RHEL-159620 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function

Resolves: RHEL-159620 rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
2026-03-31 14:10:48 +02:00 · 2026-03-31 14:10:48 +02:00 · 9254b79bcd
commit 9254b79bcd
parent 07cd9103e4
2 changed files with 47 additions and 2 deletions
--- a/0001-patch-9.2.0202-security-command-injection-via-newlin.patch
+++ b/0001-patch-9.2.0202-security-command-injection-via-newlin.patch
@ -0,0 +1,40 @@
+From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001
+From: pyllyukko <pyllyukko@maimed.org>
+Date: Thu, 19 Mar 2026 19:58:05 +0000
+Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in
+ glob()
+
+Problem:  The glob() function on Unix-like systems does not escape
+          newline characters when expanding wildcards. A maliciously
+          crafted string containing '\n' can be used as a command
+          separator to execute arbitrary shell commands via
+          mch_expand_wildcards(). This depends on the user's 'shell'
+          setting.
+Solution: Add the newline character ('\n') to the SHELL_SPECIAL
+          definition to ensure it is properly escaped before being
+          passed to the shell (pyllyukko).
+
+closes: #19746
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
+
+Signed-off-by: pyllyukko <pyllyukko@maimed.org>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/os_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/os_unix.c b/src/os_unix.c
+index 03f7649090c96..91bfd63d0dcb2 100644
+--- a/src/os_unix.c
+++ b/src/os_unix.c
+@@ -6772,7 +6772,7 @@ mch_expand_wildcards(
+ # define SEEK_END 2
+ #endif
+
+-#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|"
+#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n"
+
+     int
+ mch_expand_wildcards(
--- a/vim.spec
+++ b/vim.spec
@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 22%{?dist}
+Release: 22%{?dist}.1
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@ -118,7 +118,8 @@ Patch3042: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
 # 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
 Patch3043: 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
 Patch3044: 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
-
+# RHEL-159620 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
+Patch3045: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -344,6 +345,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3042 -p1 -b .CVE-2025-53906
 %patch -P 3043 -p1 -b .tag-overflow
 %patch -P 3044 -p1 -b .tag-overflow2
+%patch -P 3045 -p1 -b .CVE-2026-33412

 %build
 %if 0%{?rhel} > 7
@ -862,6 +864,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*

 %changelog
+* Tue Mar 31 2026 Petr Dancak   <pdancak@redhat.com> - 2:8.0.1763-22.1
+- RHEL-159620 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
+
 * Fri Feb 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-22
 - RHEL-147935 CVE-2026-25749 vim: Heap Overflow in Vim