diff --git a/0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch b/0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch new file mode 100644 index 00000000..7624c0a7 --- /dev/null +++ b/0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch @@ -0,0 +1,77 @@ +From ea20c181c76ef339b5cf1ae02ce3f7593c57d14d Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Sun, 17 May 2026 19:39:24 +0000 +Subject: [PATCH] patch 9.2.0496: [security]: Code Injection in cucumber + filetype plugin + +Problem: [security]: Code Injection in cucumber filetype plugin + (Christopher Lusk) +Solution: Use rubys Regexp.new() with the untrusted pattern + +Github Security Advisory: +https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9 + +Signed-off-by: Christian Brabandt +--- + runtime/ftplugin/cucumber.vim | 3 ++- + src/testdir/test_filetype.vim | 33 +++++++++++++++++++++++++++++++++ + 2 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/runtime/ftplugin/cucumber.vim b/runtime/ftplugin/cucumber.vim +index f4848d1..3361f1d 100644 +--- a/runtime/ftplugin/cucumber.vim ++++ b/runtime/ftplugin/cucumber.vim +@@ -96,7 +96,8 @@ function! s:stepmatch(receiver,target) + catch + endtry + if has("ruby") && pattern !~ '\\\@ s:steps -> s:stepmatch on every discovered step, ++ " including the malicious one. Suppress preview and error messages. ++ silent! normal [d ++ call assert_false(filereadable(marker), 'Ruby injection executed') ++ bwipe! ++ call delete('Xcucu', 'rf') ++ filetype plugin off ++endfunc ++ +-- +2.52.0 + diff --git a/vim.spec b/vim.spec index bc93740d..5c0e519e 100644 --- a/vim.spec +++ b/vim.spec @@ -24,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 25%{?dist} +Release: 26%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -165,12 +165,21 @@ Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch # https://redhat.atlassian.net/browse/RHEL-171485 # https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb Patch3058: 0001-patch-9.2.0357-security-command-injection-via-backti.patch - # RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via shellescape # https://redhat.atlassian.net/browse/RHEL-178234 # https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 # Omitted src/version.c hunk and test file (Vim9 script not available in vim 8.0) Patch3059: 0001-patch-9.2.0479-security-runtime-tar-command-injecti.patch +# RHEL-185863 CVE-2026-47167 vim: Code Injection in cucumber filetype plugin +# https://redhat.atlassian.net/browse/RHEL-185863 +# https://github.com/vim/vim/commit/a65a52d684bc58535ad28a4ae824d22e76399934 +# Changes from upstream: +# - stripped src/version.c patchlevel hunk +# - stripped 'Last Changes' header comments from cucumber.vim +# - adapted test: replaced CheckFeature with has() guard, used mkdir 'p' flag +# with manual cleanup instead of 'pR' (not available in vim 8.0) +Patch3060: 0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch + # gcc is no longer in buildroot by default BuildRequires: gcc @@ -411,6 +420,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3057 -p1 -b .zip-abs-extract %patch -P 3058 -p1 -b .tag-backtick-inject %patch -P 3059 -p1 -b .tar-shellescape-fix +%patch -P 3060 -p1 -b .cucumber-code-injection + %build %if 0%{?rhel} > 7 @@ -929,7 +940,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog -* Wed Jun 03 2026 RHEL Packaging Agent - 2:8.0.1763-24.1 +* Tue Jun 30 2026 RHEL Packaging Agent - 2:8.0.1763-26 +- CVE-2026-47167 vim: Code Injection in cucumber filetype plugin + +* Wed Jun 03 2026 RHEL Packaging Agent - 2:8.0.1763-25 - RHEL-178234 CVE-2026-46483 vim: command injection in tar plugin via shellescape