From d67ec5a45f61c6444a6f634ff46166986a8a6da1 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Wed, 15 Apr 2026 04:35:57 -0400 Subject: [PATCH] import UBI vim-8.2.2637-23.el9_7.2 --- ...rash-when-recovering-from-corrupted-.patch | 108 +++++ ...ecurity-possible-command-injection-u.patch | 56 +++ ...ecurity-Crash-when-recovering-a-corr.patch | 456 ++++++++++++++++++ ...etrw-does-not-take-port-into-account.patch | 39 ++ ...ecurity-command-injection-via-newlin.patch | 40 ++ ...time-netrw-upstream-snapshot-of-v179.patch | 65 +++ SPECS/vim.spec | 31 +- 7 files changed, 794 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch create mode 100644 SOURCES/0001-patch-9.2.0073-security-possible-command-injection-u.patch create mode 100644 SOURCES/0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch create mode 100644 SOURCES/0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch create mode 100644 SOURCES/0001-patch-9.2.0202-security-command-injection-via-newlin.patch create mode 100644 SOURCES/0001-runtime-netrw-upstream-snapshot-of-v179.patch diff --git a/SOURCES/0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch b/SOURCES/0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch new file mode 100644 index 00000000..bc0fe031 --- /dev/null +++ b/SOURCES/0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch 
@@ -0,0 +1,108 @@ +diff -up vim82/src/errors.h.check-page-count vim82/src/errors.h +--- vim82/src/errors.h.check-page-count 2026-03-19 17:53:51.063638067 +0100 ++++ vim82/src/errors.h 2026-03-19 17:56:16.144187736 +0100 +@@ -391,3 +391,5 @@ EXTERN char e_string_or_function_require + EXTERN char e_illegal_character_in_word[] + INIT(= N_("E1280: Illegal character in word")); + #endif ++EXTERN char e_warning_pointer_block_corrupted[] ++ INIT(= N_("E1364: Warning: Pointer block corrupted")); +diff -up vim82/src/memfile.c.check-page-count vim82/src/memfile.c +--- vim82/src/memfile.c.check-page-count 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/memfile.c 2026-03-19 18:13:11.196323045 +0100 +@@ -432,7 +432,9 @@ mf_get(memfile_T *mfp, blocknr_T nr, int + * If not, allocate a new block. + */ + hp = mf_release(mfp, page_count); +- if (hp == NULL && (hp = mf_alloc_bhdr(mfp, page_count)) == NULL) ++ if (hp == NULL && page_count > 0) ++ hp = mf_alloc_bhdr(mfp, page_count); ++ if (hp == NULL) + return NULL; + + hp->bh_bnum = nr; +@@ -813,8 +815,10 @@ mf_release(memfile_T *mfp, int page_coun + */ + if (hp->bh_page_count != page_count) + { +- vim_free(hp->bh_data); +- if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL) ++ VIM_CLEAR(hp->bh_data); ++ if (page_count > 0) ++ hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count); ++ if (hp->bh_data == NULL) + { + vim_free(hp); + return NULL; +@@ -872,7 +876,7 @@ mf_release_all(void) + } + + /* +- * Allocate a block header and a block of memory for it ++ * Allocate a block header and a block of memory for it. + */ + static bhdr_T * + mf_alloc_bhdr(memfile_T *mfp, int page_count) +@@ -892,7 +896,7 @@ mf_alloc_bhdr(memfile_T *mfp, int page_c + } + + /* +- * Free a block header and the block of memory for it ++ * Free a block header and the block of memory for it. 
+ */ + static void + mf_free_bhdr(bhdr_T *hp) +@@ -902,7 +906,7 @@ mf_free_bhdr(bhdr_T *hp) + } + + /* +- * insert entry *hp in the free list ++ * Insert entry *hp in the free list. + */ + static void + mf_ins_free(memfile_T *mfp, bhdr_T *hp) +diff -up vim82/src/memline.c.check-page-count vim82/src/memline.c +--- vim82/src/memline.c.check-page-count 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/memline.c 2026-03-19 18:13:59.116720443 +0100 +@@ -96,6 +96,9 @@ struct pointer_block + // followed by empty space until end of page + }; + ++// Value for pb_count_max. ++#define PB_COUNT_MAX(mfp) (short_u)(((mfp)->mf_page_size - offsetof(PTR_BL, pb_pointer)) / sizeof(PTR_EN)) ++ + /* + * A data block is a leaf in the tree. + * +@@ -1505,6 +1508,20 @@ ml_recover(int checkext) + pp = (PTR_BL *)(hp->bh_data); + if (pp->pb_id == PTR_ID) // it is a pointer block + { ++ int ptr_block_error = FALSE; ++ if (pp->pb_count_max != PB_COUNT_MAX(mfp)) ++ { ++ ptr_block_error = TRUE; ++ pp->pb_count_max = PB_COUNT_MAX(mfp); ++ } ++ if (pp->pb_count > pp->pb_count_max) ++ { ++ ptr_block_error = TRUE; ++ pp->pb_count = pp->pb_count_max; ++ } ++ if (ptr_block_error) ++ emsg(_(e_warning_pointer_block_corrupted)); ++ + // check line count when using pointer block first time + if (idx == 0 && line_count != 0) + { +@@ -4040,8 +4057,7 @@ ml_new_ptr(memfile_T *mfp) + pp = (PTR_BL *)(hp->bh_data); + pp->pb_id = PTR_ID; + pp->pb_count = 0; +- pp->pb_count_max = (short_u)((mfp->mf_page_size - sizeof(PTR_BL)) +- / sizeof(PTR_EN) + 1); ++ pp->pb_count_max = PB_COUNT_MAX(mfp); + + return hp; + } +diff -up vim82/src/testdir/test_recover.vim.check-page-count vim82/src/testdir/test_recover.vim diff --git a/SOURCES/0001-patch-9.2.0073-security-possible-command-injection-u.patch b/SOURCES/0001-patch-9.2.0073-security-possible-command-injection-u.patch new file mode 100644 index 00000000..962ee487 --- /dev/null +++ b/SOURCES/0001-patch-9.2.0073-security-possible-command-injection-u.patch 
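Review bot: The nested patch ends with a bare `+diff -up vim82/src/testdir/test_recover.vim.check-page-count vim82/src/testdir/test_recover.vim` header with no `---`/`+++` lines or hunk behind it, so the test_recover.vim part of upstream 9.0.1477 appears to have been cut while its header was left in; GNU patch will probably treat that trailing line as garbage, and either way the new E1364 path is never exercised by the test suite. Either drop that line or carry the test hunk so a swap file with an out-of-range `pb_count` is covered at build time. The C side reads correctly: `PB_COUNT_MAX(mfp)` derives the limit from the page size and `offsetof(PTR_BL, pb_pointer)`, and `ml_recover` now clamps both `pb_count_max` and `pb_count` before the entries are walked, while `mf_get`/`mf_release` refuse a non-positive `page_count` instead of calling `alloc()` with it. Note the clamp only warns through `emsg()` and continues with the truncated block, which is the intended best-effort recovery; `ml_recover`, `mf_get` and `mf_release` all start and end outside their hunks.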
@@ -0,0 +1,56 @@ +diff -up vim91/runtime/autoload/netrw.vim.CVE-2026-28417 vim91/runtime/autoload/netrw.vim +--- vim91/runtime/autoload/netrw.vim.CVE-2026-28417 2026-03-17 19:22:17.101915588 +0100 ++++ vim91/runtime/autoload/netrw.vim 2026-03-17 19:32:29.134514079 +0100 +@@ -3376,13 +3376,26 @@ endif + + " s:NetrwValidateHostname: Validate that the hostname is valid {{{2 + " Input: +-" hostname ++" hostname, may include an optional username, e.g. user@hostname ++" allow a alphanumeric hostname or an IPv(4/6) address + " Output: + " true if g:netrw_machine is valid according to RFC1123 #Section 2 + fun! s:NetrwValidateHostname(hostname) +- " RFC1123#section-2 mandates, a valid hostname starts with letters or digits +- " so reject everyhing else +- return a:hostname =~? '^[a-z0-9]' ++ " Username: ++ let user_pat = '\%([a-zA-Z0-9._-]\+@\)\?' ++ " Hostname: 1-64 chars, alphanumeric/dots/hyphens. ++ " No underscores. No leading/trailing dots/hyphens. ++ let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]{,62}[a-zA-Z0-9]\)\?$' ++ ++ " IPv4: 1-3 digits separated by dots ++ let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}$' ++ ++ " IPv6: Hex, colons, and optional brackets ++ let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?$' ++ ++ return a:hostname =~? '^'.user_pat.host_pat || ++ \ a:hostname =~? '^'.user_pat.ipv4_pat || ++ \ a:hostname =~? '^'.user_pat.ipv6_pat + endfun + + " --------------------------------------------------------------------- +@@ -11880,15 +11893,15 @@ endfun + " a correct command for use with a system() call + fun! 
s:MakeSshCmd(sshcmd) + " call Dfunc("s:MakeSshCmd(sshcmd<".a:sshcmd.">) user<".s:user."> machine<".s:machine.">") +- if s:user == "" +- let sshcmd = substitute(a:sshcmd,'\',s:machine,'') +- else +- let sshcmd = substitute(a:sshcmd,'\',s:user."@".s:machine,'') ++ let machine = shellescape(s:machine, 1) ++ if s:user != '' ++ let machine = shellescape(s:user, 1).'@'.machine + endif ++ let sshcmd = substitute(a:sshcmd,'\',machine,'') + if exists("g:netrw_port") && g:netrw_port != "" +- let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.g:netrw_port,'') ++ let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.shellescape(g:netrw_port,1),'') + elseif exists("s:port") && s:port != "" +- let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.s:port,'') ++ let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.shellescape(s:port,1),'') + else + let sshcmd= substitute(sshcmd,"USEPORT ",'','') + endif diff --git a/SOURCES/0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch b/SOURCES/0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch new file mode 100644 index 00000000..d7262c2a --- /dev/null +++ b/SOURCES/0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch 
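Review bot: `s:NetrwValidateHostname` is a character allow-list, not an address-syntax check, and its header comment should say so: `ipv4_pat` accepts octets up to 999, `ipv6_pat` accepts any run of hex digits and colons with unbalanced brackets, and `host_pat` as written uses `{,62}`, which in Vim's default magic mode is a literal brace sequence rather than a quantifier (the 9.2.0089 patch later in this commit rewrites it as `\{0,62}`, so Patch3061 must never be applied without Patch3062). That is acceptable because the shell-safety of the value now comes from `shellescape()` in `s:MakeSshCmd`, but a reader of the validator alone would assume more; I would add under the Input: block: `" Note: the patterns below are character allow-lists, not full address checks; the value is still passed through shellescape() where a command is built (see s:MakeSshCmd).` Since `=~?` is case-insensitive the `A-Z` ranges are redundant, a style nit only. The `USEPORT` substitution now escapes `g:netrw_port`/`s:port` but not `g:netrw_sshport`, which is user configuration rather than remote input, so that looks intentional.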
@@ -0,0 +1,456 @@ +diff -up vim82/src/memline.c.CVE-2026-28421 vim82/src/memline.c +--- vim82/src/memline.c.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/memline.c 2026-03-19 10:42:50.113672743 +0100 +@@ -1536,8 +1536,12 @@ ml_recover(int checkext) + if (!cannot_open) + { + line_count = pp->pb_pointer[idx].pe_line_count; +- if (readfile(curbuf->b_ffname, NULL, lnum, +- pp->pb_pointer[idx].pe_old_lnum - 1, ++ linenr_T pe_old_lnum = pp->pb_pointer[idx].pe_old_lnum; ++ // Validate pe_line_count and pe_old_lnum from the ++ // untrusted swap file before passing to readfile(). ++ if (line_count <= 0 || pe_old_lnum < 1 || ++ readfile(curbuf->b_ffname, NULL, lnum, ++ pe_old_lnum - 1, + line_count, NULL, 0) != OK) + cannot_open = TRUE; + else +@@ -1568,6 +1572,27 @@ ml_recover(int checkext) + bnum = pp->pb_pointer[idx].pe_bnum; + line_count = pp->pb_pointer[idx].pe_line_count; + page_count = pp->pb_pointer[idx].pe_page_count; ++ // Validate pe_bnum and pe_page_count from the untrusted ++ // swap file before passing to mf_get(), which uses ++ // page_count to calculate allocation size. A bogus value ++ // (e.g. 0x40000000) would cause a multi-GB allocation. ++ // pe_page_count must be >= 1 and bnum + page_count must ++ // not exceed the number of pages in the swap file. ++ if (page_count < 1 ++ || bnum + page_count > mfp->mf_blocknr_max + 1) ++ { ++ ++error; ++ ml_append(lnum++, ++ (char_u *)_("???ILLEGAL BLOCK NUMBER"), ++ (colnr_T)0, TRUE); ++ // Skip this entry and pop back up the stack to keep ++ // recovering whatever else we can. 
++ idx = ip->ip_index + 1; ++ bnum = ip->ip_bnum; ++ page_count = 1; ++ --buf->b_ml.ml_stack_top; ++ continue; ++ } + idx = 0; + continue; + } +diff -up vim82/src/po/af.po.CVE-2026-28421 vim82/src/po/af.po +--- vim82/src/po/af.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/af.po 2026-03-19 10:52:18.095330396 +0100 +@@ -5342,3 +5342,6 @@ msgstr "E463: Omgewing is onder bewaking + + #~ msgid "WARNING: tag command changed a buffer!!!" + #~ msgstr "WAARSKUWING: etiketbevel het buffer verander!!!" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/ca.po.CVE-2026-28421 vim82/src/po/ca.po +--- vim82/src/po/ca.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/ca.po 2026-03-19 10:52:18.095330396 +0100 +@@ -6928,3 +6928,6 @@ msgid "" + msgstr "" + "Error en establir el path: sys.path no s una llista\n" + "Haureu d'afegir vim.VIM_SPECIAL_PATH a sys.path" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/cs.cp1250.po.CVE-2026-28421 vim82/src/po/cs.cp1250.po +--- vim82/src/po/cs.cp1250.po.CVE-2026-28421 2021-03-22 10:02:43.000000000 +0100 ++++ vim82/src/po/cs.cp1250.po 2026-03-19 10:42:50.114884754 +0100 +@@ -4620,3 +4620,6 @@ msgstr "Nulov poet" + + msgid "E81: Using not in a script context" + msgstr "E81: Pouit mimo kontext skriptu" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/cs.po.CVE-2026-28421 vim82/src/po/cs.po +--- vim82/src/po/cs.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/cs.po 2026-03-19 10:42:50.115102712 +0100 +@@ -4620,3 +4620,6 @@ msgstr "Nulov poet" + + msgid "E81: Using not in a script context" + msgstr "E81: Pouit mimo kontext skriptu" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/da.po.CVE-2026-28421 vim82/src/po/da.po +--- vim82/src/po/da.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/da.po 2026-03-19 10:42:50.115354083 +0100 +@@ -7090,3 +7090,6 @@ msgstr "" + 
"C-kildekode (*.c, *.h)\t*.c;*.h\n" + "C++-kildekode (*.cpp, *.hpp)\t*.cpp;*.hpp\n" + "Vim-filer (*.vim, _vimrc, _gvimrc)\t*.vim;_vimrc;_gvimrc\n" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/de.po.CVE-2026-28421 vim82/src/po/de.po +--- vim82/src/po/de.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/de.po 2026-03-19 10:52:18.095330396 +0100 +@@ -9491,3 +9491,6 @@ msgstr "Name der dynamischen MzScheme Bi + + msgid "name of the MzScheme GC dynamic library" + msgstr "Name der dynamischen MzScheme GC Bibliothek" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/en_GB.po.CVE-2026-28421 vim82/src/po/en_GB.po +--- vim82/src/po/en_GB.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/en_GB.po 2026-03-19 10:52:18.095330396 +0100 +@@ -763,3 +763,6 @@ msgid "can't delete OutputObject attribu + msgstr "cannot delete OutputObject attributes" + + ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/eo.po.CVE-2026-28421 vim82/src/po/eo.po +--- vim82/src/po/eo.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/eo.po 2026-03-19 10:52:18.095330396 +0100 +@@ -7874,3 +7874,6 @@ msgstr "gvim" + + msgid "Vim" + msgstr "Vim" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/es.po.CVE-2026-28421 vim82/src/po/es.po +--- vim82/src/po/es.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/es.po 2026-03-19 10:52:18.095330396 +0100 +@@ -6347,3 +6347,6 @@ msgid "search hit BOTTOM, continuing at + msgstr "La búsqueda ha llegado al FINAL, continuando desde el PRINCIPIO" + + ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/fi.po.CVE-2026-28421 vim82/src/po/fi.po +--- vim82/src/po/fi.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/fi.po 2026-03-19 10:52:18.095330396 +0100 +@@ -6982,3 +6982,6 @@ msgid "" + msgstr "" + "Ei onnistuttu asettaman polkua: sys.path ei ole list\n" + 
"Lisää vim.VIM_SPECIAL_PATH muuttujaan sys.path" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/fr.po.CVE-2026-28421 vim82/src/po/fr.po +--- vim82/src/po/fr.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/fr.po 2026-03-19 10:42:50.117725505 +0100 +@@ -8227,3 +8227,6 @@ msgstr "nom de la bibliothque dynamique + + msgid "name of the MzScheme dynamic library" + msgstr "nom de la bibliothque dynamique MzScheme" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/ga.po.CVE-2026-28421 vim82/src/po/ga.po +--- vim82/src/po/ga.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/ga.po 2026-03-19 10:52:18.095330396 +0100 +@@ -7461,3 +7461,6 @@ msgstr "" + + #~ msgid "E363: pattern caused out-of-stack error" + #~ msgstr "E363: ghin an patrn earrid as-an-chruach" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/it.po.CVE-2026-28421 vim82/src/po/it.po +--- vim82/src/po/it.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/it.po 2026-03-19 10:52:18.095330396 +0100 +@@ -6718,3 +6718,6 @@ msgstr "" + "Sorgenti C (*.c, *.h)\t*.c;*.h\n" + "Sorgenti C++ (*.cpp, *.hpp)\t*.cpp;*.hpp\n" + "File di Vim (*.vim, _vimrc, _gvimrc)\t*.vim;_vimrc;_gvimrc\n" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/ja.euc-jp.po.CVE-2026-28421 vim82/src/po/ja.euc-jp.po +--- vim82/src/po/ja.euc-jp.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/ja.euc-jp.po 2026-03-19 10:52:18.095330396 +0100 +@@ -7350,3 +7350,6 @@ msgstr "ƥ;ǥ;" + + #~ msgid "Vim" + #~ msgstr "" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/ja.po.CVE-2026-28421 vim82/src/po/ja.po +--- vim82/src/po/ja.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/ja.po 2026-03-19 10:52:18.095330396 +0100 +@@ -7350,3 +7350,6 @@ msgstr "テキスト;エディタ;" + + #~ msgid "Vim" + #~ msgstr "" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" 
+diff -up vim82/src/po/ja.sjis.po.CVE-2026-28421 vim82/src/po/ja.sjis.po +--- vim82/src/po/ja.sjis.po.CVE-2026-28421 2021-03-22 10:02:43.000000000 +0100 ++++ vim82/src/po/ja.sjis.po 2026-03-19 10:52:18.095330396 +0100 +@@ -7350,3 +7350,6 @@ msgstr "eLXg;GfB^;" + + #~ msgid "Vim" + #~ msgstr "" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/ko.po.CVE-2026-28421 vim82/src/po/ko.po +--- vim82/src/po/ko.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/ko.po 2026-03-19 10:42:50.120590463 +0100 +@@ -7002,3 +7002,6 @@ msgstr "" + "C ҽ (*.c, *.h)\t*.c;*.h\n" + "C++ ҽ (*.cpp, *.hpp)\t*.cpp;*.hpp\n" + "Vim (*.vim, _vimrc, _gvimrc)\t*.vim;_vimrc;_gvimrc\n" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/ko.UTF-8.po.CVE-2026-28421 vim82/src/po/ko.UTF-8.po +--- vim82/src/po/ko.UTF-8.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/ko.UTF-8.po 2026-03-19 10:42:50.120259142 +0100 +@@ -7002,3 +7002,6 @@ msgstr "" + "C 소스 (*.c, *.h)\t*.c;*.h\n" + "C++ 소스 (*.cpp, *.hpp)\t*.cpp;*.hpp\n" + "Vim 파일 (*.vim, _vimrc, _gvimrc)\t*.vim;_vimrc;_gvimrc\n" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/lv.po.CVE-2026-28421 vim82/src/po/lv.po +--- vim82/src/po/lv.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/lv.po 2026-03-19 10:42:50.120824441 +0100 +@@ -279,3 +279,6 @@ msgstr "E442: Nevar sadalīt kreiso aug + #, c-format + msgid "E447: Can't find file \"%s\" in path" + msgstr "E447: Failu \"%s\" ceļā nevar atrast" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/nb.po.CVE-2026-28421 vim82/src/po/nb.po +--- vim82/src/po/nb.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/nb.po 2026-03-19 10:42:50.120985413 +0100 +@@ -6121,3 +6121,6 @@ msgstr "Sket traff TOPPEN, fortsetter f + + msgid "search hit BOTTOM, continuing at TOP" + msgstr "Sket traff BUNNEN, fortsetter fra TOPPEN" ++ ++msgid "???ILLEGAL BLOCK 
NUMBER" ++msgstr "" +diff -up vim82/src/po/nl.po.CVE-2026-28421 vim82/src/po/nl.po +--- vim82/src/po/nl.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/nl.po 2026-03-19 10:42:50.121281247 +0100 +@@ -5830,3 +5830,6 @@ msgstr "\" Druk op op een index + + msgid "\" Hit on a \"set\" line to refresh it." + msgstr "\" Druk op op een \"set\" regel om te verversen." ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/no.po.CVE-2026-28421 vim82/src/po/no.po +--- vim82/src/po/no.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/no.po 2026-03-19 10:42:50.121569427 +0100 +@@ -6121,3 +6121,6 @@ msgstr "Sket traff TOPPEN, fortsetter f + + msgid "search hit BOTTOM, continuing at TOP" + msgstr "Sket traff BUNNEN, fortsetter fra TOPPEN" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/pl.cp1250.po.CVE-2026-28421 vim82/src/po/pl.cp1250.po +--- vim82/src/po/pl.cp1250.po.CVE-2026-28421 2021-03-22 10:02:43.000000000 +0100 ++++ vim82/src/po/pl.cp1250.po 2026-03-19 10:42:50.122232088 +0100 +@@ -6860,3 +6860,6 @@ msgstr "" + + #~ msgid "E569: maximum number of cscope connections reached" + #~ msgstr "E569: wyczerpano maksymaln liczb pocze cscope" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/pl.po.CVE-2026-28421 vim82/src/po/pl.po +--- vim82/src/po/pl.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/pl.po 2026-03-19 10:42:50.122584749 +0100 +@@ -6860,3 +6860,6 @@ msgstr "" + + #~ msgid "E569: maximum number of cscope connections reached" + #~ msgstr "E569: wyczerpano maksymaln liczb pocze cscope" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/pl.UTF-8.po.CVE-2026-28421 vim82/src/po/pl.UTF-8.po +--- vim82/src/po/pl.UTF-8.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/pl.UTF-8.po 2026-03-19 10:42:50.121888304 +0100 +@@ -6860,3 +6860,6 @@ msgstr "" + + #~ msgid "E569: maximum number of cscope connections 
reached" + #~ msgstr "E569: wyczerpano maksymalną liczbę połączeń cscope" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/pt_BR.po.CVE-2026-28421 vim82/src/po/pt_BR.po +--- vim82/src/po/pt_BR.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/pt_BR.po 2026-03-19 10:42:50.122933262 +0100 +@@ -7005,3 +7005,6 @@ msgid "" + msgstr "" + "Falha ao definir path: sys.path não é uma lista\n" + "Você deve adicionar vim.VIM_SPECIAL_PATH ao sys.path" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/ru.cp1251.po.CVE-2026-28421 vim82/src/po/ru.cp1251.po +--- vim82/src/po/ru.cp1251.po.CVE-2026-28421 2021-03-22 10:02:43.000000000 +0100 ++++ vim82/src/po/ru.cp1251.po 2026-03-19 10:52:18.095330396 +0100 +@@ -7482,3 +7482,6 @@ msgstr "gvim" + + msgid "Vim" + msgstr "Vim" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/ru.po.CVE-2026-28421 vim82/src/po/ru.po +--- vim82/src/po/ru.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/ru.po 2026-03-19 10:52:18.095330396 +0100 +@@ -7482,3 +7482,6 @@ msgstr "gvim" + + msgid "Vim" + msgstr "Vim" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/sk.cp1250.po.CVE-2026-28421 vim82/src/po/sk.cp1250.po +--- vim82/src/po/sk.cp1250.po.CVE-2026-28421 2021-03-22 10:02:43.000000000 +0100 ++++ vim82/src/po/sk.cp1250.po 2026-03-19 10:52:18.095330396 +0100 +@@ -5776,3 +5776,6 @@ msgstr "hadanie dosiahlo zaiatok, pokr + msgid "search hit BOTTOM, continuing at TOP" + msgstr "hadanie dosiahlo koniec, pokraovanie od zaiatku" + ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/sk.po.CVE-2026-28421 vim82/src/po/sk.po +--- vim82/src/po/sk.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/sk.po 2026-03-19 10:52:18.095330396 +0100 +@@ -5776,3 +5776,6 @@ msgstr "hadanie dosiahlo zaiatok, pokr + msgid "search hit BOTTOM, continuing at TOP" + msgstr "hadanie dosiahlo koniec, pokraovanie od 
zaiatku" + ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/sr.po.CVE-2026-28421 vim82/src/po/sr.po +--- vim82/src/po/sr.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/sr.po 2026-03-19 10:52:18.095330396 +0100 +@@ -9566,3 +9566,6 @@ msgstr "име MzScheme динамичк + + msgid "name of the MzScheme GC dynamic library" + msgstr "име MzScheme GC динамичке библиотеке" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/sv.po.CVE-2026-28421 vim82/src/po/sv.po +--- vim82/src/po/sv.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/sv.po 2026-03-19 10:42:50.125487116 +0100 +@@ -6103,3 +6103,6 @@ msgstr "skning ndde TOPPEN, fortstter + + msgid "search hit BOTTOM, continuing at TOP" + msgstr "skning ndde BOTTEN, forstter vid TOPPEN" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/tr.po.CVE-2026-28421 vim82/src/po/tr.po +--- vim82/src/po/tr.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/tr.po 2026-03-19 10:52:18.095330396 +0100 +@@ -9368,3 +9368,6 @@ msgstr "MzScheme devingen kitaplığın + + msgid "name of the MzScheme GC dynamic library" + msgstr "MzScheme GC devingen kitaplığının adı" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/uk.cp1251.po.CVE-2026-28421 vim82/src/po/uk.cp1251.po +--- vim82/src/po/uk.cp1251.po.CVE-2026-28421 2021-03-22 10:02:43.000000000 +0100 ++++ vim82/src/po/uk.cp1251.po 2026-03-19 10:52:18.095330396 +0100 +@@ -7324,3 +7324,6 @@ msgstr "" + " C (*.c, *.h)\t*.c;*.h\n" + " C++ (*.cpp, *.hpp)\t*.cpp;*.hpp\n" + " Vim (*.vim, _vimrc, _gvimrc)\t*.vim;_vimrc;_gvimrc\n" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/uk.po.CVE-2026-28421 vim82/src/po/uk.po +--- vim82/src/po/uk.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/uk.po 2026-03-19 10:52:18.095330396 +0100 +@@ -7324,3 +7324,6 @@ msgstr "" + "Першокод C (*.c, *.h)\t*.c;*.h\n" + "Першокод C++ 
(*.cpp, *.hpp)\t*.cpp;*.hpp\n" + "Файли Vim (*.vim, _vimrc, _gvimrc)\t*.vim;_vimrc;_gvimrc\n" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/vi.po.CVE-2026-28421 vim82/src/po/vi.po +--- vim82/src/po/vi.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/vi.po 2026-03-19 10:42:50.127177964 +0100 +@@ -5155,3 +5155,6 @@ msgstr "E449: Nhận được một bi + + msgid "E463: Region is guarded, cannot modify" + msgstr "E463: Không thể thay đổi vùng đã được bảo vệ" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/zh_CN.cp936.po.CVE-2026-28421 vim82/src/po/zh_CN.cp936.po +--- vim82/src/po/zh_CN.cp936.po.CVE-2026-28421 2021-03-22 10:02:43.000000000 +0100 ++++ vim82/src/po/zh_CN.cp936.po 2026-03-19 10:52:18.095330396 +0100 +@@ -6097,3 +6097,6 @@ msgstr "Ѳҵļβٴӿͷ + + #~ msgid "with BeOS GUI." + #~ msgstr "ʹ BeOS ͼν档" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/zh_CN.po.CVE-2026-28421 vim82/src/po/zh_CN.po +--- vim82/src/po/zh_CN.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/zh_CN.po 2026-03-19 10:52:18.095330396 +0100 +@@ -6097,3 +6097,6 @@ msgstr "Ѳҵļβٴӿͷ + + #~ msgid "with BeOS GUI." + #~ msgstr "ʹ BeOS ͼν档" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/zh_CN.UTF-8.po.CVE-2026-28421 vim82/src/po/zh_CN.UTF-8.po +--- vim82/src/po/zh_CN.UTF-8.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/zh_CN.UTF-8.po 2026-03-19 10:52:18.095330396 +0100 +@@ -6097,3 +6097,6 @@ msgstr "已查找到文件结尾,再 + + #~ msgid "with BeOS GUI." 
+ #~ msgstr "使用 BeOS 图形界面。" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/zh_TW.po.CVE-2026-28421 vim82/src/po/zh_TW.po +--- vim82/src/po/zh_TW.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/zh_TW.po 2026-03-19 10:42:50.128612401 +0100 +@@ -5223,3 +5223,6 @@ msgstr "E463: ϰQO@ALkק" + + #~ msgid "Retrieve next symbol" + #~ msgstr "Ū: qU symbol" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" +diff -up vim82/src/po/zh_TW.UTF-8.po.CVE-2026-28421 vim82/src/po/zh_TW.UTF-8.po +--- vim82/src/po/zh_TW.UTF-8.po.CVE-2026-28421 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/src/po/zh_TW.UTF-8.po 2026-03-19 10:42:50.128380597 +0100 +@@ -5230,3 +5230,6 @@ msgstr "E463: 區域被保護,無法 + + #~ msgid "Retrieve next symbol" + #~ msgstr "讀取: 從下個 symbol" ++ ++msgid "???ILLEGAL BLOCK NUMBER" ++msgstr "" diff --git a/SOURCES/0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch b/SOURCES/0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch new file mode 100644 index 00000000..15abf6ce --- /dev/null +++ b/SOURCES/0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch 
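Review bot: The new bound `bnum + page_count > mfp->mf_blocknr_max + 1` does not reject a negative `pe_bnum`: `blocknr_T` is a signed `long` in Vim's structs.h, so a negative `bnum` paired with a large `page_count` still sums below the limit and reaches `mf_get()` with exactly the multi-GB allocation the comment is trying to prevent, and for `bnum` near `LONG_MAX` the addition itself is signed overflow. Rewriting the condition so nothing is added to the untrusted value closes both, e.g. `if (bnum < 1 || page_count < 1 || page_count > mfp->mf_blocknr_max + 1 - bnum)`. `ml_recover` starts and ends outside the hunk, so I cannot see whether `ip` is guaranteed valid at the `--buf->b_ml.ml_stack_top` pop in the new error branch; worth confirming that the stack is non-empty whenever this entry is reached. The `.po` additions with empty `msgstr` are harmless but also unnecessary, since gettext falls back to the msgid for an untranslated string.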
@@ -0,0 +1,39 @@ +diff -up vim91/runtime/autoload/netrw.vim.validateportnum vim91/runtime/autoload/netrw.vim +--- vim91/runtime/autoload/netrw.vim.validateportnum 2026-03-17 19:35:34.062575124 +0100 ++++ vim91/runtime/autoload/netrw.vim 2026-03-17 19:39:39.005999509 +0100 +@@ -3376,7 +3376,8 @@ endif + + " s:NetrwValidateHostname: Validate that the hostname is valid {{{2 + " Input: +-" hostname, may include an optional username, e.g. user@hostname ++" hostname, may include an optional username and port number, e.g. ++" user@hostname:port + " allow a alphanumeric hostname or an IPv(4/6) address + " Output: + " true if g:netrw_machine is valid according to RFC1123 #Section 2 +@@ -3385,17 +3386,19 @@ fun! s:NetrwValidateHostname(hostname) + let user_pat = '\%([a-zA-Z0-9._-]\+@\)\?' + " Hostname: 1-64 chars, alphanumeric/dots/hyphens. + " No underscores. No leading/trailing dots/hyphens. +- let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]{,62}[a-zA-Z0-9]\)\?$' ++ let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]\{0,62}[a-zA-Z0-9]\)\?' ++ " Port: 16 bit unsigned integer ++ let port_pat = '\%(:\d\{1,5\}\)\?$' + + " IPv4: 1-3 digits separated by dots +- let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}$' ++ let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}' + + " IPv6: Hex, colons, and optional brackets +- let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?$' ++ let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?' + +- return a:hostname =~? '^'.user_pat.host_pat || +- \ a:hostname =~? '^'.user_pat.ipv4_pat || +- \ a:hostname =~? '^'.user_pat.ipv6_pat ++ return a:hostname =~? '^'.user_pat.host_pat.port_pat || ++ \ a:hostname =~? '^'.user_pat.ipv4_pat.port_pat || ++ \ a:hostname =~? '^'.user_pat.ipv6_pat.port_pat + endfun + + " --------------------------------------------------------------------- diff --git a/SOURCES/0001-patch-9.2.0202-security-command-injection-via-newlin.patch b/SOURCES/0001-patch-9.2.0202-security-command-injection-via-newlin.patch new file mode 100644 index 00000000..b9900642 
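Review bot: The comment `" Port: 16 bit unsigned integer` overstates what `port_pat` enforces: `\%(:\d\{1,5\}\)\?$` accepts `:0` and anything up to `:99999`, so values above 65535 pass the validator. Either the comment should read `" Port: 1-5 decimal digits; the numeric range is not checked here`, or, if a strict check is wanted, the port should be parsed and range-checked after the match rather than in the pattern. The same hunk also corrects the `{,62}` quantifier from the previous patch to `\{0,62}`, which is why Patch3062 must follow Patch3061 in the spec and the two cannot be cherry-picked separately.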
--- /dev/null
+++ b/SOURCES/0001-patch-9.2.0202-security-command-injection-via-newlin.patch
@@ -0,0 +1,40 @@
+From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001
+From: pyllyukko
+Date: Thu, 19 Mar 2026 19:58:05 +0000
+Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in
+ glob()
+
+Problem: The glob() function on Unix-like systems does not escape
+ newline characters when expanding wildcards. A maliciously
+ crafted string containing '\n' can be used as a command
+ separator to execute arbitrary shell commands via
+ mch_expand_wildcards(). This depends on the user's 'shell'
+ setting.
+Solution: Add the newline character ('\n') to the SHELL_SPECIAL
+ definition to ensure it is properly escaped before being
+ passed to the shell (pyllyukko).
+
+closes: #19746
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
+
+Signed-off-by: pyllyukko
+Signed-off-by: Christian Brabandt
+---
+ src/os_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/os_unix.c b/src/os_unix.c
+index 03f7649090c96..91bfd63d0dcb2 100644
+--- a/src/os_unix.c
++++ b/src/os_unix.c
+@@ -6772,7 +6772,7 @@ mch_expand_wildcards(
+ # define SEEK_END 2
+ #endif
+
+-#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|"
++#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n"
+
+ int
+ mch_expand_wildcards(
diff --git a/SOURCES/0001-runtime-netrw-upstream-snapshot-of-v179.patch b/SOURCES/0001-runtime-netrw-upstream-snapshot-of-v179.patch
new file mode 100644
index 00000000..f62fb1ac
--- /dev/null
+++ b/SOURCES/0001-runtime-netrw-upstream-snapshot-of-v179.patch
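Review bot: `SHELL_SPECIAL` carries no comment saying what the list is for, and the newline entry is exactly the kind of item a later reader may be tempted to tidy away; I would put above the `#define`: `// Characters that must be backslash-escaped in a pattern before it is handed to the shell for wildcard expansion; '\n' is included because it acts as a command separator in sh-style shells.` The nested patch's diffstat shows only `src/os_unix.c` changing, so no regression test for `glob()` with an embedded newline is carried — a testdir case would let this backport be verified during the build rather than by inspection. The body of `mch_expand_wildcards` that applies the escaping lies outside the hunk, so whether every shell style takes the same escaping path cannot be confirmed from here.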
@@ -0,0 +1,65 @@ +diff -up vim91/runtime/autoload/netrw.vim.validatehostname vim91/runtime/autoload/netrw.vim +--- vim91/runtime/autoload/netrw.vim.validatehostname 2024-02-09 06:33:54.000000000 +0100 ++++ vim91/runtime/autoload/netrw.vim 2026-03-17 19:16:22.210561235 +0100 +@@ -1453,6 +1453,10 @@ fun! netrw#Obtain(islocal,fname,...) + call s:SetupNetrwStatusLine('%f %h%m%r%=%9*Obtaining '.a:fname) + endif + call s:NetrwMethod(b:netrw_curdir) ++ if !s:NetrwValidateHostname(g:netrw_machine) ++ call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107) ++ return ++ endif + + if b:netrw_method == 4 + " obtain file using scp +@@ -2143,6 +2147,10 @@ fun! netrw#NetRead(mode,...) + " call Dret("netrw#NetRead : unsupported method") + return + endif ++ if !s:NetrwValidateHostname(g:netrw_machine) ++ call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107) ++ return ++ endif + let tmpfile= s:GetTempfile(b:netrw_fname) " apply correct suffix + + " Check whether or not NetrwBrowse() should be handling this request +@@ -2565,6 +2573,10 @@ fun! netrw#NetWrite(...) range + " call Dfunc("netrw#NetWrite : unsupported method") + return + endif ++ if !s:NetrwValidateHostname(g:netrw_machine) ++ call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107) ++ return ++ endif + + " ============= + " NetWrite: Perform Protocol-Based Write {{{3 +@@ -3362,6 +3374,17 @@ if has("win95") && exists("g:netrw_win95 + endfun + endif + ++" s:NetrwValidateHostname: Validate that the hostname is valid {{{2 ++" Input: ++" hostname ++" Output: ++" true if g:netrw_machine is valid according to RFC1123 #Section 2 ++fun! s:NetrwValidateHostname(hostname) ++ " RFC1123#section-2 mandates, a valid hostname starts with letters or digits ++ " so reject everyhing else ++ return a:hostname =~? 
'^[a-z0-9]'
++endfun
++
+ " ---------------------------------------------------------------------
+ " NetUserPass: set username and password for subsequent ftp transfer {{{2
+ " Usage: :call NetUserPass() -- will prompt for userid and password
+@@ -8842,6 +8865,10 @@ fun! s:NetrwUpload(fname,tgt,...)
+
+ elseif a:tgt =~ '^ftp:'
+ call s:NetrwMethod(a:tgt)
++ if !s:NetrwValidateHostname(g:netrw_machine)
++ call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107)
++ return
++ endif
+
+ if b:netrw_method == 2
+ " handle uploading a list of files via ftp+.netrc
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index a88e364a..d68dc1c0 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
URL: http://www.vim.org/
Name: vim
Version: %{baseversion}.%{patchlevel}
-Release: 23%{?dist}.1
+Release: 23%{?dist}.2
License: Vim and MIT
Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
Source1: virc
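Review bot: The hostname check is added at four call sites (`netrw#Obtain`, `netrw#NetRead`, `netrw#NetWrite` and the ftp branch of `s:NetrwUpload`), each right after `s:NetrwMethod(...)` has set `g:netrw_machine`; any other path in netrw.vim that reaches a shell command through `s:NetrwMethod` stays unchecked, and the visible hunk does not show, for instance, the non-ftp branches of `s:NetrwUpload` being covered. Moving the validation into `s:NetrwMethod` itself, or to the point where the command string is assembled, would make coverage independent of remembering every caller; `s:NetrwMethod` is not in view, so this is a suggestion to confirm against the full file. The initial `^[a-z0-9]` test inspects only the first character and is superseded by the stricter patterns of Patch3061 within this same commit, so the three netrw patches should be treated as one unit. All four enclosing functions start outside the hunk.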
@@ -156,6 +156,24 @@ Patch3057: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
# 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
Patch3058: 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
Patch3059: 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
+# RHEL-155437 CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin
+# 3 patches:
+# 0001-runtime-netrw-upstream-snapshot-of-v179.patch - introduces NetrwValidateHostname
+# 0001-patch-9.2.0073-security-possible-command-injection-u.patch - CVE patch which sanitizes hostnames
+# and reports invalid characters in SSH commands
+# 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch - include portnumber in hostname checking
+Patch3060: 0001-runtime-netrw-upstream-snapshot-of-v179.patch
+Patch3061: 0001-patch-9.2.0073-security-possible-command-injection-u.patch
+Patch3062: 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch
+# RHEL-155422 CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
+# 0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch - adds check for max page count, which fixes
+# crash which happens after applying 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
+# 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch - validates line count and page count from
+# untrusted swap file before passing it to read and allocation functions
+Patch3063: 0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch
+Patch3064: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
+# RHEL-159629 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
+Patch3065: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch
# gcc is no longer in buildroot by default
@@ -403,6 +421,12 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
%patch -P 3057 -p1 -b .CVE-2025-53906
%patch -P 3058 -p1 -b .tag-overflow
%patch -P 3059 -p1 -b .tag-overflow2
+%patch -P 3060 -p1 -b .validatehostname
+%patch -P 3061 -p1 -b .CVE-2026-28417
+%patch -P 3062 -p1 -b .validateportnum
+%patch -P 3063 -p1 -b .check-page-count
+%patch -P 3064 -p1 -b .CVE-2026-28421
+%patch -P 3065 -p1 -b .CVE-2026-33412
%build
cd src
@@ -960,6 +984,11 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
%endif
%changelog
+* Thu Mar 26 2026 Petr Dancak - 2:8.2.2637-23.2
+- RHEL-155437 CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin
+- RHEL-155422 CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
+- RHEL-159629 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
+
* Wed Feb 25 2026 Zdenek Dohnal - 2:8.2.2637-23.1 - RHEL-147940 CVE-2026-25749 vim: Heap Overflow in Vim