Backport upstream fix (commit a65a52d6) for CVE-2026-47167 to
vim 8.0.1763 on c8s. The patch replaces the unsafe
Kernel.eval('/'+pattern+'/') call in cucumber.vim with
Regexp.new(pattern), preventing Ruby code injection through
malicious step definition patterns.
Added Patch3059 with adaptations for vim 8.0: replaced
CheckFeature with has() guard and adjusted mkdir/cleanup
calls for compatibility.
CVE: CVE-2026-47167
Upstream patches:
- a65a52d684.patch
Resolves: RHEL-185863
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir
Backport upstream commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
to fix a command injection vulnerability (CVE-2026-46483) in
the vim tar plugin. The fix changes shellescape(tartail) to
shellescape(tartail, 1) in two places in the tar#Vimuntar()
function in runtime/autoload/tar.vim, ensuring proper shell
escaping when executing external commands via :! commands.
The patch was manually adapted for vim 8.0, omitting the
src/version.c hunk and the Vim9-based test file which are not
compatible with this version.
CVE: CVE-2026-46483
Upstream patches:
- 3fb5e58fbc.patch
Resolves: RHEL-178234
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir