From ba368ddd2db38a4ae61eeae9134dd6fd6137ce93 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Wed, 29 Apr 2026 04:37:10 -0400 Subject: [PATCH] import UBI vim-8.2.2637-23.el9_7.3 --- ...76-security-modeline-security-bypass.patch | 103 ++++++++++++++++++ ...2.0277-tests-test_modeline.vim-fails.patch | 79 ++++++++++++++ SPECS/vim.spec | 13 ++- 3 files changed, 194 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-patch-9.2.0276-security-modeline-security-bypass.patch create mode 100644 SOURCES/0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch diff --git a/SOURCES/0001-patch-9.2.0276-security-modeline-security-bypass.patch b/SOURCES/0001-patch-9.2.0276-security-modeline-security-bypass.patch new file mode 100644 index 00000000..36140765 --- /dev/null +++ b/SOURCES/0001-patch-9.2.0276-security-modeline-security-bypass.patch @@ -0,0 +1,103 @@ +From 75661a66a1db1e1f3f1245c615f13a7de44c0587 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Tue, 31 Mar 2026 18:29:00 +0000 +Subject: [PATCH] patch 9.2.0276: [security]: modeline security bypass + +Problem: [security]: modeline security bypass +Solution: disallow mapset() from secure mode, set the P_MLE flag for the + 'complete', 'guitabtooltip' and 'printheader' options. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9 + +Signed-off-by: Christian Brabandt + +Backported for vim 8.2.2637 +--- + src/map.c | 3 +++ + src/optiondefs.h | 6 +++--- + src/testdir/test_modeline.vim | 25 +++++++++++++++++++++++++ + 3 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/src/map.c b/src/map.c +index 0a909fb93b2e4..5f07ef4a81433 100644 +--- a/src/map.c ++++ b/src/map.c +@@ -2303,6 +2303,9 @@ f_mapset(typval_T *argvars, typval_T *rettv UNUSED) + int nowait; + char_u *arg; + ++ if (check_secure()) ++ return; ++ + which = tv_get_string_buf_chk(&argvars[0], buf); + if (which == NULL) + return; +diff --git a/src/optiondefs.h b/src/optiondefs.h +index ca2795a364b66..a6f8383084285 100644 +--- a/src/optiondefs.h ++++ b/src/optiondefs.h +@@ -653,7 +653,7 @@ static struct vimoption options[] = + {"compatible", "cp", P_BOOL|P_RALL, + (char_u *)&p_cp, PV_NONE, + {(char_u *)TRUE, (char_u *)FALSE} SCTX_INIT}, +- {"complete", "cpt", P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_NODUP, ++ {"complete", "cpt", P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_NODUP|P_MLE, + (char_u *)&p_cpt, PV_CPT, + {(char_u *)".,w,b,u,t,i", (char_u *)0L} + SCTX_INIT}, +@@ -1234,7 +1234,7 @@ static struct vimoption options[] = + {(char_u *)NULL, (char_u *)0L} + #endif + SCTX_INIT}, +- {"guitabtooltip", "gtt", P_STRING|P_VI_DEF|P_RWIN, ++ {"guitabtooltip", "gtt", P_STRING|P_VI_DEF|P_RWIN|P_MLE, + #if defined(FEAT_GUI_TABLINE) + (char_u *)&p_gtt, PV_NONE, + {(char_u *)"", (char_u *)0L} +@@ -1949,7 +1949,7 @@ static struct vimoption options[] = + {(char_u *)NULL, (char_u *)0L} + #endif + SCTX_INIT}, +- {"printheader", "pheader", P_STRING|P_VI_DEF|P_GETTEXT, ++ {"printheader", "pheader", P_STRING|P_VI_DEF|P_GETTEXT|P_MLE, + #ifdef FEAT_PRINTER + (char_u *)&p_header, PV_NONE, + // untranslated to avoid problems when 'encoding' +diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim +index 4cc091b9ca586..25ca6fb437003 100644 +--- a/src/testdir/test_modeline.vim ++++ b/src/testdir/test_modeline.vim +@@ -402,4 +402,29 @@ func Test_modeline_verbose() + call delete('Xmodeline') + endfunc + ++func Test_modeline_forbidden() ++ let tempfile = tempname() ++ let lines =<< trim END ++ some test text for completion ++ vim: set complete=F{->system('touch_should_not_run')} : ++ END ++ call writefile(lines, tempfile, 'D') ++ call assert_fails($'new {tempfile}', 'E992:') ++ bw! ++ let lines =<< trim END ++ some text ++ vim: set guitabtooltip=%{%mapset()%}: ++ END ++ call writefile(lines, tempfile) ++ call assert_fails($'new {tempfile}', 'E992:') ++ bw! ++ let lines =<< trim END ++ some text ++ vim: set printheader=%{mapset('n',0,{})%)%}: ++ END ++ call writefile(lines, tempfile, 'D') ++ call assert_fails($'new {tempfile}', 'E992:') ++ bw! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.53.0 + diff --git a/SOURCES/0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch b/SOURCES/0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch new file mode 100644 index 00000000..ac3abf64 --- /dev/null +++ b/SOURCES/0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch @@ -0,0 +1,79 @@ +diff -up vim82/runtime/doc/options.txt.modeline-tests vim82/runtime/doc/options.txt +--- vim82/runtime/doc/options.txt.modeline-tests 2021-03-22 10:02:41.000000000 +0100 ++++ vim82/runtime/doc/options.txt 2026-04-08 15:37:50.007970018 +0200 +@@ -1879,6 +1879,8 @@ A jump table for the options with a shor + based expansion (e.g., dictionary |i_CTRL-X_CTRL-K|, included patterns + |i_CTRL-X_CTRL-I|, tags |i_CTRL-X_CTRL-]| and normal expansions). + ++ This option cannot be set in a modeline when 'modelineexpr' is off. ++ + *'completefunc'* *'cfu'* + 'completefunc' 'cfu' string (default: empty) + local to buffer +@@ -3908,6 +3910,7 @@ A jump table for the options with a shor + You can include a line break. Simplest method is to use |:let|: > + :let &guitabtooltip = "line one\nline two" + < ++ This option cannot be set in a modeline when 'modelineexpr' is off. + + *'helpfile'* *'hf'* + 'helpfile' 'hf' string (default (MS-Windows) "$VIMRUNTIME\doc\help.txt" +@@ -5812,6 +5815,8 @@ A jump table for the options with a shor + The format of the header produced in |:hardcopy| output. + See |pheader-option|. + ++ This option cannot be set in a modeline when 'modelineexpr' is off. ++ + *'printmbcharset'* *'pmbcs'* + 'printmbcharset' 'pmbcs' string (default "") + global +diff -up vim82/src/testdir/test_modeline.vim.modeline-tests vim82/src/testdir/test_modeline.vim +--- vim82/src/testdir/test_modeline.vim.modeline-tests 2026-04-08 15:38:55.992439182 +0200 ++++ vim82/src/testdir/test_modeline.vim 2026-04-08 15:40:41.319595292 +0200 +@@ -265,13 +265,16 @@ endfunc + + func Test_modeline_fails_modelineexpr() + call s:modeline_fails('balloonexpr', 'balloonexpr=Something()', 'E992:') ++ call s:modeline_fails('complete', "complete=FSomething", 'E992:') + call s:modeline_fails('foldexpr', 'foldexpr=Something()', 'E992:') + call s:modeline_fails('foldtext', 'foldtext=Something()', 'E992:') + call s:modeline_fails('formatexpr', 'formatexpr=Something()', 'E992:') + call s:modeline_fails('guitablabel', 'guitablabel=Something()', 'E992:') ++ call s:modeline_fails('guitabtooltip', 'guitabtooltip=Something()', 'E992:') + call s:modeline_fails('iconstring', 'iconstring=Something()', 'E992:') + call s:modeline_fails('includeexpr', 'includeexpr=Something()', 'E992:') + call s:modeline_fails('indentexpr', 'indentexpr=Something()', 'E992:') ++ call s:modeline_fails('printheader', 'printheader=Something()', 'E992:') + call s:modeline_fails('rulerformat', 'rulerformat=Something()', 'E992:') + call s:modeline_fails('statusline', 'statusline=Something()', 'E992:') + call s:modeline_fails('tabline', 'tabline=Something()', 'E992:') +@@ -334,29 +337,4 @@ func Test_modeline_setoption_verbose() + call delete('Xmodeline') + endfunc + +-func Test_modeline_forbidden() +- let tempfile = tempname() +- let lines =<< trim END +- some test text for completion +- vim: set complete=F{->system('touch_should_not_run')} : +- END +- call writefile(lines, tempfile, 'D') +- call assert_fails($'new {tempfile}', 'E992:') +- bw! +- let lines =<< trim END +- some text +- vim: set guitabtooltip=%{%mapset()%}: +- END +- call writefile(lines, tempfile) +- call assert_fails($'new {tempfile}', 'E992:') +- bw! +- let lines =<< trim END +- some text +- vim: set printheader=%{mapset('n',0,{})%)%}: +- END +- call writefile(lines, tempfile, 'D') +- call assert_fails($'new {tempfile}', 'E992:') +- bw! +-endfunc +- + " vim: shiftwidth=2 sts=2 expandtab diff --git a/SPECS/vim.spec b/SPECS/vim.spec index d68dc1c0..b267fe66 100644 --- a/SPECS/vim.spec +++ b/SPECS/vim.spec @@ -27,7 +27,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 23%{?dist}.2 +Release: 23%{?dist}.3 License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: virc @@ -174,6 +174,12 @@ Patch3063: 0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch Patch3064: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch # RHEL-159629 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function Patch3065: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch +# RHEL-164965 CVE-2026-34982 vim: arbitrary command execution via modeline sandbox bypass +# https://redhat.atlassian.net/browse/RHEL-164965 +# https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615f13a7de44c0587 +# https://github.com/vim/vim/commit/8c8772c6b321d4955c8f09926e3eda2b4cd83680 +Patch3066: 0001-patch-9.2.0276-security-modeline-security-bypass.patch +Patch3067: 0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch # gcc is no longer in buildroot by default @@ -427,6 +433,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3063 -p1 -b .check-page-count %patch -P 3064 -p1 -b .CVE-2026-28421 %patch -P 3065 -p1 -b .CVE-2026-33412 +%patch -P 3066 -p1 -b .CVE-2026-34982 +%patch -P 3067 -p1 -b .modeline-tests %build cd src @@ -984,6 +992,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %endif %changelog +* Wed Apr 08 2026 Zdenek Dohnal - 2:8.2.2637-23.3 +- Resolves: RHEL-164965 vim: arbitrary command execution via modeline sandbox bypass + * Thu Mar 26 2026 Petr Dancak - 2:8.2.2637-23.2 - RHEL-155437 CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin - RHEL-155422 CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file