Resolves: RHEL-159631 vim: Vim: Arbitrary code execution via command injection in glob() function

0001-patch-9.2.0202-security-command-injection-via-newlin.patch

@@ -0,0 +1,40 @@
+From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001
+From: pyllyukko <pyllyukko@maimed.org>
+Date: Thu, 19 Mar 2026 19:58:05 +0000
+Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in
+ glob()
+
+Problem:  The glob() function on Unix-like systems does not escape
+          newline characters when expanding wildcards. A maliciously
+          crafted string containing '\n' can be used as a command
+          separator to execute arbitrary shell commands via
+          mch_expand_wildcards(). This depends on the user's 'shell'
+          setting.
+Solution: Add the newline character ('\n') to the SHELL_SPECIAL
+          definition to ensure it is properly escaped before being
+          passed to the shell (pyllyukko).
+
+closes: #19746
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
+
+Signed-off-by: pyllyukko <pyllyukko@maimed.org>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/os_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/os_unix.c b/src/os_unix.c
+index 03f7649090c96..91bfd63d0dcb2 100644
+--- a/src/os_unix.c
++++ b/src/os_unix.c
+@@ -6772,7 +6772,7 @@ mch_expand_wildcards(
+ # define SEEK_END 2
+ #endif
+
+-#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|"
++#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n"
+
+     int
+ mch_expand_wildcards(

vim.spec

@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -171,6 +171,10 @@ Patch3062: 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch
 # untrusted swap file before passing it to read and allocation functions
 Patch3063: 0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch
 Patch3064: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
+# CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
+# RHEL: https://redhat.atlassian.net/browse/RHEL-159631
+# Upstream: https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
+Patch3065: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch
 
 
 # gcc is no longer in buildroot by default
@@ -423,6 +427,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3062 -p1 -b .validateportnum
 %patch -P 3063 -p1 -b .check-page-count
 %patch -P 3064 -p1 -b .CVE-2026-28421
+%patch -P 3065 -p1 -b .CVE-2026-33412
 
 %build
 cd src
@@ -975,6 +980,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Mon Apr 13 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-28
+- Resolves: RHEL-159631 vim: Vim: Arbitrary code execution via command injection
+  in glob() function
+
 * Fri Mar 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-27
 - remove -O0 from FLAGS