import UBI vim-9.1.083-6.el10_1.3

0001-patch-9.2.0073-security-possible-command-injection-u.patch

@@ -0,0 +1,56 @@
+diff -up vim91/runtime/autoload/netrw.vim.CVE-2026-28417 vim91/runtime/autoload/netrw.vim
+--- vim91/runtime/autoload/netrw.vim.CVE-2026-28417	2026-03-17 19:22:17.101915588 +0100
++++ vim91/runtime/autoload/netrw.vim	2026-03-17 19:32:29.134514079 +0100
+@@ -3376,13 +3376,26 @@ endif
+ 
+ " s:NetrwValidateHostname:  Validate that the hostname is valid {{{2
+ " Input:
+-"   hostname
++"   hostname, may include an optional username, e.g. user@hostname
++"   allow a alphanumeric hostname or an IPv(4/6) address
+ " Output:
+ "  true if g:netrw_machine is valid according to RFC1123 #Section 2
+ fun! s:NetrwValidateHostname(hostname)
+-    " RFC1123#section-2 mandates, a valid hostname starts with letters or digits
+-    " so reject everyhing else
+-    return a:hostname =~? '^[a-z0-9]'
++  " Username:
++  let user_pat = '\%([a-zA-Z0-9._-]\+@\)\?'
++  " Hostname: 1-64 chars, alphanumeric/dots/hyphens.
++  " No underscores. No leading/trailing dots/hyphens.
++  let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]{,62}[a-zA-Z0-9]\)\?$'
++
++  " IPv4: 1-3 digits separated by dots
++  let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}$'
++
++  " IPv6: Hex, colons, and optional brackets
++  let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?$'
++
++  return a:hostname =~? '^'.user_pat.host_pat ||
++       \ a:hostname =~? '^'.user_pat.ipv4_pat ||
++       \ a:hostname =~? '^'.user_pat.ipv6_pat
+ endfun
+ 
+ " ---------------------------------------------------------------------
+@@ -11880,15 +11893,15 @@ endfun
+ "               a correct command for use with a system() call
+ fun! s:MakeSshCmd(sshcmd)
+ "  call Dfunc("s:MakeSshCmd(sshcmd<".a:sshcmd.">) user<".s:user."> machine<".s:machine.">")
+-  if s:user == ""
+-   let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',s:machine,'')
+-  else
+-   let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',s:user."@".s:machine,'')
++  let machine = shellescape(s:machine, 1)
++  if s:user != ''
++      let machine    = shellescape(s:user, 1).'@'.machine
+   endif
++  let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',machine,'')
+   if exists("g:netrw_port") && g:netrw_port != ""
+-   let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.g:netrw_port,'')
++   let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.shellescape(g:netrw_port,1),'')
+   elseif exists("s:port") && s:port != ""
+-   let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.s:port,'')
++   let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.shellescape(s:port,1),'')
+   else
+    let sshcmd= substitute(sshcmd,"USEPORT ",'','')
+   endif

0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch

@@ -0,0 +1,509 @@
+diff --git a/src/memline.c b/src/memline.c
+index cf2dc8c..0fb7a8b 100644
+--- a/src/memline.c
++++ b/src/memline.c
+@@ -1597,8 +1597,12 @@ ml_recover(int checkext)
+ 			if (!cannot_open)
+ 			{
+ 			    line_count = pp->pb_pointer[idx].pe_line_count;
+-			    if (readfile(curbuf->b_ffname, NULL, lnum,
+-					pp->pb_pointer[idx].pe_old_lnum - 1,
++			    linenr_T pe_old_lnum = pp->pb_pointer[idx].pe_old_lnum;
++			    // Validate pe_line_count and pe_old_lnum from the
++			    // untrusted swap file before passing to readfile().
++			    if (line_count <= 0 || pe_old_lnum < 1 ||
++				    readfile(curbuf->b_ffname, NULL, lnum,
++					pe_old_lnum - 1,
+ 					line_count, NULL, 0) != OK)
+ 				cannot_open = TRUE;
+ 			    else
+@@ -1629,6 +1633,27 @@ ml_recover(int checkext)
+ 		    bnum = pp->pb_pointer[idx].pe_bnum;
+ 		    line_count = pp->pb_pointer[idx].pe_line_count;
+ 		    page_count = pp->pb_pointer[idx].pe_page_count;
++		    // Validate pe_bnum and pe_page_count from the untrusted
++		    // swap file before passing to mf_get(), which uses
++		    // page_count to calculate allocation size.  A bogus value
++		    // (e.g. 0x40000000) would cause a multi-GB allocation.
++		    // pe_page_count must be >= 1 and bnum + page_count must
++		    // not exceed the number of pages in the swap file.
++		    if (page_count < 1
++			    || bnum + page_count > mfp->mf_blocknr_max + 1)
++		    {
++			++error;
++			ml_append(lnum++,
++				(char_u *)_("???ILLEGAL BLOCK NUMBER"),
++				(colnr_T)0, TRUE);
++			// Skip this entry and pop back up the stack to keep
++			// recovering whatever else we can.
++			idx = ip->ip_index + 1;
++			bnum = ip->ip_bnum;
++			page_count = 1;
++			--buf->b_ml.ml_stack_top;
++			continue;
++		    }
+ 		    idx = 0;
+ 		    continue;
+ 		}
+diff --git a/src/po/af.po b/src/po/af.po
+index 5ad9f47..d6497ea 100644
+--- a/src/po/af.po
++++ b/src/po/af.po
+@@ -4430,3 +4430,6 @@ msgstr "geen sodanige venster nie"
+ 
+ msgid "attempt to refer to deleted buffer"
+ msgstr "poging om na 'n geskrapte buffer te verwys"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/ca.po b/src/po/ca.po
+index caf02a9..b231cbc 100644
+--- a/src/po/ca.po
++++ b/src/po/ca.po
+@@ -10275,3 +10275,6 @@ msgstr "nom de la biblioteca din
+ 
+ msgid "name of the MzScheme GC dynamic library"
+ msgstr "nom de la biblioteca dinàmica MzScheme GC"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/cs.cp1250.po b/src/po/cs.cp1250.po
+index bed2595..70bbf5a 100644
+--- a/src/po/cs.cp1250.po
++++ b/src/po/cs.cp1250.po
+@@ -4665,3 +4665,6 @@ msgstr "Nulov
+ 
+ msgid "E81: Using <SID> not in a script context"
+ msgstr "E81: Použití <SID> mimo kontext skriptu"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/cs.po b/src/po/cs.po
+index b6dcdb7..2491787 100644
+--- a/src/po/cs.po
++++ b/src/po/cs.po
+@@ -4665,3 +4665,6 @@ msgstr "Nulov
+ 
+ msgid "E81: Using <SID> not in a script context"
+ msgstr "E81: Pou¾ití <SID> mimo kontext skriptu"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/da.po b/src/po/da.po
+index 80cc6fe..307e310 100644
+--- a/src/po/da.po
++++ b/src/po/da.po
+@@ -7200,3 +7200,6 @@ msgstr ""
+ "C-kildekode (*.c, *.h)\t*.c;*.h\n"
+ "C++-kildekode (*.cpp, *.hpp)\t*.cpp;*.hpp\n"
+ "Vim-filer (*.vim, _vimrc, _gvimrc)\t*.vim;_vimrc;_gvimrc\n"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/de.po b/src/po/de.po
+index f0f00d7..6998579 100644
+--- a/src/po/de.po
++++ b/src/po/de.po
+@@ -10823,3 +10823,6 @@ msgstr "Name der dynamischen MzScheme GC Bibliothek"
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr ""
+ "Sie haben das Befehlszeilenfenster entdeckt! Schließen Sie es mit \":q\"."
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/en_GB.po b/src/po/en_GB.po
+index c037661..ed58a2e 100644
+--- a/src/po/en_GB.po
++++ b/src/po/en_GB.po
+@@ -459,3 +459,6 @@ msgstr "when to edit the command line right-to-left"
+ 
+ msgid "what happens with a buffer when it's no longer in a window"
+ msgstr "what happens with a buffer when it is no longer in a window"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/eo.po b/src/po/eo.po
+index a9aaefa..c4f4435 100644
+--- a/src/po/eo.po
++++ b/src/po/eo.po
+@@ -8597,3 +8597,6 @@ msgstr "la permutodosiero .swp"
+ 
+ msgid "command line editing"
+ msgstr "redakto de komanda linio"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/es.po b/src/po/es.po
+index f4a02fa..ed3a32d 100644
+--- a/src/po/es.po
++++ b/src/po/es.po
+@@ -10219,3 +10219,6 @@ msgstr "nombre de la biblioteca dinámica MzScheme"
+ msgid "name of the MzScheme GC dynamic library"
+ msgstr "nombre de la biblioteca dinámica MzScheme GC"
+ 
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/fi.po b/src/po/fi.po
+index d2fd336..2b5fa86 100644
+--- a/src/po/fi.po
++++ b/src/po/fi.po
+@@ -9854,3 +9854,6 @@ msgstr "MzSchemen dynaamisen kirjaston nimi"
+ 
+ msgid "name of the MzScheme GC dynamic library"
+ msgstr "MzSchemen GC:n dynaamisen kirjaston nimi"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/fr.po b/src/po/fr.po
+index 27f11eb..53535f8 100644
+--- a/src/po/fr.po
++++ b/src/po/fr.po
+@@ -8353,3 +8353,6 @@ msgstr "nom de la biblioth
+ 
+ msgid "name of the MzScheme dynamic library"
+ msgstr "nom de la bibliothèque dynamique MzScheme"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/ga.po b/src/po/ga.po
+index e81ef69..8b1c9cc 100644
+--- a/src/po/ga.po
++++ b/src/po/ga.po
+@@ -10655,3 +10655,6 @@ msgstr "l
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr ""
+ "D'aimsigh tú fuinneog líne na n-orduithe! Is féidir í a dhúnadh le \":q\"."
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/hu.po b/src/po/hu.po
+index 0a11847..cad1686 100644
+--- a/src/po/hu.po
++++ b/src/po/hu.po
+@@ -6154,3 +6154,6 @@ msgstr "találat a TETEJÉN, folytatás az ALJÃ<4A>N"
+ 
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "találat az ALJÃ<4A>N, folytatás a TETEJÉN"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/it.po b/src/po/it.po
+index 66a3bfa..c05e6ec 100644
+--- a/src/po/it.po
++++ b/src/po/it.po
+@@ -10026,3 +10026,6 @@ msgstr "nome della libreria dinamica MzScheme GC"
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr ""
+ "Questa è la finestra della riga-di-comando! Si può chiudere con \":q\"."
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/ja.euc-jp.po b/src/po/ja.euc-jp.po
+index 362be9e..e84e54d 100644
+--- a/src/po/ja.euc-jp.po
++++ b/src/po/ja.euc-jp.po
+@@ -10478,3 +10478,6 @@ msgstr "MzScheme GC ưŪ
+ 
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr "¥³¥Þ¥ó¥É¥é¥¤¥ó¥¦¥£¥ó¥É¥¦¤ò¸«¤Ä¤±¤Þ¤·¤¿¤Í! \":q\" ¤Ç¥¯¥í¡¼¥º¤Ç¤­¤Þ¤¹¡£"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/ja.po b/src/po/ja.po
+index 5464bcc..f8d1729 100644
+--- a/src/po/ja.po
++++ b/src/po/ja.po
+@@ -10478,3 +10478,6 @@ msgstr "MzScheme GC 動的ライブラリã<C2AA>®å<C2AE><C3A5>å‰<C3A5>"
+ 
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr "コマンドラインウィンドウを見ã<E280B9>¤ã<C2A4>‘ã<E28098>¾ã<C2BE>—ã<E28094>Ÿã<C5B8>­! \":q\" ã<>§ã‚¯ãƒ­ãƒ¼ã‚ºã<C2BA>§ã<C2A7><C3A3>ã<EFBFBD>¾ã<C2BE>™ã€‚"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/ja.sjis.po b/src/po/ja.sjis.po
+index 589fd5a..57fb248 100644
+--- a/src/po/ja.sjis.po
++++ b/src/po/ja.sjis.po
+@@ -10478,3 +10478,6 @@ msgstr "MzScheme GC 
+ 
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr "ƒRƒ}ƒ“ƒhƒ‰ƒCƒ“ƒEƒBƒ“ƒhƒE‚ðŒ©‚Â‚¯‚Ü‚µ‚½‚Ë! \":q\" ‚ŃNƒ<4E><C692>[ƒY‚Å‚«‚Ü‚·<E2809A>B"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/ko.UTF-8.po b/src/po/ko.UTF-8.po
+index a9ee0ca..141e899 100644
+--- a/src/po/ko.UTF-8.po
++++ b/src/po/ko.UTF-8.po
+@@ -7105,3 +7105,6 @@ msgstr ""
+ "C 소스 (*.c, *.h)\t*.c;*.h\n"
+ "C++ 소스 (*.cpp, *.hpp)\t*.cpp;*.hpp\n"
+ "Vim 파ì<C592>¼ (*.vim, _vimrc, _gvimrc)\t*.vim;_vimrc;_gvimrc\n"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/ko.po b/src/po/ko.po
+index 00fb486..c749582 100644
+--- a/src/po/ko.po
++++ b/src/po/ko.po
+@@ -7105,3 +7105,6 @@ msgstr ""
+ "C ¼Ò½º (*.c, *.h)\t*.c;*.h\n"
+ "C++ ¼Ò½º (*.cpp, *.hpp)\t*.cpp;*.hpp\n"
+ "Vim ÆÄÀÏ (*.vim, _vimrc, _gvimrc)\t*.vim;_vimrc;_gvimrc\n"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/lv.po b/src/po/lv.po
+index e61042d..90a4733 100644
+--- a/src/po/lv.po
++++ b/src/po/lv.po
+@@ -284,3 +284,6 @@ msgstr "E442: Nevar sadalīt kreiso augšu un labo apakšu vienlaicīgi"
+ #, c-format
+ msgid "E447: Can't find file \"%s\" in path"
+ msgstr "E447: Failu \"%s\" ceļÄ<C2BC> nevar atrast"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/nb.po b/src/po/nb.po
+index d9f527b..67daa5f 100644
+--- a/src/po/nb.po
++++ b/src/po/nb.po
+@@ -6210,3 +6210,6 @@ msgstr "S
+ 
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "Søket traff BUNNEN, fortsetter fra TOPPEN"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/nl.po b/src/po/nl.po
+index 09f281b..5502dae 100644
+--- a/src/po/nl.po
++++ b/src/po/nl.po
+@@ -5896,3 +5896,6 @@ msgstr "\" Druk op <Enter> op een index regel om daarheen te springen."
+ 
+ msgid "\" Hit <Space> on a \"set\" line to refresh it."
+ msgstr "\" Druk op <Spatie> op een \"set\" regel om te verversen."
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/no.po b/src/po/no.po
+index d9f527b..67daa5f 100644
+--- a/src/po/no.po
++++ b/src/po/no.po
+@@ -6210,3 +6210,6 @@ msgstr "S
+ 
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "Søket traff BUNNEN, fortsetter fra TOPPEN"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/pl.UTF-8.po b/src/po/pl.UTF-8.po
+index c9036a3..b7c46d3 100644
+--- a/src/po/pl.UTF-8.po
++++ b/src/po/pl.UTF-8.po
+@@ -6960,3 +6960,6 @@ msgstr ""
+ 
+ #~ msgid "E569: maximum number of cscope connections reached"
+ #~ msgstr "E569: wyczerpano maksymalną liczbę połączeń cscope"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/pl.cp1250.po b/src/po/pl.cp1250.po
+index 9280d2f..ac515df 100644
+--- a/src/po/pl.cp1250.po
++++ b/src/po/pl.cp1250.po
+@@ -6960,3 +6960,6 @@ msgstr ""
+ 
+ #~ msgid "E569: maximum number of cscope connections reached"
+ #~ msgstr "E569: wyczerpano maksymaln¹ liczbê po³¹czeñ cscope"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/pl.po b/src/po/pl.po
+index f10897d..dcda25f 100644
+--- a/src/po/pl.po
++++ b/src/po/pl.po
+@@ -6960,3 +6960,6 @@ msgstr ""
+ 
+ #~ msgid "E569: maximum number of cscope connections reached"
+ #~ msgstr "E569: wyczerpano maksymaln± liczbê po³±czeñ cscope"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/pt_BR.po b/src/po/pt_BR.po
+index 3a8844a..ed96dd4 100644
+--- a/src/po/pt_BR.po
++++ b/src/po/pt_BR.po
+@@ -7115,3 +7115,6 @@ msgid ""
+ msgstr ""
+ "Falha ao definir path: sys.path não é uma lista\n"
+ "Você deve adicionar vim.VIM_SPECIAL_PATH ao sys.path"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/ru.cp1251.po b/src/po/ru.cp1251.po
+index 2dd453a..860f87d 100644
+--- a/src/po/ru.cp1251.po
++++ b/src/po/ru.cp1251.po
+@@ -14854,3 +14854,6 @@ msgstr "
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr ""
+ "Àêòèâèðîâàíî îêíî êîìàíäíîé ñòðîêè. ×òîáû åãî çàêðûòü, ââåäèòå êîìàíäó  :q"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/ru.po b/src/po/ru.po
+index d4b7d6b..af42f90 100644
+--- a/src/po/ru.po
++++ b/src/po/ru.po
+@@ -14757,3 +14757,6 @@ msgstr "подключаемый файл динамичеÑ<C2B5>кой библио
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr ""
+ "Ð<>ктивировано окно командной Ñ<>троки. Чтобы его закрыть, введите команду  :q"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/sk.cp1250.po b/src/po/sk.cp1250.po
+index 36fd347..702bdde 100644
+--- a/src/po/sk.cp1250.po
++++ b/src/po/sk.cp1250.po
+@@ -5838,3 +5838,6 @@ msgstr "h
+ 
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "h¾adanie dosiahlo koniec, pokraèovanie od zaèiatku"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/sk.po b/src/po/sk.po
+index 935b0c2..6d3bdb0 100644
+--- a/src/po/sk.po
++++ b/src/po/sk.po
+@@ -5838,3 +5838,6 @@ msgstr "h
+ 
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "hµadanie dosiahlo koniec, pokraèovanie od zaèiatku"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/sr.po b/src/po/sr.po
+index 88e910c..4553e97 100644
+--- a/src/po/sr.po
++++ b/src/po/sr.po
+@@ -10640,3 +10640,6 @@ msgstr "име MzScheme GC динамичке библиотеке"
+ 
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr "Открили Ñ<>те прозор командне линије! Можете да га затворите Ñ<>а „:qâ€<C3A2>."
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/sv.po b/src/po/sv.po
+index 629a22c..5e4dd9b 100644
+--- a/src/po/sv.po
++++ b/src/po/sv.po
+@@ -6193,3 +6193,6 @@ msgstr "s
+ 
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "sökning nådde BOTTEN, forsätter vid TOPPEN"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/tr.po b/src/po/tr.po
+index 4cff7b3..0bbb557 100644
+--- a/src/po/tr.po
++++ b/src/po/tr.po
+@@ -10517,3 +10517,6 @@ msgstr "MzScheme GC devingen kitaplığının adı"
+ 
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr "Komut satırı penceresini keşfettiniz! Kapatmak için \":q\" kullanın."
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/uk.cp1251.po b/src/po/uk.cp1251.po
+index 40d87f5..6d6ddff 100644
+--- a/src/po/uk.cp1251.po
++++ b/src/po/uk.cp1251.po
+@@ -10839,3 +10839,6 @@ msgstr "
+ 
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr "Âè âèÿâèëè â³êíî êîìàíäíîãî ðÿäêà! Éîãî ìîæíà çàêðèòè êîìàíäîþ «:q»."
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/uk.po b/src/po/uk.po
+index 273f833..41f8704 100644
+--- a/src/po/uk.po
++++ b/src/po/uk.po
+@@ -10839,3 +10839,6 @@ msgstr "назва динамічної бібліотеки MzScheme GC"
+ 
+ msgid "You discovered the command-line window! You can close it with \":q\"."
+ msgstr "Ви виÑ<C2B8>вили вікно командного Ñ€Ñ<E282AC>дка! Його можна закрити командою «:q»."
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/vi.po b/src/po/vi.po
+index 4e7c1ec..d199c43 100644
+--- a/src/po/vi.po
++++ b/src/po/vi.po
+@@ -5230,3 +5230,6 @@ msgstr "E449: Nhận được một biểu thức không cho phép"
+ 
+ msgid "E463: Region is guarded, cannot modify"
+ msgstr "E463: Không thể thay đổi vùng đã được bảo vệ"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/zh_CN.UTF-8.po b/src/po/zh_CN.UTF-8.po
+index e604188..f3c0063 100644
+--- a/src/po/zh_CN.UTF-8.po
++++ b/src/po/zh_CN.UTF-8.po
+@@ -9823,3 +9823,6 @@ msgstr "MzScheme 动æ€<C3A6>库的å<E2809E><C3A5>å­—"
+ 
+ msgid "name of the MzScheme GC dynamic library"
+ msgstr "MzScheme GC 动æ€<C3A6>库的å<E2809E><C3A5>å­—"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/zh_CN.cp936.po b/src/po/zh_CN.cp936.po
+index ef3dfa8..2dd40fb 100644
+--- a/src/po/zh_CN.cp936.po
++++ b/src/po/zh_CN.cp936.po
+@@ -9823,3 +9823,6 @@ msgstr "MzScheme 
+ 
+ msgid "name of the MzScheme GC dynamic library"
+ msgstr "MzScheme GC ¶¯Ì¬¿âµÄÃû×Ö"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/zh_CN.po b/src/po/zh_CN.po
+index 4e34616..d73a4bd 100644
+--- a/src/po/zh_CN.po
++++ b/src/po/zh_CN.po
+@@ -9823,3 +9823,6 @@ msgstr "MzScheme 
+ 
+ msgid "name of the MzScheme GC dynamic library"
+ msgstr "MzScheme GC ¶¯Ì¬¿âµÄÃû×Ö"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/zh_TW.UTF-8.po b/src/po/zh_TW.UTF-8.po
+index 4582cd9..6eb305e 100644
+--- a/src/po/zh_TW.UTF-8.po
++++ b/src/po/zh_TW.UTF-8.po
+@@ -5307,3 +5307,6 @@ msgstr "E463: å<>€åŸŸè¢«ä¿<C3A4>護，無法修改"
+ 
+ #~ msgid "Retrieve next symbol"
+ #~ msgstr "讀å<E282AC>–: 從下個 symbol"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+diff --git a/src/po/zh_TW.po b/src/po/zh_TW.po
+index 2cedfd4..131cd20 100644
+--- a/src/po/zh_TW.po
++++ b/src/po/zh_TW.po
+@@ -5307,3 +5307,6 @@ msgstr "E463: 
+ 
+ #~ msgid "Retrieve next symbol"
+ #~ msgstr "Ū¨ú: ±q¤U­Ó symbol"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""

0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch

@@ -0,0 +1,39 @@
+diff -up vim91/runtime/autoload/netrw.vim.validateportnum vim91/runtime/autoload/netrw.vim
+--- vim91/runtime/autoload/netrw.vim.validateportnum	2026-03-17 19:35:34.062575124 +0100
++++ vim91/runtime/autoload/netrw.vim	2026-03-17 19:39:39.005999509 +0100
+@@ -3376,7 +3376,8 @@ endif
+ 
+ " s:NetrwValidateHostname:  Validate that the hostname is valid {{{2
+ " Input:
+-"   hostname, may include an optional username, e.g. user@hostname
++"   hostname, may include an optional username and port number, e.g.
++"       user@hostname:port
+ "   allow a alphanumeric hostname or an IPv(4/6) address
+ " Output:
+ "  true if g:netrw_machine is valid according to RFC1123 #Section 2
+@@ -3385,17 +3386,19 @@ fun! s:NetrwValidateHostname(hostname)
+   let user_pat = '\%([a-zA-Z0-9._-]\+@\)\?'
+   " Hostname: 1-64 chars, alphanumeric/dots/hyphens.
+   " No underscores. No leading/trailing dots/hyphens.
+-  let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]{,62}[a-zA-Z0-9]\)\?$'
++  let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]\{0,62}[a-zA-Z0-9]\)\?'
++  " Port: 16 bit unsigned integer
++  let port_pat = '\%(:\d\{1,5\}\)\?$'
+ 
+   " IPv4: 1-3 digits separated by dots
+-  let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}$'
++  let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}'
+ 
+   " IPv6: Hex, colons, and optional brackets
+-  let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?$'
++  let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?'
+ 
+-  return a:hostname =~? '^'.user_pat.host_pat ||
+-       \ a:hostname =~? '^'.user_pat.ipv4_pat ||
+-       \ a:hostname =~? '^'.user_pat.ipv6_pat
++  return a:hostname =~? '^'.user_pat.host_pat.port_pat ||
++       \ a:hostname =~? '^'.user_pat.ipv4_pat.port_pat ||
++       \ a:hostname =~? '^'.user_pat.ipv6_pat.port_pat
+ endfun
+ 
+ " ---------------------------------------------------------------------

0001-patch-9.2.0202-security-command-injection-via-newlin.patch

@@ -0,0 +1,40 @@
+From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001
+From: pyllyukko <pyllyukko@maimed.org>
+Date: Thu, 19 Mar 2026 19:58:05 +0000
+Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in
+ glob()
+
+Problem:  The glob() function on Unix-like systems does not escape
+          newline characters when expanding wildcards. A maliciously
+          crafted string containing '\n' can be used as a command
+          separator to execute arbitrary shell commands via
+          mch_expand_wildcards(). This depends on the user's 'shell'
+          setting.
+Solution: Add the newline character ('\n') to the SHELL_SPECIAL
+          definition to ensure it is properly escaped before being
+          passed to the shell (pyllyukko).
+
+closes: #19746
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
+
+Signed-off-by: pyllyukko <pyllyukko@maimed.org>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/os_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/os_unix.c b/src/os_unix.c
+index 03f7649090c96..91bfd63d0dcb2 100644
+--- a/src/os_unix.c
++++ b/src/os_unix.c
+@@ -6772,7 +6772,7 @@ mch_expand_wildcards(
+ # define SEEK_END 2
+ #endif
+
+-#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|"
++#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n"
+
+     int
+ mch_expand_wildcards(

0001-runtime-netrw-upstream-snapshot-of-v179.patch

@@ -0,0 +1,65 @@
+diff -up vim91/runtime/autoload/netrw.vim.validatehostname vim91/runtime/autoload/netrw.vim
+--- vim91/runtime/autoload/netrw.vim.validatehostname	2024-02-09 06:33:54.000000000 +0100
++++ vim91/runtime/autoload/netrw.vim	2026-03-17 19:16:22.210561235 +0100
+@@ -1453,6 +1453,10 @@ fun! netrw#Obtain(islocal,fname,...)
+     call s:SetupNetrwStatusLine('%f %h%m%r%=%9*Obtaining '.a:fname)
+    endif
+    call s:NetrwMethod(b:netrw_curdir)
++   if !s:NetrwValidateHostname(g:netrw_machine)
++       call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107)
++       return
++   endif
+ 
+    if b:netrw_method == 4
+     " obtain file using scp
+@@ -2143,6 +2147,10 @@ fun! netrw#NetRead(mode,...)
+ "    call Dret("netrw#NetRead : unsupported method")
+     return
+    endif
++   if !s:NetrwValidateHostname(g:netrw_machine)
++       call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107)
++       return
++   endif
+    let tmpfile= s:GetTempfile(b:netrw_fname) " apply correct suffix
+ 
+    " Check whether or not NetrwBrowse() should be handling this request
+@@ -2565,6 +2573,10 @@ fun! netrw#NetWrite(...) range
+ "    call Dfunc("netrw#NetWrite : unsupported method")
+     return
+    endif
++   if !s:NetrwValidateHostname(g:netrw_machine)
++       call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107)
++       return
++   endif
+ 
+    " =============
+    " NetWrite: Perform Protocol-Based Write {{{3
+@@ -3362,6 +3374,17 @@ if has("win95") && exists("g:netrw_win95
+  endfun
+ endif
+ 
++" s:NetrwValidateHostname:  Validate that the hostname is valid {{{2
++" Input:
++"   hostname
++" Output:
++"  true if g:netrw_machine is valid according to RFC1123 #Section 2
++fun! s:NetrwValidateHostname(hostname)
++    " RFC1123#section-2 mandates, a valid hostname starts with letters or digits
++    " so reject everyhing else
++    return a:hostname =~? '^[a-z0-9]'
++endfun
++
+ " ---------------------------------------------------------------------
+ " NetUserPass: set username and password for subsequent ftp transfer {{{2
+ "   Usage:  :call NetUserPass()		               -- will prompt for userid and password
+@@ -8842,6 +8865,10 @@ fun! s:NetrwUpload(fname,tgt,...)
+ 
+    elseif a:tgt =~ '^ftp:'
+     call s:NetrwMethod(a:tgt)
++    if !s:NetrwValidateHostname(g:netrw_machine)
++        call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107)
++        return
++    endif
+ 
+     if b:netrw_method == 2
+      " handle uploading a list of files via ftp+.netrc

vim.spec

@@ -51,7 +51,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 6%{?dist}.1
+Release: 6%{?dist}.3
 Epoch: 2
 # swift.vim contains Apache 2.0 with runtime library exception:
 # which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
@@ -115,6 +115,19 @@ Patch3009: 0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch
 # 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
 Patch3010: 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
 Patch3011: 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
+# CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin
+# 3 patches:
+# 0001-runtime-netrw-upstream-snapshot-of-v179.patch - introduces NetrwValidateHostname
+# 0001-patch-9.2.0073-security-possible-command-injection-u.patch - CVE patch which sanitizes hostnames
+# and reports invalid characters in SSH commands
+# 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch - include portnumber in hostname checking
+Patch3012: 0001-runtime-netrw-upstream-snapshot-of-v179.patch
+Patch3013: 0001-patch-9.2.0073-security-possible-command-injection-u.patch
+Patch3014: 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch
+# CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
+Patch3015: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
+# RHEL-159615 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
+Patch3016: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch
 
 
 # uses autoconf in spec file
@@ -444,6 +457,11 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3009 -p1 -b .tar-cve
 %patch -P 3010 -p1 -b .tag-overflow
 %patch -P 3011 -p1 -b .tag-overflow2
+%patch -P 3012 -p1 -b .validatehostname
+%patch -P 3013 -p1 -b .CVE-2026-28417
+%patch -P 3014 -p1 -b .validateportnum
+%patch -P 3015 -p1 -b .CVE-2026-28421
+%patch -P 3016 -p1 -b .CVE-2026-33412
 
 %build
 cd src
@@ -1079,6 +1097,15 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 
 
 %changelog
+* Wed Mar 27 2026 Petr Dancak <pdancak@redhat.com> - 2:9.1.083-6.3
+- RHEL-159615 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
+
+* Wed Mar 25 2026 Petr Dancak <pdancak@redhat.com> - 2:9.1.083-6.2
+- RHEL-155409 CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
+
+* Wed Mar 25 2026 Petr Dancak <pdancak@redhat.com> - 2:9.1.083-6.2
+- RHEL-155425 CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin
+
 * Wed Feb 25 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-6.1
 - RHEL-147922 CVE-2026-25749 vim: Heap Overflow in Vim