Backport upstream fix for CVE-2026-47162 which addresses a code
injection vulnerability in the netrw plugin's
NetrwBookHistSave() function. The fix uses string() to properly
quote directory names written to the netrw history file,
preventing malicious directory names from executing arbitrary
Vim commands when the history is sourced.
The patch was adapted from upstream commit f08ab2f4d7d2 for
vim 8.0: adjusted file path to runtime/autoload/netrw.vim,
adapted the setline() call to the downstream loop pattern,
and created a minimal test file for the injection scenario.
CVE: CVE-2026-47162
Upstream patches:
- f08ab2f4d7.patch
Resolves: RHEL-186656
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir