diff --git a/0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch b/0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch new file mode 100644 index 00000000..1cf1117b --- /dev/null +++ b/0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch @@ -0,0 +1,37 @@ +From 448ae03067c85a48c9c73517fb9f7046be3ed200 Mon Sep 17 00:00:00 2001 +From: RHEL Packaging Agent +Date: Wed, 3 Jun 2026 10:56:51 +0000 +Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection + in tar plugin + +Problem: [security]: runtime(tar): command injection in tar plugin + (Christopher Lusk) +Solution: Use the correct shellescape(args, 1) form for a :! command + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w + +Signed-off-by: Christian Brabandt +--- + runtime/autoload/tar.vim | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim +index e320b9a..b60e94a 100644 +--- a/runtime/autoload/tar.vim ++++ b/runtime/autoload/tar.vim +@@ -588,9 +588,9 @@ fun! tar#Vimuntar(...) + " if necessary, decompress the tarball; then, extract it + if tartail =~ '\.tgz' + if executable("gunzip") +- silent exe "!gunzip ".shellescape(tartail) ++ silent exe "!gunzip ".shellescape(tartail, 1) + elseif executable("gzip") +- silent exe "!gzip -d ".shellescape(tartail) ++ silent exe "!gzip -d ".shellescape(tartail, 1) + else + echoerr "unable to decompress<".tartail."> on this sytem" + if simplify(curdir) != simplify(tarhome) +-- +2.52.0 + diff --git a/vim.spec b/vim.spec index 28566adb..bc93740d 100644 --- a/vim.spec +++ b/vim.spec @@ -24,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 24%{?dist} +Release: 25%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -166,6 +166,12 @@ Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch # https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb Patch3058: 0001-patch-9.2.0357-security-command-injection-via-backti.patch +# RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via shellescape +# https://redhat.atlassian.net/browse/RHEL-178234 +# https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 +# Omitted src/version.c hunk and test file (Vim9 script not available in vim 8.0) +Patch3059: 0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch + # gcc is no longer in buildroot by default BuildRequires: gcc @@ -404,6 +410,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3056 -p1 -b .zip-abs-write %patch -P 3057 -p1 -b .zip-abs-extract %patch -P 3058 -p1 -b .tag-backtick-inject +%patch -P 3059 -p1 -b .tar-shellescape-fix %build %if 0%{?rhel} > 7 @@ -922,6 +929,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Wed Jun 03 2026 RHEL Packaging Agent - 2:8.0.1763-24.1 +- RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via + shellescape + * Thu May 21 2026 Zdenek Dohnal - 2:8.0.1763-24 - CVE-2026-41411 vim: Command injection via backticks in tag files