From 158f6c1c7173ae02c82b0f388085ad6f9e8bf5e1 Mon Sep 17 00:00:00 2001 From: RHEL Packaging Agent Date: Wed, 3 Jun 2026 11:05:34 +0000 Subject: [PATCH] Fix CVE-2026-46483: command injection in vim tar plugin Backport upstream commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 to fix a command injection vulnerability (CVE-2026-46483) in the vim tar plugin. The fix changes shellescape(tartail) to shellescape(tartail, 1) in two places in the tar#Vimuntar() function in runtime/autoload/tar.vim, ensuring proper shell escaping when executing external commands via :! commands. The patch was manually adapted for vim 8.0, omitting the src/version.c hunk and the Vim9-based test file which are not compatible with this version. CVE: CVE-2026-46483 Upstream patches: - https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1.patch Resolves: RHEL-178234 This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent. Assisted-by: Ymir --- ...security-runtime-tar-command-injecti.patch | 37 +++++++++++++++++++ vim.spec | 13 ++++++- 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch diff --git a/0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch b/0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch new file mode 100644 index 00000000..1cf1117b --- /dev/null +++ b/0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch @@ -0,0 +1,37 @@ +From 448ae03067c85a48c9c73517fb9f7046be3ed200 Mon Sep 17 00:00:00 2001 +From: RHEL Packaging Agent +Date: Wed, 3 Jun 2026 10:56:51 +0000 +Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection + in tar plugin + +Problem: [security]: runtime(tar): command injection in tar plugin + (Christopher Lusk) +Solution: Use the correct shellescape(args, 1) form for a :! command + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w + +Signed-off-by: Christian Brabandt +--- + runtime/autoload/tar.vim | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim +index e320b9a..b60e94a 100644 +--- a/runtime/autoload/tar.vim ++++ b/runtime/autoload/tar.vim +@@ -588,9 +588,9 @@ fun! tar#Vimuntar(...) + " if necessary, decompress the tarball; then, extract it + if tartail =~ '\.tgz' + if executable("gunzip") +- silent exe "!gunzip ".shellescape(tartail) ++ silent exe "!gunzip ".shellescape(tartail, 1) + elseif executable("gzip") +- silent exe "!gzip -d ".shellescape(tartail) ++ silent exe "!gzip -d ".shellescape(tartail, 1) + else + echoerr "unable to decompress<".tartail."> on this sytem" + if simplify(curdir) != simplify(tarhome) +-- +2.52.0 + diff --git a/vim.spec b/vim.spec index 28566adb..bc93740d 100644 --- a/vim.spec +++ b/vim.spec @@ -24,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 24%{?dist} +Release: 25%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -166,6 +166,12 @@ Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch # https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb Patch3058: 0001-patch-9.2.0357-security-command-injection-via-backti.patch +# RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via shellescape +# https://redhat.atlassian.net/browse/RHEL-178234 +# https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 +# Omitted src/version.c hunk and test file (Vim9 script not available in vim 8.0) +Patch3059: 0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch + # gcc is no longer in buildroot by default BuildRequires: gcc @@ -404,6 +410,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3056 -p1 -b .zip-abs-write %patch -P 3057 -p1 -b .zip-abs-extract %patch -P 3058 -p1 -b .tag-backtick-inject +%patch -P 3059 -p1 -b .tar-shellescape-fix %build %if 0%{?rhel} > 7 @@ -922,6 +929,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Wed Jun 03 2026 RHEL Packaging Agent - 2:8.0.1763-24.1 +- RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via + shellescape + * Thu May 21 2026 Zdenek Dohnal - 2:8.0.1763-24 - CVE-2026-41411 vim: Command injection via backticks in tag files