RHEL-155412 CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file

Resolves: RHEL-155412

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch

@@ -0,0 +1,109 @@
+diff -up vim80/src/globals.h.check-page-count vim80/src/globals.h
+--- vim80/src/globals.h.check-page-count	2026-03-19 17:53:51.063638067 +0100
++++ vim80/src/globals.h	2026-03-19 17:56:16.144187736 +0100
+@@ -1584,6 +1584,7 @@
+ #endif
+ EXTERN char_u e_dirnotf[]	INIT(= N_("E919: Directory not found in '%s': \"%s\""));
+ EXTERN char_u e_au_recursive[]	INIT(= N_("E952: Autocommand caused recursive behavior"));
++EXTERN char_u e_warning_pointer_block_corrupted[] INIT(= N_("E1364: Warning: Pointer block corrupted"));
+ 
+ #ifdef FEAT_GUI_MAC
+ EXTERN short disallow_gui	INIT(= FALSE);
+diff -up vim80/src/memfile.c.check-page-count vim80/src/memfile.c
+--- vim80/src/memfile.c.check-page-count	2021-03-22 10:02:42.000000000 +0100
++++ vim80/src/memfile.c	2026-03-19 18:13:11.196323045 +0100
+@@ -432,7 +432,9 @@ mf_get(memfile_T *mfp, blocknr_T nr, int
+ 	 * If not, allocate a new block.
+ 	 */
+ 	hp = mf_release(mfp, page_count);
+-	if (hp == NULL && (hp = mf_alloc_bhdr(mfp, page_count)) == NULL)
++	if (hp == NULL && page_count > 0)
++	    hp = mf_alloc_bhdr(mfp, page_count);
++	if (hp == NULL)
+ 	    return NULL;
+ 
+ 	hp->bh_bnum = nr;
+@@ -813,8 +815,10 @@ mf_release(memfile_T *mfp, int page_coun
+      */
+     if (hp->bh_page_count != page_count)
+     {
+-	vim_free(hp->bh_data);
+-	if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL)
++	VIM_CLEAR(hp->bh_data);
++	if (page_count > 0)
++	    hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count);
++	if (hp->bh_data == NULL)
+ 	{
+ 	    vim_free(hp);
+ 	    return NULL;
+@@ -872,7 +876,7 @@ mf_release_all(void)
+ }
+ 
+ /*
+- * Allocate a block header and a block of memory for it
++ * Allocate a block header and a block of memory for it.
+  */
+     static bhdr_T *
+ mf_alloc_bhdr(memfile_T *mfp, int page_count)
+@@ -892,7 +896,7 @@ mf_alloc_bhdr(memfile_T *mfp, int page_c
+ }
+ 
+ /*
+- * Free a block header and the block of memory for it
++ * Free a block header and the block of memory for it.
+  */
+     static void
+ mf_free_bhdr(bhdr_T *hp)
+@@ -902,7 +906,7 @@ mf_free_bhdr(bhdr_T *hp)
+ }
+ 
+ /*
+- * insert entry *hp in the free list
++ * Insert entry *hp in the free list.
+  */
+     static void
+ mf_ins_free(memfile_T *mfp, bhdr_T *hp)
+diff -up vim80/src/memline.c.check-page-count vim80/src/memline.c
+--- vim80/src/memline.c.check-page-count	2021-03-22 10:02:42.000000000 +0100
++++ vim80/src/memline.c	2026-03-19 18:13:59.116720443 +0100
+@@ -96,6 +96,9 @@ struct pointer_block
+ 				 * followed by empty space until end of page */
+ };
+ 
++// Value for pb_count_max.
++#define PB_COUNT_MAX(mfp) (short_u)(((mfp)->mf_page_size - offsetof(PTR_BL, pb_pointer)) / sizeof(PTR_EN))
++
+ /*
+  * A data block is a leaf in the tree.
+  *
+@@ -1505,6 +1508,20 @@ ml_recover(int checkext)
+ 	    pp = (PTR_BL *)(hp->bh_data);
+ 	    if (pp->pb_id == PTR_ID)		/* it is a pointer block */
+ 	    {
++		int ptr_block_error = FALSE;
++		if (pp->pb_count_max != PB_COUNT_MAX(mfp))
++		{
++		    ptr_block_error = TRUE;
++		    pp->pb_count_max = PB_COUNT_MAX(mfp);
++		}
++		if (pp->pb_count > pp->pb_count_max)
++		{
++		    ptr_block_error = TRUE;
++		    pp->pb_count = pp->pb_count_max;
++		}
++		if (ptr_block_error)
++		    EMSG(_(e_warning_pointer_block_corrupted));
++
+ 		/* check line count when using pointer block first time */
+ 		if (idx == 0 && line_count != 0)
+ 		{
+@@ -4040,8 +4057,7 @@ ml_new_ptr(memfile_T *mfp)
+     pp = (PTR_BL *)(hp->bh_data);
+     pp->pb_id = PTR_ID;
+     pp->pb_count = 0;
+-    pp->pb_count_max = (short_u)((mfp->mf_page_size - sizeof(PTR_BL))
+-							/ sizeof(PTR_EN) + 1);
++    pp->pb_count_max = PB_COUNT_MAX(mfp);
+ 
+     return hp;
+ }

0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch

@@ -0,0 +1,397 @@
+diff -up vim80/src/memline.c.CVE-2026-28421 vim80/src/memline.c
+--- vim80/src/memline.c.CVE-2026-28421	2021-03-22 10:02:42.000000000 +0100
++++ vim80/src/memline.c	2026-03-19 10:42:50.113672743 +0100
+@@ -1536,8 +1536,12 @@ ml_recover(int checkext)
+ 			if (!cannot_open)
+ 			{
+ 			    line_count = pp->pb_pointer[idx].pe_line_count;
+-			    if (readfile(curbuf->b_ffname, NULL, lnum,
+-					pp->pb_pointer[idx].pe_old_lnum - 1,
++			    linenr_T pe_old_lnum = pp->pb_pointer[idx].pe_old_lnum;
++			    // Validate pe_line_count and pe_old_lnum from the
++			    // untrusted swap file before passing to readfile().
++			    if (line_count <= 0 || pe_old_lnum < 1 ||
++				    readfile(curbuf->b_ffname, NULL, lnum,
++					pe_old_lnum - 1,
+ 					line_count, NULL, 0) != OK)
+ 				cannot_open = TRUE;
+ 			    else
+@@ -1568,6 +1572,27 @@ ml_recover(int checkext)
+ 		    bnum = pp->pb_pointer[idx].pe_bnum;
+ 		    line_count = pp->pb_pointer[idx].pe_line_count;
+ 		    page_count = pp->pb_pointer[idx].pe_page_count;
++		    // Validate pe_bnum and pe_page_count from the untrusted
++		    // swap file before passing to mf_get(), which uses
++		    // page_count to calculate allocation size.  A bogus value
++		    // (e.g. 0x40000000) would cause a multi-GB allocation.
++		    // pe_page_count must be >= 1 and bnum + page_count must
++		    // not exceed the number of pages in the swap file.
++		    if (page_count < 1
++			    || bnum + page_count > mfp->mf_blocknr_max + 1)
++		    {
++			++error;
++			ml_append(lnum++,
++				(char_u *)_("???ILLEGAL BLOCK NUMBER"),
++				(colnr_T)0, TRUE);
++			// Skip this entry and pop back up the stack to keep
++			// recovering whatever else we can.
++			idx = ip->ip_index + 1;
++			bnum = ip->ip_bnum;
++			page_count = 1;
++			--buf->b_ml.ml_stack_top;
++			continue;
++		    }
+ 		    idx = 0;
+ 		    continue;
+ 		}
+--- vim80/src/po/af.po.CVE-2026-28421	2026-04-01 09:23:53.971493324 -0400
++++ vim80/src/po/af.po	2026-04-01 09:23:53.971493324 -0400
+@@ -5391,3 +5391,6 @@ msgstr "E463: Omgewing is onder bewaking
+ 
+ #~ msgid "WARNING: tag command changed a buffer!!!"
+ #~ msgstr "WAARSKUWING: etiketbevel het buffer verander!!!"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/ca.po.CVE-2026-28421	2026-04-01 09:23:53.976493324 -0400
++++ vim80/src/po/ca.po	2026-04-01 09:23:53.976493324 -0400
+@@ -6937,3 +6937,6 @@ msgid ""
+ msgstr ""
+ "Error en establir el path: sys.path no és una llista\n"
+ "Hauríeu d'afegir vim.VIM_SPECIAL_PATH a sys.path"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/cs.cp1250.po.CVE-2026-28421	2026-04-01 09:23:53.981493324 -0400
++++ vim80/src/po/cs.cp1250.po	2026-04-01 09:23:53.981493324 -0400
+@@ -4658,3 +4658,6 @@ msgstr "Nulový poèet"
+ 
+ msgid "E81: Using <SID> not in a script context"
+ msgstr "E81: Použití <SID> mimo kontext skriptu"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/cs.po.CVE-2026-28421	2026-04-01 09:23:53.986493324 -0400
++++ vim80/src/po/cs.po	2026-04-01 09:23:53.987493324 -0400
+@@ -4658,3 +4658,6 @@ msgstr "Nulový poèet"
+ 
+ msgid "E81: Using <SID> not in a script context"
+ msgstr "E81: Pou¾ití <SID> mimo kontext skriptu"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/de.po.CVE-2026-28421	2026-04-01 09:23:53.992493324 -0400
++++ vim80/src/po/de.po	2026-04-01 09:23:53.992493324 -0400
+@@ -7101,3 +7101,6 @@ msgid ""
+ msgstr ""
+ "Fehler beim setzen des Pfades: sys.path ist keine Liste\n"
+ "Fügen Sie vim.VIM_SPECIAL_PATH zu sys.path hinzu"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/en_GB.po.CVE-2026-28421	2026-04-01 09:23:53.998493324 -0400
++++ vim80/src/po/en_GB.po	2026-04-01 09:23:53.999493324 -0400
+@@ -765,3 +765,6 @@ msgid "can't delete OutputObject attribu
+ msgstr "cannot delete OutputObject attributes"
+ 
+ 
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/eo.po.CVE-2026-28421	2026-04-01 09:23:54.005493324 -0400
++++ vim80/src/po/eo.po	2026-04-01 09:23:54.005493324 -0400
+@@ -7024,3 +7024,6 @@ msgid ""
+ msgstr ""
+ "Agordo de serĉvojo malsukcesis: sys.path ne estas listo\n"
+ "Vi nun devas aldoni vim.VIM_SPECIAL_PATH al sys.path"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/es.po.CVE-2026-28421	2026-04-01 09:23:54.010493324 -0400
++++ vim80/src/po/es.po	2026-04-01 09:23:54.011493324 -0400
+@@ -8275,3 +8275,6 @@ msgstr "La búsqueda ha llegado al FINAL
+ 
+ #~ msgid "-V[N]\t\tVerbose level"
+ #~ msgstr "-V[N]\t\tNivel de verbosidad (traza de ejecución)"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/fi.po.CVE-2026-28421	2026-04-01 09:23:54.016493324 -0400
++++ vim80/src/po/fi.po	2026-04-01 09:23:54.016493324 -0400
+@@ -6991,3 +6991,6 @@ msgid ""
+ msgstr ""
+ "Ei onnistuttu asettaman polkua: sys.path ei ole list\n"
+ "Lisää vim.VIM_SPECIAL_PATH muuttujaan sys.path"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/fr.po.CVE-2026-28421	2026-04-01 09:23:54.021493324 -0400
++++ vim80/src/po/fr.po	2026-04-01 09:23:54.021493324 -0400
+@@ -7306,3 +7306,6 @@ msgid ""
+ msgstr ""
+ "Impossible d'initialiser le chemin : sys.math n'est pas une liste\n"
+ "Vous devez maintenant ajouter vim.VIM_SPECIAL_PATH à sys.path"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/ga.po.CVE-2026-28421	2026-04-01 09:23:54.026493324 -0400
++++ vim80/src/po/ga.po	2026-04-01 09:23:54.026493324 -0400
+@@ -7509,3 +7509,6 @@ msgstr ""
+ 
+ #~ msgid "E363: pattern caused out-of-stack error"
+ #~ msgstr "E363: ghin an patrún earráid as-an-chruach"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/it.po.CVE-2026-28421	2026-04-01 09:23:54.031493324 -0400
++++ vim80/src/po/it.po	2026-04-01 09:23:54.031493324 -0400
+@@ -7015,3 +7015,6 @@ msgstr ""
+ "Dovresti aggiungere vim.VIM_SPECIAL_PATH a sys.path"
+ 
+ 
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/ja.euc-jp.po.CVE-2026-28421	2026-04-01 09:23:54.036493324 -0400
++++ vim80/src/po/ja.euc-jp.po	2026-04-01 09:23:54.036493324 -0400
+@@ -7031,3 +7031,6 @@ msgid ""
+ msgstr ""
+ "¥Ñ¥¹¤ÎÀßÄê¤Ë¼ºÇÔ¤·¤Þ¤·¤¿: sys.path ¤¬¥ê¥¹¥È¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó\n"
+ "¤¹¤°¤Ë vim.VIM_SPECIAL_PATH ¤ò sys.path ¤ËÄɲ䷤Ƥ¯¤À¤µ¤¤"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/ja.po.CVE-2026-28421	2026-04-01 09:23:54.041493324 -0400
++++ vim80/src/po/ja.po	2026-04-01 09:23:54.041493324 -0400
+@@ -7031,3 +7031,6 @@ msgid ""
+ msgstr ""
+ "パスã<C2B9>®è¨­å®šã<C5A1>«å¤±æ•—ã<E28094>—ã<E28094>¾ã<C2BE>—ã<E28094>Ÿ: sys.path ã<>Œãƒªã‚¹ãƒˆã<CB86>§ã<C2A7>¯ã<C2AF>‚ã‚Šã<C5A0>¾ã<C2BE>›ã‚“\n"
+ "ã<>™ã<E284A2><C3A3>ã<EFBFBD>« vim.VIM_SPECIAL_PATH ã‚’ sys.path ã<>«è¿½åŠ ã<C2A0>—ã<E28094>¦ã<C2A6><C3A3>ã<EFBFBD> ã<C2A0>•ã<E280A2>„"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/ja.sjis.po.CVE-2026-28421	2026-04-01 09:23:54.046493324 -0400
++++ vim80/src/po/ja.sjis.po	2026-04-01 09:23:54.046493324 -0400
+@@ -7031,3 +7031,6 @@ msgid ""
+ msgstr ""
+ "ƒpƒX‚Ì<E2809A>Ý’è‚ÉŽ¸”s‚µ‚Ü‚µ‚½: sys.path ‚ªƒŠƒXƒg‚Å‚Í‚ ‚è‚Ü‚¹‚ñ\n"
+ "‚·‚®‚É vim.VIM_SPECIAL_PATH ‚ð sys.path ‚ɒljÁ‚µ‚Ä‚­‚¾‚³‚¢"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/ko.po.CVE-2026-28421	2026-04-01 09:23:54.051493324 -0400
++++ vim80/src/po/ko.po	2026-04-01 09:23:54.051493324 -0400
+@@ -6951,3 +6951,6 @@ msgstr "%sÀ»(¸¦) vim list·Î º¯°æÇÒ ¼ö ¾ø
+ #~ "Failed to set path: sys.path is not a list\n"
+ #~ "You should now append vim.VIM_SPECIAL_PATH to sys.path"
+ #~ msgstr ""
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/ko.UTF-8.po.CVE-2026-28421	2026-04-01 09:23:54.056493324 -0400
++++ vim80/src/po/ko.UTF-8.po	2026-04-01 09:23:54.056493324 -0400
+@@ -6951,3 +6951,6 @@ msgstr "%sì<73>„(를) vim listë¡œ 변경할
+ #~ "Failed to set path: sys.path is not a list\n"
+ #~ "You should now append vim.VIM_SPECIAL_PATH to sys.path"
+ #~ msgstr ""
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/lv.po.CVE-2026-28421	2026-04-01 09:23:54.061493324 -0400
++++ vim80/src/po/lv.po	2026-04-01 09:23:54.061493324 -0400
+@@ -280,3 +280,6 @@ msgstr "E442: Nevar sadalÄ«t kreiso augÅ
+ #, c-format
+ msgid "E447: Can't find file \"%s\" in path"
+ msgstr "E447: Failu \"%s\" ceļÄ<C2BC> nevar atrast"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/nb.po.CVE-2026-28421	2026-04-01 09:23:54.066493324 -0400
++++ vim80/src/po/nb.po	2026-04-01 09:23:54.066493324 -0400
+@@ -6164,3 +6164,6 @@ msgstr "Søket traff TOPPEN, fortsetter f
+ 
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "Søket traff BUNNEN, fortsetter fra TOPPEN"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/nl.po.CVE-2026-28421	2026-04-01 09:23:54.071493324 -0400
++++ vim80/src/po/nl.po	2026-04-01 09:23:54.071493324 -0400
+@@ -5850,3 +5850,6 @@ msgstr "zoeken bereikte TOP, verder vana
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "zoeken bereikte BODEM, verder vanaf TOP"
+ 
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/no.po.CVE-2026-28421	2026-04-01 09:23:54.076493324 -0400
++++ vim80/src/po/no.po	2026-04-01 09:23:54.076493324 -0400
+@@ -6164,3 +6164,6 @@ msgstr "Søket traff TOPPEN, fortsetter f
+ 
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "Søket traff BUNNEN, fortsetter fra TOPPEN"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/pl.cp1250.po.CVE-2026-28421	2026-04-01 09:23:54.081493324 -0400
++++ vim80/src/po/pl.cp1250.po	2026-04-01 09:23:54.081493324 -0400
+@@ -6903,3 +6903,6 @@ msgstr ""
+ 
+ #~ msgid "E569: maximum number of cscope connections reached"
+ #~ msgstr "E569: wyczerpano maksymaln¹ liczbê po³¹czeñ cscope"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/pl.po.CVE-2026-28421	2026-04-01 09:23:54.086493324 -0400
++++ vim80/src/po/pl.po	2026-04-01 09:23:54.086493324 -0400
+@@ -6903,3 +6903,6 @@ msgstr ""
+ 
+ #~ msgid "E569: maximum number of cscope connections reached"
+ #~ msgstr "E569: wyczerpano maksymaln± liczbê po³±czeñ cscope"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/pl.UTF-8.po.CVE-2026-28421	2026-04-01 09:23:54.091493324 -0400
++++ vim80/src/po/pl.UTF-8.po	2026-04-01 09:23:54.091493324 -0400
+@@ -6903,3 +6903,6 @@ msgstr ""
+ 
+ #~ msgid "E569: maximum number of cscope connections reached"
+ #~ msgstr "E569: wyczerpano maksymalną liczbę połączeń cscope"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/pt_BR.po.CVE-2026-28421	2026-04-01 09:23:54.096493324 -0400
++++ vim80/src/po/pt_BR.po	2026-04-01 09:23:54.096493324 -0400
+@@ -7013,3 +7013,6 @@ msgid ""
+ msgstr ""
+ "Falha ao definir path: sys.path não é uma lista\n"
+ "Você deve adicionar vim.VIM_SPECIAL_PATH ao sys.path"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/ru.cp1251.po.CVE-2026-28421	2026-04-01 09:23:54.101493324 -0400
++++ vim80/src/po/ru.cp1251.po	2026-04-01 09:23:54.101493324 -0400
+@@ -6932,3 +6932,6 @@ msgstr ""
+ "Îøèáêà ïðè óñòàíîâêå ïóòè: sys.path íå ÿâëÿåòñÿ ñïèñêîì\n"
+ "Ñëåäóåò äîáàâèòü vim.VIM_SPECIAL_PATH â sys.path"
+ 
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/ru.po.CVE-2026-28421	2026-04-01 09:23:54.106493324 -0400
++++ vim80/src/po/ru.po	2026-04-01 09:23:54.106493324 -0400
+@@ -6932,3 +6932,6 @@ msgstr ""
+ "Ошибка при уÑ<C692>тановке пути: sys.path не Ñ<>влÑ<C2BB>етÑ<E2809A>Ñ<EFBFBD> Ñ<>пиÑ<C2B8>ком\n"
+ "Следует добавить vim.VIM_SPECIAL_PATH в sys.path"
+ 
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/sk.cp1250.po.CVE-2026-28421	2026-04-01 09:23:54.111493324 -0400
++++ vim80/src/po/sk.cp1250.po	2026-04-01 09:23:54.111493324 -0400
+@@ -5820,3 +5820,6 @@ msgstr "h¾adanie dosiahlo zaèiatok, pokr
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "h¾adanie dosiahlo koniec, pokraèovanie od zaèiatku"
+ 
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/sk.po.CVE-2026-28421	2026-04-01 09:23:54.116493324 -0400
++++ vim80/src/po/sk.po	2026-04-01 09:23:54.116493324 -0400
+@@ -5820,3 +5820,6 @@ msgstr "hµadanie dosiahlo zaèiatok, pokr
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "hµadanie dosiahlo koniec, pokraèovanie od zaèiatku"
+ 
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/sr.po.CVE-2026-28421	2026-04-01 09:23:54.121493324 -0400
++++ vim80/src/po/sr.po	2026-04-01 09:23:54.122493324 -0400
+@@ -6916,3 +6916,6 @@ msgid ""
+ msgstr ""
+ "Путања није могла да Ñ<>е поÑ<C2BE>тави: sys.path није у лиÑ<C2B8>ти\n"
+ "Сада би требало да додате vim.VIM_SPECIAL_PATH на крај sys.path"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/sv.po.CVE-2026-28421	2026-04-01 09:23:54.127493324 -0400
++++ vim80/src/po/sv.po	2026-04-01 09:23:54.127493324 -0400
+@@ -6146,3 +6146,6 @@ msgstr "sökning nådde TOPPEN, fortsätter
+ 
+ msgid "search hit BOTTOM, continuing at TOP"
+ msgstr "sökning nådde BOTTEN, forsätter vid TOPPEN"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/uk.cp1251.po.CVE-2026-28421	2026-04-01 09:23:54.132493324 -0400
++++ vim80/src/po/uk.cp1251.po	2026-04-01 09:23:54.132493324 -0400
+@@ -7272,3 +7272,6 @@ msgid ""
+ msgstr ""
+ "Íå âäàëîñÿ âñòàíîâèòè øëÿõ: sys.path íå ñïèñîê\n"
+ "Âàñ ñë³ä äîäàòè vim.VIM_SPECIAL_PATH äî sys.path"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/uk.po.CVE-2026-28421	2026-04-01 09:23:54.137493324 -0400
++++ vim80/src/po/uk.po	2026-04-01 09:23:54.137493324 -0400
+@@ -7272,3 +7272,6 @@ msgid ""
+ msgstr ""
+ "Ð<>е вдалоÑ<C2BE>Ñ<EFBFBD> вÑ<C2B2>тановити шлÑ<C2BB>Ñ…: sys.path не Ñ<>пиÑ<C2B8>ок\n"
+ "ВаÑ<C2B0> Ñ<>лід додати vim.VIM_SPECIAL_PATH до sys.path"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/vi.po.CVE-2026-28421	2026-04-01 09:23:54.142493324 -0400
++++ vim80/src/po/vi.po	2026-04-01 09:23:54.142493324 -0400
+@@ -5194,3 +5194,6 @@ msgstr "E449: Nhận được má»™t biá»
+ 
+ msgid "E463: Region is guarded, cannot modify"
+ msgstr "E463: Không thể thay đổi vùng đã được bảo vệ"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/zh_CN.cp936.po.CVE-2026-28421	2026-04-01 09:23:54.147493324 -0400
++++ vim80/src/po/zh_CN.cp936.po	2026-04-01 09:23:54.147493324 -0400
+@@ -6138,3 +6138,6 @@ msgstr "ÒѲéÕÒµ½Îļþ½á⣬ÔÙ´Ó¿ªÍ·¼ÌÐø²é
+ 
+ #~ msgid "with BeOS GUI."
+ #~ msgstr "ʹÓà BeOS ͼÐνçÃæ¡£"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/zh_CN.po.CVE-2026-28421	2026-04-01 09:23:54.152493324 -0400
++++ vim80/src/po/zh_CN.po	2026-04-01 09:23:54.152493324 -0400
+@@ -6138,3 +6138,6 @@ msgstr "ÒѲéÕÒµ½Îļþ½á⣬ÔÙ´Ó¿ªÍ·¼ÌÐø²é
+ 
+ #~ msgid "with BeOS GUI."
+ #~ msgstr "ʹÓà BeOS ͼÐνçÃæ¡£"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/zh_CN.UTF-8.po.CVE-2026-28421	2026-04-01 09:23:54.157493324 -0400
++++ vim80/src/po/zh_CN.UTF-8.po	2026-04-01 09:23:54.157493324 -0400
+@@ -6138,3 +6138,6 @@ msgstr "已查找到文件结尾，å†<C3A5>ä»
+ 
+ #~ msgid "with BeOS GUI."
+ #~ msgstr "使用 BeOS 图形界é<C592>¢ã€‚"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/zh_TW.po.CVE-2026-28421	2026-04-01 09:23:54.163493324 -0400
++++ vim80/src/po/zh_TW.po	2026-04-01 09:23:54.164493324 -0400
+@@ -5273,3 +5273,6 @@ msgstr "E463: °Ï°ì³Q«OÅ@¡AµLªk­×§ï"
+ 
+ #~ msgid "E277: Unrecognized sniff request [%s]"
+ #~ msgstr "E277: µLªk¿ëÃÑ sniff ©R¥O [%s]"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""
+--- vim80/src/po/zh_TW.UTF-8.po.CVE-2026-28421	2026-04-01 09:23:54.170493324 -0400
++++ vim80/src/po/zh_TW.UTF-8.po	2026-04-01 09:23:54.171493324 -0400
+@@ -5280,3 +5280,6 @@ msgstr "E463: å<>€åŸŸè¢«ä¿<C3A4>護，無法ä¿
+ 
+ #~ msgid "E277: Unrecognized sniff request [%s]"
+ #~ msgstr "E277: 無法辨識 sniff 命令 [%s]"
++
++msgid "???ILLEGAL BLOCK NUMBER"
++msgstr ""

vim.spec

@@ -129,6 +129,13 @@ Patch3045: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch
 Patch3046: 0001-runtime-netrw-upstream-snapshot-of-v179.patch
 Patch3047: 0001-patch-9.2.0073-security-possible-command-injection-u.patch
 Patch3048: 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch
+# RHEL-155412 CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
+# 0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch - adds check for max page count, which fixes
+# crash which happens after applying 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
+# 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch - validates line count and page count from
+# untrusted swap file before passing it to read and allocation functions
+Patch3049: 0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch
+Patch3050: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -358,6 +365,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3046 -p1 -b .validatehostname
 %patch -P 3047 -p1 -b .CVE-2026-28417
 %patch -P 3048 -p1 -b .validateportnum
+%patch -P 3049 -p1 -b .check-page-count
+%patch -P 3050 -p1 -b .CVE-2026-28421
 
 %build
 %if 0%{?rhel} > 7
@@ -879,6 +888,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 * Tue Mar 31 2026 Petr Dancak   <pdancak@redhat.com> - 2:8.0.1763-22.1
 - RHEL-159620 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
 - RHEL-155428 CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin
+- RHEL-155412 CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
 
 * Fri Feb 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-22
 - RHEL-147935 CVE-2026-25749 vim: Heap Overflow in Vim