Resolves: RHEL-159617 vim: Vim: Arbitrary code execution via command injection in glob() function

0001-patch-9.2.0202-security-command-injection-via-newlin.patch

@@ -0,0 +1,40 @@
+From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001
+From: pyllyukko <pyllyukko@maimed.org>
+Date: Thu, 19 Mar 2026 19:58:05 +0000
+Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in
+ glob()
+
+Problem:  The glob() function on Unix-like systems does not escape
+          newline characters when expanding wildcards. A maliciously
+          crafted string containing '\n' can be used as a command
+          separator to execute arbitrary shell commands via
+          mch_expand_wildcards(). This depends on the user's 'shell'
+          setting.
+Solution: Add the newline character ('\n') to the SHELL_SPECIAL
+          definition to ensure it is properly escaped before being
+          passed to the shell (pyllyukko).
+
+closes: #19746
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
+
+Signed-off-by: pyllyukko <pyllyukko@maimed.org>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/os_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/os_unix.c b/src/os_unix.c
+index 03f7649090c96..91bfd63d0dcb2 100644
+--- a/src/os_unix.c
++++ b/src/os_unix.c
+@@ -6772,7 +6772,7 @@ mch_expand_wildcards(
+ # define SEEK_END 2
+ #endif
+
+-#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|"
++#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n"
+
+     int
+ mch_expand_wildcards(

vim.spec

@@ -51,7 +51,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 9%{?dist}
+Release: 10%{?dist}
 Epoch: 2
 # swift.vim contains Apache 2.0 with runtime library exception:
 # which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
@@ -125,6 +125,10 @@ Patch3013: 0001-patch-9.2.0073-security-possible-command-injection-u.patch
 Patch3014: 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch
 # CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
 Patch3015: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
+# CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
+# RHEL: https://redhat.atlassian.net/browse/RHEL-159617
+# Upstream: https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
+Patch3016: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch
 
 
 # uses autoconf in spec file
@@ -458,6 +462,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3013 -p1 -b .CVE-2026-28417
 %patch -P 3014 -p1 -b .validateportnum
 %patch -P 3015 -p1 -b .CVE-2026-28421
+%patch -P 3016 -p1 -b .CVE-2026-33412
 
 %build
 cd src
@@ -1088,6 +1093,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 
 
 %changelog
+* Mon Apr 13 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-10
+- Resolves: RHEL-159617 vim: Vim: Arbitrary code execution via command injection
+  in glob() function
+
 * Wed Mar 18 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-9
 - RHEL-155410 CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file