Fix CVE-2026-47167: Code Injection in cucumber filetype plugin
Backport upstream fix (commit a65a52d6) for CVE-2026-47167 to
vim 8.0.1763 on c8s. The patch replaces the unsafe
Kernel.eval('/'+pattern+'/') call in cucumber.vim with
Regexp.new(pattern), preventing Ruby code injection through
malicious step definition patterns.
Added Patch3059 with adaptations for vim 8.0: replaced
CheckFeature with has() guard and adjusted mkdir/cleanup
calls for compatibility.
CVE: CVE-2026-47167
Upstream patches:
- a65a52d684.patch
Resolves: RHEL-185863
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir
This commit is contained in:
parent
158f6c1c71
commit
6a0060b814
@ -0,0 +1,77 @@
|
||||
From ea20c181c76ef339b5cf1ae02ce3f7593c57d14d Mon Sep 17 00:00:00 2001
|
||||
From: Christian Brabandt <cb@256bit.org>
|
||||
Date: Sun, 17 May 2026 19:39:24 +0000
|
||||
Subject: [PATCH] patch 9.2.0496: [security]: Code Injection in cucumber
|
||||
filetype plugin
|
||||
|
||||
Problem: [security]: Code Injection in cucumber filetype plugin
|
||||
(Christopher Lusk)
|
||||
Solution: Use rubys Regexp.new() with the untrusted pattern
|
||||
|
||||
Github Security Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
---
|
||||
runtime/ftplugin/cucumber.vim | 3 ++-
|
||||
src/testdir/test_filetype.vim | 33 +++++++++++++++++++++++++++++++++
|
||||
2 files changed, 35 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/runtime/ftplugin/cucumber.vim b/runtime/ftplugin/cucumber.vim
|
||||
index f4848d1..3361f1d 100644
|
||||
--- a/runtime/ftplugin/cucumber.vim
|
||||
+++ b/runtime/ftplugin/cucumber.vim
|
||||
@@ -96,7 +96,8 @@ function! s:stepmatch(receiver,target)
|
||||
catch
|
||||
endtry
|
||||
if has("ruby") && pattern !~ '\\\@<!#{'
|
||||
- ruby VIM.command("return #{if (begin; Kernel.eval('/'+VIM.evaluate('pattern')+'/'); rescue SyntaxError; end) === VIM.evaluate('a:target') then 1 else 0 end}")
|
||||
+ " Use Regexp.new, so the pattern stays untrusted data and cannot inject Ruby
|
||||
+ ruby VIM.command("return #{if (begin; Regexp.new(VIM.evaluate('pattern')); rescue RegexpError; end) === VIM.evaluate('a:target') then 1 else 0 end}")
|
||||
else
|
||||
return 0
|
||||
endif
|
||||
diff --git a/src/testdir/test_filetype.vim b/src/testdir/test_filetype.vim
|
||||
index 62dbc74..e484d2f 100644
|
||||
--- a/src/testdir/test_filetype.vim
|
||||
+++ b/src/testdir/test_filetype.vim
|
||||
@@ -595,3 +595,36 @@ func Test_script_detection()
|
||||
filetype off
|
||||
endfunc
|
||||
|
||||
+func Test_cucumber_code_injection()
|
||||
+ if !has('ruby')
|
||||
+ return
|
||||
+ endif
|
||||
+ filetype plugin on
|
||||
+
|
||||
+ call mkdir('Xcucu/features/step_definitions', 'p')
|
||||
+ call writefile([
|
||||
+ \ 'Feature: demo',
|
||||
+ \ ' Scenario: trigger',
|
||||
+ \ ' Given xyzzy',
|
||||
+ \ ], 'Xcucu/features/test.feature')
|
||||
+ let marker = getcwd() . '/Xcucu/MARKER'
|
||||
+ " Malicious step: terminates the regex literal, injects Ruby system(),
|
||||
+ " comments the trailing slash. With the fix, the pattern is passed to
|
||||
+ " Regexp.new() instead of Kernel.eval() and the payload is inert.
|
||||
+ call writefile([
|
||||
+ \ 'Given /xyzzy/; system("touch ' . marker . '"); #/ do',
|
||||
+ \ 'end',
|
||||
+ \ ], 'Xcucu/features/step_definitions/poc.rb')
|
||||
+
|
||||
+ new Xcucu/features/test.feature
|
||||
+ call assert_equal('cucumber', &filetype)
|
||||
+ call cursor(3, 1)
|
||||
+ " Triggers s:jump -> s:steps -> s:stepmatch on every discovered step,
|
||||
+ " including the malicious one. Suppress preview and error messages.
|
||||
+ silent! normal [d
|
||||
+ call assert_false(filereadable(marker), 'Ruby injection executed')
|
||||
+ bwipe!
|
||||
+ call delete('Xcucu', 'rf')
|
||||
+ filetype plugin off
|
||||
+endfunc
|
||||
+
|
||||
--
|
||||
2.52.0
|
||||
|
||||
20
vim.spec
20
vim.spec
@ -24,7 +24,7 @@ Summary: The VIM editor
|
||||
URL: http://www.vim.org/
|
||||
Name: vim
|
||||
Version: %{baseversion}.%{patchlevel}
|
||||
Release: 25%{?dist}
|
||||
Release: 26%{?dist}
|
||||
License: Vim and MIT
|
||||
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
|
||||
Source1: vim.sh
|
||||
@ -165,12 +165,21 @@ Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
|
||||
# https://redhat.atlassian.net/browse/RHEL-171485
|
||||
# https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb
|
||||
Patch3058: 0001-patch-9.2.0357-security-command-injection-via-backti.patch
|
||||
|
||||
# RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via shellescape
|
||||
# https://redhat.atlassian.net/browse/RHEL-178234
|
||||
# https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
|
||||
# Omitted src/version.c hunk and test file (Vim9 script not available in vim 8.0)
|
||||
Patch3059: 0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch
|
||||
# RHEL-185863 CVE-2026-47167 vim: Code Injection in cucumber filetype plugin
|
||||
# https://redhat.atlassian.net/browse/RHEL-185863
|
||||
# https://github.com/vim/vim/commit/a65a52d684bc58535ad28a4ae824d22e76399934
|
||||
# Changes from upstream:
|
||||
# - stripped src/version.c patchlevel hunk
|
||||
# - stripped 'Last Changes' header comments from cucumber.vim
|
||||
# - adapted test: replaced CheckFeature with has() guard, used mkdir 'p' flag
|
||||
# with manual cleanup instead of 'pR' (not available in vim 8.0)
|
||||
Patch3060: 0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch
|
||||
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
@ -411,6 +420,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
||||
%patch -P 3057 -p1 -b .zip-abs-extract
|
||||
%patch -P 3058 -p1 -b .tag-backtick-inject
|
||||
%patch -P 3059 -p1 -b .tar-shellescape-fix
|
||||
%patch -P 3060 -p1 -b .cucumber-code-injection
|
||||
|
||||
|
||||
%build
|
||||
%if 0%{?rhel} > 7
|
||||
@ -929,7 +940,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
||||
%{_datadir}/icons/locolor/*/apps/*
|
||||
|
||||
%changelog
|
||||
* Wed Jun 03 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 2:8.0.1763-24.1
|
||||
* Tue Jun 30 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 2:8.0.1763-26
|
||||
- CVE-2026-47167 vim: Code Injection in cucumber filetype plugin
|
||||
|
||||
* Wed Jun 03 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 2:8.0.1763-25
|
||||
- RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via
|
||||
shellescape
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user