Commit Graph

1 Commits

Author SHA1 Message Date
Zdenek Dohnal
6a0060b814 Fix CVE-2026-47167: Code Injection in cucumber filetype plugin
Backport upstream fix (commit a65a52d6) for CVE-2026-47167 to
vim 8.0.1763 on c8s. The patch replaces the unsafe
Kernel.eval('/'+pattern+'/') call in cucumber.vim with
Regexp.new(pattern), preventing Ruby code injection through
malicious step definition patterns.

Added Patch3059 with adaptations for vim 8.0: replaced
CheckFeature with has() guard and adjusted mkdir/cleanup
calls for compatibility.

CVE: CVE-2026-47167
Upstream patches:
 - a65a52d684.patch
Resolves: RHEL-185863

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.

Assisted-by: Ymir
2026-07-01 10:46:23 +02:00