CVE-2026-41411 vim: Command injection via backticks in tag files
Resolves: RHEL-171485
This commit is contained in:
Zdenek Dohnal
parent
71ad3c53aa
commit
ca75fea6d3
@ -0,0 +1,74 @@
|
||||
From c78194e41d5a0b05b0ddf383b6679b1503f977fb Mon Sep 17 00:00:00 2001
|
||||
From: Christian Brabandt <cb@256bit.org>
|
||||
Date: Wed, 15 Apr 2026 20:17:17 +0000
|
||||
Subject: [PATCH] patch 9.2.0357: [security]: command injection via backticks
|
||||
in tag files
|
||||
|
||||
Problem: [security]: command injection via backticks in tag files
|
||||
(Srinivas Piskala Ganesh Babu, Andy Ngo)
|
||||
Solution: Disallow backticks before attempting to expand filenames.
|
||||
|
||||
Github Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8
|
||||
|
||||
Supported by AI
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
---
|
||||
src/tag.c | 4 +++-
|
||||
src/testdir/test_tagjump.vim | 24 ++++++++++++++++++++++++
|
||||
src/version.c | 2 ++
|
||||
3 files changed, 29 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tag.c b/src/tag.c
|
||||
index d3e27e602..0f12e384b 100644
|
||||
--- a/src/tag.c
|
||||
+++ b/src/tag.c
|
||||
@@ -4137,8 +4137,10 @@ expand_tag_fname(char_u *fname, char_u *tag_fname, int expand)
|
||||
|
||||
/*
|
||||
* Expand file name (for environment variables) when needed.
|
||||
+ * Disallow backticks, they could execute arbitrary shell
|
||||
+ * commands. This is not needed for tag filenames.
|
||||
*/
|
||||
- if (expand && mch_has_wildcard(fname))
|
||||
+ if (expand && mch_has_wildcard(fname) && vim_strchr(fname, '`') == NULL)
|
||||
{
|
||||
ExpandInit(&xpc);
|
||||
xpc.xp_context = EXPAND_FILES;
|
||||
diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
|
||||
index bbab3c70e..c0fa7b02e 100644
|
||||
--- a/src/testdir/test_tagjump.vim
|
||||
+++ b/src/testdir/test_tagjump.vim
|
||||
@@ -258,4 +258,28 @@
|
||||
bwipe!
|
||||
endfunc
|
||||
|
||||
+" Test that backtick expressions in tag filenames are not expanded.
|
||||
+" This prevents command injection via malicious tags files.
|
||||
+func Test_tag_backtick_filename_not_expanded()
|
||||
+ let pwned_file = 'Xtags_pwnd'
|
||||
+ call assert_false(filereadable(pwned_file))
|
||||
+
|
||||
+ let tagline = "main\t`touch " . pwned_file . "`\t/^int main/;\"\tf"
|
||||
+ call writefile([tagline], 'Xbt_tags')
|
||||
+ call writefile(['int main(int argc, char **argv) {', '}'], 'Xbt_main.c')
|
||||
+
|
||||
+ set tags=Xbt_tags
|
||||
+ sp Xbt_main.c
|
||||
+
|
||||
+ " The :tag command should fail to find the file, but must NOT execute
|
||||
+ " the backtick shell command.
|
||||
+ call assert_fails('tag main', 'E429:')
|
||||
+ call assert_false(filereadable(pwned_file))
|
||||
+
|
||||
+ set tags&
|
||||
+ call delete('Xbt_tags')
|
||||
+ call delete('Xbt_main.c')
|
||||
+ bwipe!
|
||||
+endfunc
|
||||
+
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
||||
--
|
||||
2.54.0
|
||||
|
||||
10
vim.spec
10
vim.spec
@ -24,7 +24,7 @@ Summary: The VIM editor
|
||||
URL: http://www.vim.org/
|
||||
Name: vim
|
||||
Version: %{baseversion}.%{patchlevel}
|
||||
Release: 23%{?dist}
|
||||
Release: 24%{?dist}
|
||||
License: Vim and MIT
|
||||
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
|
||||
Source1: vim.sh
|
||||
@ -161,6 +161,10 @@ Patch3054: 0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch
|
||||
Patch3055: 0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch
|
||||
Patch3056: 0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch
|
||||
Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
|
||||
# RHEL-171485 CVE-2026-41411 vim: Command injection via backticks in tag files
|
||||
# https://redhat.atlassian.net/browse/RHEL-171485
|
||||
# https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb
|
||||
Patch3058: 0001-patch-9.2.0357-security-command-injection-via-backti.patch
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
@ -399,6 +403,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
|
||||
%patch -P 3055 -p1 -b .zip-path-traversal
|
||||
%patch -P 3056 -p1 -b .zip-abs-write
|
||||
%patch -P 3057 -p1 -b .zip-abs-extract
|
||||
%patch -P 3058 -p1 -b .tag-backtick-inject
|
||||
|
||||
%build
|
||||
%if 0%{?rhel} > 7
|
||||
@ -917,6 +922,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
|
||||
%{_datadir}/icons/locolor/*/apps/*
|
||||
|
||||
%changelog
|
||||
* Thu May 21 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-24
|
||||
- CVE-2026-41411 vim: Command injection via backticks in tag files
|
||||
|
||||
* Wed May 20 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-23
|
||||
- RHEL-170126 CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite
|
||||
via path traversal bypass
|
||||
|
||||
Loading…
Reference in New Issue
Block a user