import UBI vim-9.1.083-6.el10_1.4

2026-04-28 18:09:39 -04:00 · 2026-04-28 18:09:39 -04:00 · 5ec3bb03f9
commit 5ec3bb03f9
parent 0dc292e761
3 changed files with 195 additions and 2 deletions
--- a/0001-patch-9.2.0276-security-modeline-security-bypass.patch
+++ b/0001-patch-9.2.0276-security-modeline-security-bypass.patch
@ -0,0 +1,103 @@
+From 75661a66a1db1e1f3f1245c615f13a7de44c0587 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 31 Mar 2026 18:29:00 +0000
+Subject: [PATCH] patch 9.2.0276: [security]: modeline security bypass
+
+Problem:  [security]: modeline security bypass
+Solution: disallow mapset() from secure mode, set the P_MLE flag for the
+          'complete', 'guitabtooltip' and 'printheader' options.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+Backported for vim 9.1.083
+---
+ src/map.c                     |  3 +++
+ src/optiondefs.h              |  6 +++---
+ src/testdir/test_modeline.vim | 25 +++++++++++++++++++++++++
+ 3 files changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/src/map.c b/src/map.c
+index 0a909fb93b2e4..5f07ef4a81433 100644
+--- a/src/map.c
+++ b/src/map.c
+@@ -2708,6 +2708,9 @@ f_mapset(typval_T *argvars, typval_T *rettv UNUSED)
+     char_u	*arg;
+     int		dict_only;
+
+    if (check_secure())
+	return;
+
+     // If first arg is a dict, then that's the only arg permitted.
+     dict_only = argvars[0].v_type == VAR_DICT;
+     if (in_vim9script()
+diff --git a/src/optiondefs.h b/src/optiondefs.h
+index ca2795a364b66..a6f8383084285 100644
+--- a/src/optiondefs.h
+++ b/src/optiondefs.h
+@@ -639,7 +639,7 @@ static struct vimoption options[] =
+     {"compatible",  "cp",   P_BOOL|P_RALL,
+ 			    (char_u *)&p_cp, PV_NONE, did_set_compatible, NULL,
+ 			    {(char_u *)TRUE, (char_u *)FALSE} SCTX_INIT},
+-    {"complete",    "cpt",  P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_NODUP,
+    {"complete",    "cpt",  P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_NODUP|P_MLE,
+ 			    (char_u *)&p_cpt, PV_CPT, did_set_complete, expand_set_complete,
+ 			    {(char_u *)".,w,b,u,t,i", (char_u *)0L}
+ 			    SCTX_INIT},
+@@ -1251,7 +1251,7 @@ static struct vimoption options[] =
+ 			    {(char_u *)NULL, (char_u *)0L}
+ #endif
+ 			    SCTX_INIT},
+-    {"guitabtooltip",  "gtt", P_STRING|P_VI_DEF|P_RWIN,
+    {"guitabtooltip",  "gtt", P_STRING|P_VI_DEF|P_RWIN|P_MLE,
+ #if defined(FEAT_GUI_TABLINE)
+ 			    (char_u *)&p_gtt, PV_NONE, NULL, NULL,
+ 			    {(char_u *)"", (char_u *)0L}
+@@ -1950,7 +1950,7 @@ static struct vimoption options[] =
+ 			    {(char_u *)NULL, (char_u *)0L}
+ #endif
+ 			    SCTX_INIT},
+-    {"printheader", "pheader",  P_STRING|P_VI_DEF|P_GETTEXT,
+    {"printheader", "pheader",  P_STRING|P_VI_DEF|P_GETTEXT|P_MLE,
+ #ifdef FEAT_PRINTER
+ 			    (char_u *)&p_header, PV_NONE, NULL, NULL,
+ 			    // untranslated to avoid problems when 'encoding'
+diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
+index 4cc091b9ca586..25ca6fb437003 100644
+--- a/src/testdir/test_modeline.vim
+++ b/src/testdir/test_modeline.vim
+@@ -469,4 +469,29 @@ func Test_modeline_disable()
+   call assert_equal(2, &sw)
+ endfunc
+
+func Test_modeline_forbidden()
+  let tempfile = tempname()
+  let lines =<< trim END
+    some test text for completion
+    vim: set complete=F{->system('touch_should_not_run')} :
+  END
+  call writefile(lines, tempfile, 'D')
+  call assert_fails($'new {tempfile}', 'E992:')
+  bw!
+  let lines =<< trim END
+    some text
+    vim: set guitabtooltip=%{%mapset()%}:
+  END
+  call writefile(lines, tempfile)
+  call assert_fails($'new {tempfile}', 'E992:')
+  bw!
+  let lines =<< trim END
+    some text
+    vim: set printheader=%{mapset('n',0,{})%)%}:
+  END
+  call writefile(lines, tempfile, 'D')
+  call assert_fails($'new {tempfile}', 'E992:')
+  bw!
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.53.0
+
--- a/0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch
+++ b/0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch
@ -0,0 +1,79 @@
+diff -up vim91/runtime/doc/options.txt.modeline-tests vim91/runtime/doc/options.txt
+--- vim91/runtime/doc/options.txt.modeline-tests	2024-02-09 06:33:54.000000000 +0100
+++ vim91/runtime/doc/options.txt	2026-04-08 15:14:10.424275654 +0200
+@@ -2070,6 +2070,8 @@ A jump table for the options with a shor
+ 	based expansion (e.g., dictionary |i_CTRL-X_CTRL-K|, included patterns
+ 	|i_CTRL-X_CTRL-I|, tags |i_CTRL-X_CTRL-]| and normal expansions).
+ 
+	This option cannot be set in a modeline when 'modelineexpr' is off.
+
+ 						*'completefunc'* *'cfu'*
+ 'completefunc' 'cfu'	string	(default: empty)
+ 			local to buffer
+@@ -4177,6 +4179,7 @@ A jump table for the options with a shor
+ 	You can include a line break.  Simplest method is to use |:let|: >
+ 		:let &guitabtooltip = "line one\nline two"
+ <
+	This option cannot be set in a modeline when 'modelineexpr' is off.
+ 
+ 						*'helpfile'* *'hf'*
+ 'helpfile' 'hf'		string	(default (MS-Windows) "$VIMRUNTIME\doc\help.txt"
+@@ -6238,6 +6241,8 @@ A jump table for the options with a shor
+ 	The format of the header produced in |:hardcopy| output.
+ 	See |pheader-option|.
+ 
+	This option cannot be set in a modeline when 'modelineexpr' is off.
+
+ 						*'printmbcharset'* *'pmbcs'*
+ 'printmbcharset' 'pmbcs'  string (default "")
+ 			global
+diff -up vim91/src/testdir/test_modeline.vim.modeline-tests vim91/src/testdir/test_modeline.vim
+--- vim91/src/testdir/test_modeline.vim.modeline-tests	2026-04-08 15:12:08.284334428 +0200
+++ vim91/src/testdir/test_modeline.vim	2026-04-08 15:14:50.248503197 +0200
+@@ -262,13 +262,16 @@ endfunc
+ 
+ func Test_modeline_fails_modelineexpr()
+   call s:modeline_fails('balloonexpr', 'balloonexpr=Something()', 'E992:')
+  call s:modeline_fails('complete', "complete=FSomething", 'E992:')
+   call s:modeline_fails('foldexpr', 'foldexpr=Something()', 'E992:')
+   call s:modeline_fails('foldtext', 'foldtext=Something()', 'E992:')
+   call s:modeline_fails('formatexpr', 'formatexpr=Something()', 'E992:')
+   call s:modeline_fails('guitablabel', 'guitablabel=Something()', 'E992:')
+  call s:modeline_fails('guitabtooltip', 'guitabtooltip=Something()', 'E992:')
+   call s:modeline_fails('iconstring', 'iconstring=Something()', 'E992:')
+   call s:modeline_fails('includeexpr', 'includeexpr=Something()', 'E992:')
+   call s:modeline_fails('indentexpr', 'indentexpr=Something()', 'E992:')
+  call s:modeline_fails('printheader', 'printheader=Something()', 'E992:')
+   call s:modeline_fails('rulerformat', 'rulerformat=Something()', 'E992:')
+   call s:modeline_fails('statusline', 'statusline=Something()', 'E992:')
+   call s:modeline_fails('tabline', 'tabline=Something()', 'E992:')
+@@ -362,29 +365,4 @@ func Test_modeline_disable()
+   call assert_equal(2, &sw)
+ endfunc
+ 
+-func Test_modeline_forbidden()
+-  let tempfile = tempname()
+-  let lines =<< trim END
+-    some test text for completion
+-    vim: set complete=F{->system('touch_should_not_run')} :
+-  END
+-  call writefile(lines, tempfile, 'D')
+-  call assert_fails($'new {tempfile}', 'E992:')
+-  bw!
+-  let lines =<< trim END
+-    some text
+-    vim: set guitabtooltip=%{%mapset()%}:
+-  END
+-  call writefile(lines, tempfile)
+-  call assert_fails($'new {tempfile}', 'E992:')
+-  bw!
+-  let lines =<< trim END
+-    some text
+-    vim: set printheader=%{mapset('n',0,{})%)%}:
+-  END
+-  call writefile(lines, tempfile, 'D')
+-  call assert_fails($'new {tempfile}', 'E992:')
+-  bw!
+-endfunc
+-
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -51,7 +51,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 6%{?dist}.3
+Release: 6%{?dist}.4
 Epoch: 2
 # swift.vim contains Apache 2.0 with runtime library exception:
 # which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
@ -128,6 +128,12 @@ Patch3014: 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch
 Patch3015: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
 # RHEL-159615 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
 Patch3016: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch
+# RHEL-164951 CVE-2026-34982 vim: arbitrary command execution via modeline sandbox bypass
+# https://redhat.atlassian.net/browse/RHEL-164951
+# https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615f13a7de44c0587
+# https://github.com/vim/vim/commit/8c8772c6b321d4955c8f09926e3eda2b4cd83680
+Patch3017: 0001-patch-9.2.0276-security-modeline-security-bypass.patch
+Patch3018: 0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch


 # uses autoconf in spec file
@ -462,6 +468,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3014 -p1 -b .validateportnum
 %patch -P 3015 -p1 -b .CVE-2026-28421
 %patch -P 3016 -p1 -b .CVE-2026-33412
+%patch -P 3017 -p1 -b .CVE-2026-34982
+%patch -P 3018 -p1 -b .modeline-tests

 %build
 cd src
@ -1097,7 +1105,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags


 %changelog
-* Wed Mar 27 2026 Petr Dancak <pdancak@redhat.com> - 2:9.1.083-6.3
+* Wed Apr 08 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-6.4
+- Resolves: RHEL-164951 vim: arbitrary command execution via modeline sandbox bypass
+
+* Fri Mar 27 2026 Petr Dancak <pdancak@redhat.com> - 2:9.1.083-6.3
 - RHEL-159615 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function

 * Wed Mar 25 2026 Petr Dancak <pdancak@redhat.com> - 2:9.1.083-6.2