From 11866d958ec7868598ee8adaaf2527449abfd33b Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Mon, 13 Apr 2026 18:27:43 +0200 Subject: [PATCH] Resolves: RHEL-159631 vim: Vim: Arbitrary code execution via command injection in glob() function --- ...ecurity-command-injection-via-newlin.patch | 40 +++++++++++++++++++ vim.spec | 11 ++++- 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 0001-patch-9.2.0202-security-command-injection-via-newlin.patch diff --git a/0001-patch-9.2.0202-security-command-injection-via-newlin.patch b/0001-patch-9.2.0202-security-command-injection-via-newlin.patch new file mode 100644 index 00000000..b9900642 --- /dev/null +++ b/0001-patch-9.2.0202-security-command-injection-via-newlin.patch @@ -0,0 +1,40 @@ +From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001 +From: pyllyukko +Date: Thu, 19 Mar 2026 19:58:05 +0000 +Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in + glob() + +Problem: The glob() function on Unix-like systems does not escape + newline characters when expanding wildcards. A maliciously + crafted string containing '\n' can be used as a command + separator to execute arbitrary shell commands via + mch_expand_wildcards(). This depends on the user's 'shell' + setting. +Solution: Add the newline character ('\n') to the SHELL_SPECIAL + definition to ensure it is properly escaped before being + passed to the shell (pyllyukko). + +closes: #19746 + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c + +Signed-off-by: pyllyukko +Signed-off-by: Christian Brabandt +--- + src/os_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/os_unix.c b/src/os_unix.c +index 03f7649090c96..91bfd63d0dcb2 100644 +--- a/src/os_unix.c ++++ b/src/os_unix.c +@@ -6772,7 +6772,7 @@ mch_expand_wildcards( + # define SEEK_END 2 + #endif + +-#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|" ++#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n" + + int + mch_expand_wildcards( diff --git a/vim.spec b/vim.spec index 79394fb1..7675110d 100644 --- a/vim.spec +++ b/vim.spec @@ -27,7 +27,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 27%{?dist} +Release: 28%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: virc @@ -171,6 +171,10 @@ Patch3062: 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch # untrusted swap file before passing it to read and allocation functions Patch3063: 0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch Patch3064: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch +# CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function +# RHEL: https://redhat.atlassian.net/browse/RHEL-159631 +# Upstream: https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a +Patch3065: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch # gcc is no longer in buildroot by default @@ -423,6 +427,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3062 -p1 -b .validateportnum %patch -P 3063 -p1 -b .check-page-count %patch -P 3064 -p1 -b .CVE-2026-28421 +%patch -P 3065 -p1 -b .CVE-2026-33412 %build cd src @@ -975,6 +980,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %endif %changelog +* Mon Apr 13 2026 Zdenek Dohnal - 2:8.2.2637-28 +- Resolves: RHEL-159631 vim: Vim: Arbitrary code execution via command injection + in glob() function + * Fri Mar 27 2026 Zdenek Dohnal - 2:8.2.2637-27 - remove -O0 from FLAGS