diff --git a/0001-patch-9.2.0357-security-command-injection-via-backti.patch b/0001-patch-9.2.0357-security-command-injection-via-backti.patch new file mode 100644 index 00000000..a08225ab --- /dev/null +++ b/0001-patch-9.2.0357-security-command-injection-via-backti.patch @@ -0,0 +1,71 @@ +From 7bad6e5ca6a40e80509a223cd6977ae949da15fc Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Wed, 15 Apr 2026 20:17:17 +0000 +Subject: [PATCH] patch 9.2.0357: [security]: command injection via backticks + in tag files + +Problem: [security]: command injection via backticks in tag files + (Srinivas Piskala Ganesh Babu, Andy Ngo) +Solution: Disallow backticks before attempting to expand filenames. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8 + +Supported by AI + +Signed-off-by: Christian Brabandt +--- + src/tag.c | 4 +++- + src/testdir/test_tagjump.vim | 22 ++++++++++++++++++++++ + 2 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/src/tag.c b/src/tag.c +index f191fc5..7500616 100644 +--- a/src/tag.c ++++ b/src/tag.c +@@ -4092,8 +4092,10 @@ expand_tag_fname(char_u *fname, char_u *tag_fname, int expand) + + /* + * Expand file name (for environment variables) when needed. ++ * Disallow backticks, they could execute arbitrary shell ++ * commands. This is not needed for tag filenames. + */ +- if (expand && mch_has_wildcard(fname)) ++ if (expand && mch_has_wildcard(fname) && vim_strchr(fname, '`') == NULL) + { + ExpandInit(&xpc); + xpc.xp_context = EXPAND_FILES; +diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim +index 8b85bd6..fce4f14 100644 +--- a/src/testdir/test_tagjump.vim ++++ b/src/testdir/test_tagjump.vim +@@ -1545,4 +1545,26 @@ func Test_tagbsearch() + set tags& tagbsearch& + endfunc + ++" Test that backtick expressions in tag filenames are not expanded. ++" This prevents command injection via malicious tags files. ++func Test_tag_backtick_filename_not_expanded() ++ let pwned_file = 'Xtags_pwnd' ++ call assert_false(filereadable(pwned_file)) ++ ++ let tagline = "main\t`touch " .. pwned_file .. "`\t/^int main/;\"\tf" ++ call writefile([tagline], 'Xbt_tags', 'D') ++ call writefile(['int main(int argc, char **argv) {', '}'], 'Xbt_main.c', 'D') ++ ++ set tags=Xbt_tags ++ sp Xbt_main.c ++ ++ " The :tag command should fail to find the file, but must NOT execute ++ " the backtick shell command. ++ call assert_fails('tag main', 'E429:') ++ call assert_false(filereadable(pwned_file)) ++ ++ set tags& ++ bwipe! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.54.0 + diff --git a/vim.spec b/vim.spec index bea6ddec..6d1edfe1 100644 --- a/vim.spec +++ b/vim.spec @@ -51,7 +51,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 11%{?dist} +Release: 12%{?dist} Epoch: 2 # swift.vim contains Apache 2.0 with runtime library exception: # which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188 @@ -141,6 +141,10 @@ Patch3016: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch Patch3017: 0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch Patch3018: 0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch Patch3019: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch +# RHEL-171482 CVE-2026-41411 vim: Command injection via backticks in tag files +# https://redhat.atlassian.net/browse/RHEL-171482 +# https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb +Patch3020: 0001-patch-9.2.0357-security-command-injection-via-backti.patch # uses autoconf in spec file @@ -478,6 +482,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3017 -p1 -b .zip-path-traversal %patch -P 3018 -p1 -b .zip-abs-write %patch -P 3019 -p1 -b .zip-abs-extract +%patch -P 3020 -p1 -b .tag-backtick-inject %build cd src @@ -1108,6 +1113,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %changelog +* Thu May 21 2026 Zdenek Dohnal - 2:9.1.083-12 +- RHEL-171482 CVE-2026-41411 vim: Command injection via backticks in tag files + * Wed May 20 2026 Zdenek Dohnal - 2:9.1.083-11 - RHEL-170124 CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass