From 9254b79bcd682cb98fcaadb80513b2818a9efaa2 Mon Sep 17 00:00:00 2001 From: pdancak Date: Tue, 31 Mar 2026 14:10:48 +0200 Subject: [PATCH] RHEL-159620 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function Resolves: RHEL-159620 rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED --- ...ecurity-command-injection-via-newlin.patch | 40 +++++++++++++++++++ vim.spec | 9 ++++- 2 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 0001-patch-9.2.0202-security-command-injection-via-newlin.patch diff --git a/0001-patch-9.2.0202-security-command-injection-via-newlin.patch b/0001-patch-9.2.0202-security-command-injection-via-newlin.patch new file mode 100644 index 00000000..b9900642 --- /dev/null +++ b/0001-patch-9.2.0202-security-command-injection-via-newlin.patch @@ -0,0 +1,40 @@ +From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001 +From: pyllyukko +Date: Thu, 19 Mar 2026 19:58:05 +0000 +Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in + glob() + +Problem: The glob() function on Unix-like systems does not escape + newline characters when expanding wildcards. A maliciously + crafted string containing '\n' can be used as a command + separator to execute arbitrary shell commands via + mch_expand_wildcards(). This depends on the user's 'shell' + setting. +Solution: Add the newline character ('\n') to the SHELL_SPECIAL + definition to ensure it is properly escaped before being + passed to the shell (pyllyukko). + +closes: #19746 + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c + +Signed-off-by: pyllyukko +Signed-off-by: Christian Brabandt +--- + src/os_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/os_unix.c b/src/os_unix.c +index 03f7649090c96..91bfd63d0dcb2 100644 +--- a/src/os_unix.c ++++ b/src/os_unix.c +@@ -6772,7 +6772,7 @@ mch_expand_wildcards( + # define SEEK_END 2 + #endif + +-#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|" ++#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n" + + int + mch_expand_wildcards( diff --git a/vim.spec b/vim.spec index 17cb8c67..9c6cc3de 100644 --- a/vim.spec +++ b/vim.spec @@ -24,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 22%{?dist} +Release: 22%{?dist}.1 License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -118,7 +118,8 @@ Patch3042: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch # 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch Patch3043: 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch Patch3044: 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch - +# RHEL-159620 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function +Patch3045: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -344,6 +345,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3042 -p1 -b .CVE-2025-53906 %patch -P 3043 -p1 -b .tag-overflow %patch -P 3044 -p1 -b .tag-overflow2 +%patch -P 3045 -p1 -b .CVE-2026-33412 %build %if 0%{?rhel} > 7 @@ -862,6 +864,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Tue Mar 31 2026 Petr Dancak - 2:8.0.1763-22.1 +- RHEL-159620 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function + * Fri Feb 27 2026 Zdenek Dohnal - 2:8.0.1763-22 - RHEL-147935 CVE-2026-25749 vim: Heap Overflow in Vim