RHEL-145868 sudo not able to spawn "vi" command when NOEXEC is used to prevent escaping to shell

Resolves: RHEL-145868

vi_wrapper

@@ -1,23 +0,0 @@
-#!/usr/bin/sh
-
-# run vim if:
-# - 'vi' command is used and 'vim' binary is available
-# - 'vim' command is used
-# NOTE: Set up a local alias if you want vim -> vi functionality. We will not
-# do it globally, because it messes up with available startup options (see 
-# ':help starting', 'vi' is not capable of '-d'). The introducing an environment
-# variable, which an user must set to get the feature, will do the same trick
-# as setting an alias (needs user input, does not work with sudo), so it is left
-# on user whether he decides to use an alias:
-#
-# alias vim=vi
-#
-# in bashrc file.
-
-if test -f /usr/bin/vim
-then
-  exec /usr/bin/vim "$@"
-fi
-
-# run vi otherwise
-exec /usr/libexec/vi "$@"

view_wrapper

@@ -7,4 +7,4 @@ then
 fi
 
 # run vi otherwise
-exec /usr/libexec/vi -R "$@"
+exec /usr/bin/vi -R "$@"

vim.spec

@@ -51,7 +51,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 6%{?dist}
+Release: 7%{?dist}
 Epoch: 2
 # swift.vim contains Apache 2.0 with runtime library exception:
 # which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
@@ -75,7 +75,6 @@ Source9: vim-default-editor.sh
 Source10: vim-default-editor.csh
 Source11: vim-default-editor.fish
 Source12: view_wrapper
-Source13: vi_wrapper
 
 %if %{withvimspell}
 Source100: vim-spell-files.tar.bz2
@@ -611,15 +610,11 @@ cd src
 # and put the stripped files into correct dirs. Build system (koji/brew) 
 # does it for us, so there is no need to do it in Vim
 %make_install BINDIR=%{_bindir} STRIP=/bin/true
-# make install creates vim binary and view symlink, they will be wrappers
-# so remove them here
-rm -f %{buildroot}%{_bindir}/{vim,view}
+
 mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,32x32,48x48,64x64}/apps
-mkdir -p %{buildroot}%{_libexecdir}
-install -m755 minimal-vim %{buildroot}%{_libexecdir}/vi
+install -m755 minimal-vim %{buildroot}%{_bindir}/vi
 install -m755 enhanced-vim %{buildroot}%{_bindir}/vim
 install -m755 %{SOURCE12} %{buildroot}%{_bindir}/view
-install -m755 %{SOURCE13} %{buildroot}%{_bindir}/vi
 
 %if %{with gui}
 make installgtutorbin  DESTDIR=%{buildroot} BINDIR=%{_bindir}
@@ -702,9 +697,9 @@ rm %{buildroot}/%{_datadir}/icons/{hicolor,locolor}/*/apps/gvim.png
 %endif
 
 ( cd %{buildroot}
-  ln -sf %{_libexecdir}/vi .%{_bindir}/rvi
-  ln -sf %{_libexecdir}/vi .%{_bindir}/rview
-  ln -sf %{_libexecdir}/vi .%{_bindir}/ex
+  ln -sf %{_bindir}/vi .%{_bindir}/rvi
+  ln -sf %{_bindir}/vi .%{_bindir}/rview
+  ln -sf %{_bindir}/vi .%{_bindir}/ex
   ln -sf vim .%{_bindir}/rvim
   ln -sf vim .%{_bindir}/vimdiff
   perl -pi -e "s,%{buildroot},," .%{_mandir}/man1/vim.1 .%{_mandir}/man1/vimtutor.1
@@ -986,7 +981,6 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_bindir}/rview
 %{_bindir}/vi
 %{_bindir}/view
-%{_libexecdir}/vi
 %{_mandir}/man1/vi.*
 %{_mandir}/man1/ex.*
 %{_mandir}/man1/rvi.*
@@ -1072,6 +1066,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 
 
 %changelog
+* Thu Feb 05 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-7
+- RHEL-145868 sudo not able to spawn "vi" command when NOEXEC is used to prevent escaping to shell
+
 * Wed Sep 10 2025 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-6
 - RHEL-113549 CVE-2025-53906 vim: Vim path traversal
 - RHEL-113543 CVE-2025-53905 vim: Vim path traversial