyCmplNoType:\n def __getattr__(self,name):\n return None\n' + for sub in self.subscopes: + str += sub.get_code() + for l in self.locals: +- if not l.startswith('import'): str += l+'\n' ++ if not l.startswith('import') and not l.startswith('from '): str += l+'\n' + + return str + +diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim +index ecc3664..6f72b11 100644 +--- a/runtime/autoload/pythoncomplete.vim ++++ b/runtime/autoload/pythoncomplete.vim +@@ -145,11 +145,20 @@ class Completer(object): + + def evalsource(self,text,line=0): + sc = self.parser.parse(text,line) ++ try: allow_imports = int( ++ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)")) ++ except Exception: ++ allow_imports = 0 + src = sc.get_code() + dbg("source: %s" % src) + try: exec(src) in self.compldict + except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1])) + for l in sc.locals: ++ # Executing import/from statements harvested from the buffer runs ++ # arbitrary package code; only do so when the user opted in. ++ if not allow_imports and (l.startswith('import') ++ or l.startswith('from ')): ++ continue + try: exec(l) in self.compldict + except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l)) + +@@ -314,13 +323,11 @@ class Scope(object): + def get_code(self): + str = "" + if len(self.docstr) > 0: str += '"""'+self.docstr+'"""\n' +- for l in self.locals: +- if l.startswith('import'): str += l+'\n' + str += 'class _PyCmplNoType:\n def __getattr__(self,name):\n return None\n' + for sub in self.subscopes: + str += sub.get_code() + for l in self.locals: +- if not l.startswith('import'): str += l+'\n' ++ if not l.startswith('import') and not l.startswith('from '): str += l+'\n' + + return str + +diff --git a/runtime/doc/filetype.txt b/runtime/doc/filetype.txt +index a5f2a1c..8ebe52a 100644 +--- a/runtime/doc/filetype.txt ++++ b/runtime/doc/filetype.txt +@@ -641,7 +641,20 @@ By default the following options are set, in accordance with PEP8: > + To disable this behaviour, set the following variable in your vimrc: > + + let g:python_recommended_style = 0 +- ++< ++Python omni-completion |compl-omni| is provided by python3complete.vim (or ++pythoncomplete.vim) for Vim builds with the |+python|/|+python3| interpreter. ++By default it does not inspect the import / from statements found in the ++buffer. This means completion of names defined in the buffer itself (classes, ++functions, variables) works, but completion of members of imported modules is ++not offered. ++ ++To enable completion of imported module members, set: > ++ let g:pythoncomplete_allow_import = 1 ++< ++WARNING: enabling this causes omni-completion to execute the import statements ++found in the buffer through Python's import machinery, which runs the imported ++modules' top-level code. Only enable this for code you trust. + + RPM SPEC *ft-spec-plugin* + +-- +2.52.0 + diff --git a/SOURCES/0001-patch-9.2.0568-pythoncomplete-g-pythoncomplete_allow.patch b/SOURCES/0001-patch-9.2.0568-pythoncomplete-g-pythoncomplete_allow.patch new file mode 100644 index 00000000..8c12154f --- /dev/null +++ b/SOURCES/0001-patch-9.2.0568-pythoncomplete-g-pythoncomplete_allow.patch @@ -0,0 +1,87 @@ +From 864113433a67171b3292b9e9dc8ca0f1e4249529 Mon Sep 17 00:00:00 2001 +From: thinca +Date: Sun, 31 May 2026 12:33:07 +0000 +Subject: [PATCH] patch 9.2.0568: pythoncomplete: g:pythoncomplete_allow_import + had no effect + +Problem: The security patch 9.2.0561 added a vim.eval() call inside + Completer.evalsource() to honor g:pythoncomplete_allow_import. + But the 'vim' module is only imported inside the outer + vimcomplete() / vimpy3complete() function, not at the script's + top level, so referring to it from a Completer method raises + NameError. The surrounding bare 'except' silently swallows + the error and leaves allow_imports at 0, meaning the opt-in + never takes effect -- 'import os' (and any other + buffer-level import) is always skipped, no candidates are + produced for 'os.<...>' and + Test_popup_and_preview_autocommand() fails on the Windows + CI matrix (Linux skips the test because Python 2 is absent). +Solution: Re-import 'vim' at the top of evalsource() in both + pythoncomplete.vim and python3complete.vim so the eval reads + the global, and set g:pythoncomplete_allow_import = 1 in the + test (it is the opt-in intended for callers that trust the + buffer contents) (thinca). + +closes: #20386 + +Signed-off-by: thinca +Signed-off-by: Christian Brabandt +--- + runtime/autoload/python3complete.vim | 3 +++ + runtime/autoload/pythoncomplete.vim | 3 +++ + src/testdir/test_popup.vim | 4 ++++ + 3 files changed, 10 insertions(+) + +diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim +index 5dcfb73..cd8786d 100644 +--- a/runtime/autoload/python3complete.vim ++++ b/runtime/autoload/python3complete.vim +@@ -127,6 +127,9 @@ class Completer(object): + self.parser = PyParser() + + def evalsource(self,text,line=0): ++ # vim is imported locally in vimpy3complete(); re-import here so the ++ # vim.eval() below works (otherwise NameError, silently caught). ++ import vim + sc = self.parser.parse(text,line) + try: allow_imports = int( + vim.eval("get(g:, 'pythoncomplete_allow_import', 0)")) +diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim +index 6f72b11..a4dc18c 100644 +--- a/runtime/autoload/pythoncomplete.vim ++++ b/runtime/autoload/pythoncomplete.vim +@@ -144,6 +144,9 @@ class Completer(object): + self.parser = PyParser() + + def evalsource(self,text,line=0): ++ # vim is imported locally in vimcomplete(); re-import here so the ++ # vim.eval() below works (otherwise NameError, silently caught). ++ import vim + sc = self.parser.parse(text,line) + try: allow_imports = int( + vim.eval("get(g:, 'pythoncomplete_allow_import', 0)")) +diff --git a/src/testdir/test_popup.vim b/src/testdir/test_popup.vim +index ed31985..49ea6c6 100644 +--- a/src/testdir/test_popup.vim ++++ b/src/testdir/test_popup.vim +@@ -680,6 +680,9 @@ func Test_popup_and_preview_autocommand() + au! + au BufAdd * nested tab sball + augroup END ++ " Let pythoncomplete follow the buffer's 'import os' (off by default ++ " since v9.2.0561) so 'os.' can be completed. ++ let g:pythoncomplete_allow_import = 1 + set omnifunc=pythoncomplete#Complete + call setline(1, 'import os') + " make the line long +@@ -702,6 +705,7 @@ func Test_popup_and_preview_autocommand() + augroup END + augroup! MyBufAdd + bw! ++ unlet g:pythoncomplete_allow_import + endfunc + + func Test_balloon_split() +-- +2.52.0 + diff --git a/SPECS/vim.spec b/SPECS/vim.spec index 28566adb..e44b0b75 100644 --- a/SPECS/vim.spec +++ b/SPECS/vim.spec @@ -24,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 24%{?dist} +Release: 27%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -165,6 +165,35 @@ Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch # https://redhat.atlassian.net/browse/RHEL-171485 # https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb Patch3058: 0001-patch-9.2.0357-security-command-injection-via-backti.patch +# RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via shellescape +# https://redhat.atlassian.net/browse/RHEL-178234 +# https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 +# Omitted src/version.c hunk and test file (Vim9 script not available in vim 8.0) +Patch3059: 0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch +# RHEL-185863 CVE-2026-47167 vim: Code Injection in cucumber filetype plugin +# https://redhat.atlassian.net/browse/RHEL-185863 +# https://github.com/vim/vim/commit/a65a52d684bc58535ad28a4ae824d22e76399934 +# Changes from upstream: +# - stripped src/version.c patchlevel hunk +# - stripped 'Last Changes' header comments from cucumber.vim +# - adapted test: replaced CheckFeature with has() guard, used mkdir 'p' flag +# with manual cleanup instead of 'pR' (not available in vim 8.0) +Patch3060: 0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch +# RHEL-186656 CVE-2026-47162 vim: netrw code injection via NetrwBookHistSave() +# https://redhat.atlassian.net/browse/RHEL-186656 +# https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b +# Adapted for vim 8.0: netrw.vim path differs, setline uses (cnt+lastline), +# stripped src/version.c and Last Change comment, created minimal test file +Patch3061: 0001-patch-9.2.0495-security-runtime-netrw-code-injection.patch +# RHEL-186648 CVE-2026-52858 possible code execution with python3complete +# https://redhat.atlassian.net/browse/RHEL-186648 +# https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d +# stripped src/version.c hunk and omitted v0.10 changelog comments +Patch3062: 0001-patch-9.2.0561-security-possible-code-execution-with.patch +# https://github.com/vim/vim/commit/868ad62cb8bf8038322eab2badd31bd98b02b9df +# stripped src/version.c hunk +Patch3063: 0001-patch-9.2.0568-pythoncomplete-g-pythoncomplete_allow.patch + # gcc is no longer in buildroot by default BuildRequires: gcc @@ -404,6 +433,12 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3056 -p1 -b .zip-abs-write %patch -P 3057 -p1 -b .zip-abs-extract %patch -P 3058 -p1 -b .tag-backtick-inject +%patch -P 3059 -p1 -b .tar-shellescape-fix +%patch -P 3060 -p1 -b .cucumber-code-injection +%patch -P 3061 -p1 -b .netrw-injection +%patch -P 3062 -p1 -b .CVE-2026-52858 +%patch -P 3063 -p1 -b .CVE-2026-52858-fix + %build %if 0%{?rhel} > 7 @@ -922,6 +957,17 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Wed Jul 01 2026 RHEL Packaging Agent - 2:8.0.1763-27 +- RHEL-186656 CVE-2026-47162 vim: netrw code injection via NetrwBookHistSave +- RHEL-186648 CVE-2026-52858 vim: possible code execution with python3complete + +* Tue Jun 30 2026 RHEL Packaging Agent - 2:8.0.1763-26 +- CVE-2026-47167 vim: Code Injection in cucumber filetype plugin + +* Wed Jun 03 2026 RHEL Packaging Agent - 2:8.0.1763-25 +- RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via + shellescape + * Thu May 21 2026 Zdenek Dohnal - 2:8.0.1763-24 - CVE-2026-41411 vim: Command injection via backticks in tag files