RHEL-147941 CVE-2026-25749 vim: Heap Overflow in Vim

Resolves: RHEL-147941
2026-02-10 18:15:24 +01:00 · 2026-02-10 18:15:24 +01:00 · 134732a8be
commit 134732a8be
parent a87691e37b
3 changed files with 105 additions and 1 deletions
--- a/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
+++ b/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
@ -0,0 +1,42 @@
+diff --git a/src/structs.h b/src/structs.h
+index 75ad127..d6763ab 100644
+--- a/src/structs.h
+++ b/src/structs.h
+@@ -4422,3 +4422,6 @@ typedef struct {
+     char    wt_variable;    // "variable" when TRUE, "argument" otherwise
+ } where_T;
+ 
+// Return the length of a string literal
+#define STRLEN_LITERAL(s) (sizeof(s) - 1)
+
+diff --git a/src/tag.c b/src/tag.c
+index 37ed66c..c305f25 100644
+--- a/src/tag.c
+++ b/src/tag.c
+@@ -2912,7 +2912,7 @@ get_tagfname(
+ 	    if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
+ 		return FAIL;
+ 	    ++tnp->tn_hf_idx;
+-	    STRCPY(buf, p_hf);
+	    vim_strncpy(buf, p_hf, MAXPATHL - 1);
+ 	    STRCPY(gettail(buf), "tags");
+ #ifdef BACKSLASH_IN_FILENAME
+ 	    slash_adjust(buf);
+diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
+index c8ff5b8..6a45194 100644
+--- a/src/testdir/test_help.vim
+++ b/src/testdir/test_help.vim
+@@ -131,5 +131,13 @@ func Test_help_long_argument()
+   endtry
+ endfunc
+ 
+" This caused a buffer overflow
+func Test_helpfile_overflow()
+  let _helpfile = &helpfile
+  let &helpfile = repeat('A', 5000)
+  help
+  helpclose
+  let &helpfile = _helpfile
+endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
+++ b/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
@ -0,0 +1,52 @@
+From 21d591fb12b08b52d92253bf9ac4b866475d62d6 Mon Sep 17 00:00:00 2001
+From: zeertzjq <zeertzjq@outlook.com>
+Date: Fri, 6 Feb 2026 09:37:58 +0000
+Subject: [PATCH] patch 9.1.2133: Another case of buffer overflow with
+ 'helpfile'
+
+Problem:  Another case of buffer overflow with 'helpfile'.
+Solution: Leave room for "tags" in the buffer (zeertzjq).
+
+closes: #19340
+
+Signed-off-by: zeertzjq <zeertzjq@outlook.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/doc/version9.txt  | 6 +++++-
+ src/tag.c                 | 2 +-
+ src/testdir/test_help.vim | 5 +++++
+ src/version.c             | 2 ++
+ 4 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/tag.c b/src/tag.c
+index 78e7c80a1..6968aac27 100644
+--- a/src/tag.c
+++ b/src/tag.c
+@@ -3347,7 +3347,7 @@ get_tagfname(
+ 	    if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
+ 		return FAIL;
+ 	    ++tnp->tn_hf_idx;
+-	    vim_strncpy(buf, p_hf, MAXPATHL - 1);
+	    vim_strncpy(buf, p_hf, MAXPATHL - STRLEN_LITERAL("tags") - 1);
+ 	    STRCPY(gettail(buf), "tags");
+ #ifdef BACKSLASH_IN_FILENAME
+ 	    slash_adjust(buf);
+diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
+index d30ef17b0..1a52998f9 100644
+--- a/src/testdir/test_help.vim
+++ b/src/testdir/test_help.vim
+@@ -281,6 +281,11 @@ func Test_helpfile_overflow()
+   let &helpfile = repeat('A', 5000)
+   help
+   helpclose
+  for i in range(4089, 4096)
+    let &helpfile = repeat('A', i) .. '/A'
+    help
+    helpclose
+  endfor
+   let &helpfile = _helpfile
+ endfunc
+ 
+-- 
+2.53.0
+
--- a/vim.spec
+++ b/vim.spec
@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@ -150,6 +150,11 @@ Patch3055: vim-CVE-2023-4752.patch
 Patch3056: 0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch
 # RHEL-112009 CVE-2025-53906 vim: Vim path traversal
 Patch3057: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
+# RHEL-147941 CVE-2026-25749 vim: Heap Overflow in Vim
+# 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
+# 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
+Patch3058: 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
+Patch3059: 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch


 # gcc is no longer in buildroot by default
@ -395,6 +400,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3055 -p1 -b .CVE-2023-4752
 %patch -P 3056 -p1 -b .CVE-2025-53905
 %patch -P 3057 -p1 -b .CVE-2025-53906
+%patch -P 3058 -p1 -b .tag-overflow
+%patch -P 3059 -p1 -b .tag-overflow2

 %build
 cd src
@ -947,6 +954,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif

 %changelog
+* Tue Feb 10 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-25
+- RHEL-147941 CVE-2026-25749 vim: Heap Overflow in Vim
+
 * Mon Feb 02 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-24
 - RHEL-143726 sudo not able to spawn "vi" command when NOEXEC is used to prevent escaping to shell