Fix CVE-2026-46483: command injection in vim tar plugin
Backport upstream commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
to fix a command injection vulnerability (CVE-2026-46483) in
the vim tar plugin. The fix changes shellescape(tartail) to
shellescape(tartail, 1) in two places in the tar#Vimuntar()
function in runtime/autoload/tar.vim, ensuring proper shell
escaping when executing external commands via :! commands.
The patch was manually adapted for vim 8.0, omitting the
src/version.c hunk and the Vim9-based test file which are not
compatible with this version.
CVE: CVE-2026-46483
Upstream patches:
- 3fb5e58fbc.patch
Resolves: RHEL-178234
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir
This commit is contained in:
parent
ca75fea6d3
commit
158f6c1c71
@ -0,0 +1,37 @@
|
||||
From 448ae03067c85a48c9c73517fb9f7046be3ed200 Mon Sep 17 00:00:00 2001
|
||||
From: RHEL Packaging Agent <redhat-ymir-agent@redhat.com>
|
||||
Date: Wed, 3 Jun 2026 10:56:51 +0000
|
||||
Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection
|
||||
in tar plugin
|
||||
|
||||
Problem: [security]: runtime(tar): command injection in tar plugin
|
||||
(Christopher Lusk)
|
||||
Solution: Use the correct shellescape(args, 1) form for a :! command
|
||||
|
||||
Github Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
---
|
||||
runtime/autoload/tar.vim | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
|
||||
index e320b9a..b60e94a 100644
|
||||
--- a/runtime/autoload/tar.vim
|
||||
+++ b/runtime/autoload/tar.vim
|
||||
@@ -588,9 +588,9 @@ fun! tar#Vimuntar(...)
|
||||
" if necessary, decompress the tarball; then, extract it
|
||||
if tartail =~ '\.tgz'
|
||||
if executable("gunzip")
|
||||
- silent exe "!gunzip ".shellescape(tartail)
|
||||
+ silent exe "!gunzip ".shellescape(tartail, 1)
|
||||
elseif executable("gzip")
|
||||
- silent exe "!gzip -d ".shellescape(tartail)
|
||||
+ silent exe "!gzip -d ".shellescape(tartail, 1)
|
||||
else
|
||||
echoerr "unable to decompress<".tartail."> on this sytem"
|
||||
if simplify(curdir) != simplify(tarhome)
|
||||
--
|
||||
2.52.0
|
||||
|
||||
13
vim.spec
13
vim.spec
@ -24,7 +24,7 @@ Summary: The VIM editor
|
||||
URL: http://www.vim.org/
|
||||
Name: vim
|
||||
Version: %{baseversion}.%{patchlevel}
|
||||
Release: 24%{?dist}
|
||||
Release: 25%{?dist}
|
||||
License: Vim and MIT
|
||||
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
|
||||
Source1: vim.sh
|
||||
@ -166,6 +166,12 @@ Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
|
||||
# https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb
|
||||
Patch3058: 0001-patch-9.2.0357-security-command-injection-via-backti.patch
|
||||
|
||||
# RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via shellescape
|
||||
# https://redhat.atlassian.net/browse/RHEL-178234
|
||||
# https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
|
||||
# Omitted src/version.c hunk and test file (Vim9 script not available in vim 8.0)
|
||||
Patch3059: 0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
|
||||
@ -404,6 +410,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
||||
%patch -P 3056 -p1 -b .zip-abs-write
|
||||
%patch -P 3057 -p1 -b .zip-abs-extract
|
||||
%patch -P 3058 -p1 -b .tag-backtick-inject
|
||||
%patch -P 3059 -p1 -b .tar-shellescape-fix
|
||||
|
||||
%build
|
||||
%if 0%{?rhel} > 7
|
||||
@ -922,6 +929,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
||||
%{_datadir}/icons/locolor/*/apps/*
|
||||
|
||||
%changelog
|
||||
* Wed Jun 03 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 2:8.0.1763-24.1
|
||||
- RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via
|
||||
shellescape
|
||||
|
||||
* Thu May 21 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-24
|
||||
- CVE-2026-41411 vim: Command injection via backticks in tag files
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user