Commit Graph

1 Commits

Author SHA1 Message Date
RHEL Packaging Agent
9aca0db7e7 Fix CVE-2026-47162: netrw code injection via NetrwBookHistSave()
Backport upstream fix for CVE-2026-47162 which addresses a code
injection vulnerability in the netrw plugin's
NetrwBookHistSave() function. The fix uses string() to properly
quote directory names written to the netrw history file,
preventing malicious directory names from executing arbitrary
Vim commands when the history is sourced.

The patch was adapted from upstream commit f08ab2f4d7d2 for
vim 8.0: adjusted file path to runtime/autoload/netrw.vim,
adapted the setline() call to the downstream loop pattern,
and created a minimal test file for the injection scenario.

CVE: CVE-2026-47162
Upstream patches:
 - f08ab2f4d7.patch
Resolves: RHEL-186656

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.

Assisted-by: Ymir
2026-07-01 16:14:58 +02:00