Commit Graph

1 Commits

Author SHA1 Message Date
RHEL Packaging Agent
4e3ff3d4fe Fix CVE-2026-52858: possible code execution with python3complete
Backport fix for CVE-2026-52858 to vim on c8s. Two upstream
patches are applied:

- Patch 3059 (upstream 9.2.0561): Disables execution of
  import/from statements in python3complete.vim and
  pythoncomplete.vim unless g:pythoncomplete_allow_import
  is explicitly set by the user.
- Patch 3060 (upstream 9.2.0568): Follow-up fix adding
  missing 'import vim' in evalsource() so the opt-in
  variable is actually honored.

Both patches had src/version.c hunks stripped per
maintainer rules. Minor conflicts in filetype.txt and
test_popup.vim were resolved manually due to differences
between vim 8.0 and upstream.

CVE: CVE-2026-52858
Upstream patches:
 - 4b850457e1.patch
 - 868ad62cb8.patch
Resolves: RHEL-186648

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.

Assisted-by: Ymir
2026-07-01 16:18:53 +02:00