import CS git vim-8.0.1763-22.el8_10.1

2026-04-07 19:02:55 -04:00
7 changed files with 736 additions and 2 deletions
--- a/SOURCES/0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch
+++ b/SOURCES/0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch
@ -0,0 +1,109 @@
 diff -up vim80/src/globals.h.check-page-count vim80/src/globals.h
 --- vim80/src/globals.h.check-page-count	2026-03-19 17:53:51.063638067 +0100
 +++ vim80/src/globals.h	2026-03-19 17:56:16.144187736 +0100
@@ -1584,6 +1584,7 @@
 #endif
 EXTERN char_u e_dirnotf[]	INIT(= N_("E919: Directory not found in '%s': \"%s\""));
 EXTERN char_u e_au_recursive[]	INIT(= N_("E952: Autocommand caused recursive behavior"));
 +EXTERN char_u e_warning_pointer_block_corrupted[] INIT(= N_("E1364: Warning: Pointer block corrupted"));
 #ifdef FEAT_GUI_MAC
 EXTERN short disallow_gui	INIT(= FALSE);
 diff -up vim80/src/memfile.c.check-page-count vim80/src/memfile.c
 --- vim80/src/memfile.c.check-page-count	2021-03-22 10:02:42.000000000 +0100
 +++ vim80/src/memfile.c	2026-03-19 18:13:11.196323045 +0100
@@ -432,7 +432,9 @@ mf_get(memfile_T *mfp, blocknr_T nr, int
 	 * If not, allocate a new block.
 	 */
 	hp = mf_release(mfp, page_count);
 -	if (hp == NULL && (hp = mf_alloc_bhdr(mfp, page_count)) == NULL)
 +	if (hp == NULL && page_count > 0)
 +	    hp = mf_alloc_bhdr(mfp, page_count);
 +	if (hp == NULL)
 	    return NULL;
 	hp->bh_bnum = nr;
@@ -813,8 +815,10 @@ mf_release(memfile_T *mfp, int page_coun
      */
     if (hp->bh_page_count != page_count)
     {
 -	vim_free(hp->bh_data);
 -	if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL)
 +	VIM_CLEAR(hp->bh_data);
 +	if (page_count > 0)
 +	    hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count);
 +	if (hp->bh_data == NULL)
 	{
 	    vim_free(hp);
 	    return NULL;
@@ -872,7 +876,7 @@ mf_release_all(void)
 }
 /*
 - * Allocate a block header and a block of memory for it
 + * Allocate a block header and a block of memory for it.
  */
     static bhdr_T *
 mf_alloc_bhdr(memfile_T *mfp, int page_count)
@@ -892,7 +896,7 @@ mf_alloc_bhdr(memfile_T *mfp, int page_c
 }
 /*
 - * Free a block header and the block of memory for it
 + * Free a block header and the block of memory for it.
  */
     static void
 mf_free_bhdr(bhdr_T *hp)
@@ -902,7 +906,7 @@ mf_free_bhdr(bhdr_T *hp)
 }
 /*
 - * insert entry *hp in the free list
 + * Insert entry *hp in the free list.
  */
     static void
 mf_ins_free(memfile_T *mfp, bhdr_T *hp)
 diff -up vim80/src/memline.c.check-page-count vim80/src/memline.c
 --- vim80/src/memline.c.check-page-count	2021-03-22 10:02:42.000000000 +0100
 +++ vim80/src/memline.c	2026-03-19 18:13:59.116720443 +0100
@@ -96,6 +96,9 @@ struct pointer_block
 				 * followed by empty space until end of page */
 };
 +// Value for pb_count_max.
 +#define PB_COUNT_MAX(mfp) (short_u)(((mfp)->mf_page_size - offsetof(PTR_BL, pb_pointer)) / sizeof(PTR_EN))
 +
 /*
  * A data block is a leaf in the tree.
  *
@@ -1505,6 +1508,20 @@ ml_recover(int checkext)
 	    pp = (PTR_BL *)(hp->bh_data);
 	    if (pp->pb_id == PTR_ID)		/* it is a pointer block */
 	    {
 +		int ptr_block_error = FALSE;
 +		if (pp->pb_count_max != PB_COUNT_MAX(mfp))
 +		{
 +		    ptr_block_error = TRUE;
 +		    pp->pb_count_max = PB_COUNT_MAX(mfp);
 +		}
 +		if (pp->pb_count > pp->pb_count_max)
 +		{
 +		    ptr_block_error = TRUE;
 +		    pp->pb_count = pp->pb_count_max;
 +		}
 +		if (ptr_block_error)
 +		    EMSG(_(e_warning_pointer_block_corrupted));
 +
 		/* check line count when using pointer block first time */
 		if (idx == 0 && line_count != 0)
 		{
@@ -4040,8 +4057,7 @@ ml_new_ptr(memfile_T *mfp)
     pp = (PTR_BL *)(hp->bh_data);
     pp->pb_id = PTR_ID;
     pp->pb_count = 0;
 -    pp->pb_count_max = (short_u)((mfp->mf_page_size - sizeof(PTR_BL))
 -							/ sizeof(PTR_EN) + 1);
 +    pp->pb_count_max = PB_COUNT_MAX(mfp);
     return hp;
 }
--- a/SOURCES/0001-patch-9.2.0073-security-possible-command-injection-u.patch
+++ b/SOURCES/0001-patch-9.2.0073-security-possible-command-injection-u.patch
@ -0,0 +1,56 @@
 diff -up vim91/runtime/autoload/netrw.vim.CVE-2026-28417 vim91/runtime/autoload/netrw.vim
 --- vim91/runtime/autoload/netrw.vim.CVE-2026-28417	2026-03-17 19:22:17.101915588 +0100
 +++ vim91/runtime/autoload/netrw.vim	2026-03-17 19:32:29.134514079 +0100
@@ -3376,13 +3376,26 @@ endif
 " s:NetrwValidateHostname:  Validate that the hostname is valid {{{2
 " Input:
 -"   hostname
 +"   hostname, may include an optional username, e.g. user@hostname
 +"   allow a alphanumeric hostname or an IPv(4/6) address
 " Output:
 "  true if g:netrw_machine is valid according to RFC1123 #Section 2
 fun! s:NetrwValidateHostname(hostname)
 -    " RFC1123#section-2 mandates, a valid hostname starts with letters or digits
 -    " so reject everyhing else
 -    return a:hostname =~? '^[a-z0-9]'
 +  " Username:
 +  let user_pat = '\%([a-zA-Z0-9._-]\+@\)\?'
 +  " Hostname: 1-64 chars, alphanumeric/dots/hyphens.
 +  " No underscores. No leading/trailing dots/hyphens.
 +  let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]{,62}[a-zA-Z0-9]\)\?$'
 +
 +  " IPv4: 1-3 digits separated by dots
 +  let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}$'
 +
 +  " IPv6: Hex, colons, and optional brackets
 +  let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?$'
 +
 +  return a:hostname =~? '^'.user_pat.host_pat ||
 +       \ a:hostname =~? '^'.user_pat.ipv4_pat ||
 +       \ a:hostname =~? '^'.user_pat.ipv6_pat
 endfun
 " ---------------------------------------------------------------------
@@ -11880,15 +11893,15 @@ endfun
 "               a correct command for use with a system() call
 fun! s:MakeSshCmd(sshcmd)
 "  call Dfunc("s:MakeSshCmd(sshcmd<".a:sshcmd.">) user<".s:user."> machine<".s:machine.">")
 -  if s:user == ""
 -   let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',s:machine,'')
 -  else
 -   let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',s:user."@".s:machine,'')
 +  let machine = shellescape(s:machine, 1)
 +  if s:user != ''
 +      let machine    = shellescape(s:user, 1).'@'.machine
   endif
 +  let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',machine,'')
   if exists("g:netrw_port") && g:netrw_port != ""
 -   let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.g:netrw_port,'')
 +   let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.shellescape(g:netrw_port,1),'')
   elseif exists("s:port") && s:port != ""
 -   let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.s:port,'')
 +   let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' '.shellescape(s:port,1),'')
   else
    let sshcmd= substitute(sshcmd,"USEPORT ",'','')
   endif
--- a/SOURCES/0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
+++ b/SOURCES/0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
@ -0,0 +1,397 @@
 diff -up vim80/src/memline.c.CVE-2026-28421 vim80/src/memline.c
 --- vim80/src/memline.c.CVE-2026-28421	2021-03-22 10:02:42.000000000 +0100
 +++ vim80/src/memline.c	2026-03-19 10:42:50.113672743 +0100
@@ -1536,8 +1536,12 @@ ml_recover(int checkext)
 			if (!cannot_open)
 			{
 			    line_count = pp->pb_pointer[idx].pe_line_count;
 -			    if (readfile(curbuf->b_ffname, NULL, lnum,
 -					pp->pb_pointer[idx].pe_old_lnum - 1,
 +			    linenr_T pe_old_lnum = pp->pb_pointer[idx].pe_old_lnum;
 +			    // Validate pe_line_count and pe_old_lnum from the
 +			    // untrusted swap file before passing to readfile().
 +			    if (line_count <= 0 || pe_old_lnum < 1 ||
 +				    readfile(curbuf->b_ffname, NULL, lnum,
 +					pe_old_lnum - 1,
 					line_count, NULL, 0) != OK)
 				cannot_open = TRUE;
 			    else
@@ -1568,6 +1572,27 @@ ml_recover(int checkext)
 		    bnum = pp->pb_pointer[idx].pe_bnum;
 		    line_count = pp->pb_pointer[idx].pe_line_count;
 		    page_count = pp->pb_pointer[idx].pe_page_count;
 +		    // Validate pe_bnum and pe_page_count from the untrusted
 +		    // swap file before passing to mf_get(), which uses
 +		    // page_count to calculate allocation size.  A bogus value
 +		    // (e.g. 0x40000000) would cause a multi-GB allocation.
 +		    // pe_page_count must be >= 1 and bnum + page_count must
 +		    // not exceed the number of pages in the swap file.
 +		    if (page_count < 1
 +			    || bnum + page_count > mfp->mf_blocknr_max + 1)
 +		    {
 +			++error;
 +			ml_append(lnum++,
 +				(char_u *)_("???ILLEGAL BLOCK NUMBER"),
 +				(colnr_T)0, TRUE);
 +			// Skip this entry and pop back up the stack to keep
 +			// recovering whatever else we can.
 +			idx = ip->ip_index + 1;
 +			bnum = ip->ip_bnum;
 +			page_count = 1;
 +			--buf->b_ml.ml_stack_top;
 +			continue;
 +		    }
 		    idx = 0;
 		    continue;
 		}
 --- vim80/src/po/af.po.CVE-2026-28421	2026-04-01 09:23:53.971493324 -0400
 +++ vim80/src/po/af.po	2026-04-01 09:23:53.971493324 -0400
@@ -5391,3 +5391,6 @@ msgstr "E463: Omgewing is onder bewaking
 #~ msgid "WARNING: tag command changed a buffer!!!"
 #~ msgstr "WAARSKUWING: etiketbevel het buffer verander!!!"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/ca.po.CVE-2026-28421	2026-04-01 09:23:53.976493324 -0400
 +++ vim80/src/po/ca.po	2026-04-01 09:23:53.976493324 -0400
@@ -6937,3 +6937,6 @@ msgid ""
 msgstr ""
 "Error en establir el path: sys.path no és una llista\n"
 "Hauríeu d'afegir vim.VIM_SPECIAL_PATH a sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/cs.cp1250.po.CVE-2026-28421	2026-04-01 09:23:53.981493324 -0400
 +++ vim80/src/po/cs.cp1250.po	2026-04-01 09:23:53.981493324 -0400
@@ -4658,3 +4658,6 @@ msgstr "Nulový poèet"
 msgid "E81: Using <SID> not in a script context"
 msgstr "E81: Použití <SID> mimo kontext skriptu"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/cs.po.CVE-2026-28421	2026-04-01 09:23:53.986493324 -0400
 +++ vim80/src/po/cs.po	2026-04-01 09:23:53.987493324 -0400
@@ -4658,3 +4658,6 @@ msgstr "Nulový poèet"
 msgid "E81: Using <SID> not in a script context"
 msgstr "E81: Pou¾ití <SID> mimo kontext skriptu"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/de.po.CVE-2026-28421	2026-04-01 09:23:53.992493324 -0400
 +++ vim80/src/po/de.po	2026-04-01 09:23:53.992493324 -0400
@@ -7101,3 +7101,6 @@ msgid ""
 msgstr ""
 "Fehler beim setzen des Pfades: sys.path ist keine Liste\n"
 "Fügen Sie vim.VIM_SPECIAL_PATH zu sys.path hinzu"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/en_GB.po.CVE-2026-28421	2026-04-01 09:23:53.998493324 -0400
 +++ vim80/src/po/en_GB.po	2026-04-01 09:23:53.999493324 -0400
@@ -765,3 +765,6 @@ msgid "can't delete OutputObject attribu
 msgstr "cannot delete OutputObject attributes"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/eo.po.CVE-2026-28421	2026-04-01 09:23:54.005493324 -0400
 +++ vim80/src/po/eo.po	2026-04-01 09:23:54.005493324 -0400
@@ -7024,3 +7024,6 @@ msgid ""
 msgstr ""
 "Agordo de serÄ‰vojo malsukcesis: sys.path ne estas listo\n"
 "Vi nun devas aldoni vim.VIM_SPECIAL_PATH al sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/es.po.CVE-2026-28421	2026-04-01 09:23:54.010493324 -0400
 +++ vim80/src/po/es.po	2026-04-01 09:23:54.011493324 -0400
@@ -8275,3 +8275,6 @@ msgstr "La bÃºsqueda ha llegado al FINAL
 #~ msgid "-V[N]\t\tVerbose level"
 #~ msgstr "-V[N]\t\tNivel de verbosidad (traza de ejecuciÃ³n)"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/fi.po.CVE-2026-28421	2026-04-01 09:23:54.016493324 -0400
 +++ vim80/src/po/fi.po	2026-04-01 09:23:54.016493324 -0400
@@ -6991,3 +6991,6 @@ msgid ""
 msgstr ""
 "Ei onnistuttu asettaman polkua: sys.path ei ole list\n"
 "LisÃ¤Ã¤ vim.VIM_SPECIAL_PATH muuttujaan sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/fr.po.CVE-2026-28421	2026-04-01 09:23:54.021493324 -0400
 +++ vim80/src/po/fr.po	2026-04-01 09:23:54.021493324 -0400
@@ -7306,3 +7306,6 @@ msgid ""
 msgstr ""
 "Impossible d'initialiser le chemin : sys.math n'est pas une liste\n"
 "Vous devez maintenant ajouter vim.VIM_SPECIAL_PATH à sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/ga.po.CVE-2026-28421	2026-04-01 09:23:54.026493324 -0400
 +++ vim80/src/po/ga.po	2026-04-01 09:23:54.026493324 -0400
@@ -7509,3 +7509,6 @@ msgstr ""
 #~ msgid "E363: pattern caused out-of-stack error"
 #~ msgstr "E363: ghin an patrún earráid as-an-chruach"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/it.po.CVE-2026-28421	2026-04-01 09:23:54.031493324 -0400
 +++ vim80/src/po/it.po	2026-04-01 09:23:54.031493324 -0400
@@ -7015,3 +7015,6 @@ msgstr ""
 "Dovresti aggiungere vim.VIM_SPECIAL_PATH a sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/ja.euc-jp.po.CVE-2026-28421	2026-04-01 09:23:54.036493324 -0400
 +++ vim80/src/po/ja.euc-jp.po	2026-04-01 09:23:54.036493324 -0400
@@ -7031,3 +7031,6 @@ msgid ""
 msgstr ""
 "¥Ñ¥¹¤ÎÀßÄê¤Ë¼ºÇÔ¤·¤Þ¤·¤¿: sys.path ¤¬¥ê¥¹¥È¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó\n"
 "¤¹¤°¤Ë vim.VIM_SPECIAL_PATH ¤ò sys.path ¤ËÄÉ²Ã¤·¤Æ¤¯¤À¤µ¤¤"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/ja.po.CVE-2026-28421	2026-04-01 09:23:54.041493324 -0400
 +++ vim80/src/po/ja.po	2026-04-01 09:23:54.041493324 -0400
@@ -7031,3 +7031,6 @@ msgid ""
 msgstr ""
 "ãƒ‘ã‚¹ã<C2B9>®è¨å®šã<C5A1>«å¤±æ•—ã<E28094>—ã<E28094>¾ã<C2BE>—ã<E28094>Ÿ: sys.path ã<>Œãƒªã‚¹ãƒˆã<CB86>§ã<C2A7>¯ã<C2AF>‚ã‚Šã<C5A0>¾ã<C2BE>›ã‚“\n"
 "ã<>™ã<E284A2><C3A3>ã<EFBFBD>« vim.VIM_SPECIAL_PATH ã‚’ sys.path ã<>«è¿½åŠ ã<C2A0>—ã<E28094>¦ã<C2A6><C3A3>ã<EFBFBD> ã<C2A0>•ã<E280A2>„"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/ja.sjis.po.CVE-2026-28421	2026-04-01 09:23:54.046493324 -0400
 +++ vim80/src/po/ja.sjis.po	2026-04-01 09:23:54.046493324 -0400
@@ -7031,3 +7031,6 @@ msgid ""
 msgstr ""
 "ƒpƒX‚Ì<E2809A>Ý’è‚ÉŽ¸”s‚µ‚Ü‚µ‚½: sys.path ‚ªƒŠƒXƒg‚Å‚Í‚ ‚è‚Ü‚¹‚ñ\n"
 "‚·‚®‚É vim.VIM_SPECIAL_PATH ‚ð sys.path ‚É’Ç‰Á‚µ‚Ä‚‚¾‚³‚¢"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/ko.po.CVE-2026-28421	2026-04-01 09:23:54.051493324 -0400
 +++ vim80/src/po/ko.po	2026-04-01 09:23:54.051493324 -0400
@@ -6951,3 +6951,6 @@ msgstr "%sÀ»(¸¦) vim list·Î º¯°æÇÒ ¼ö ¾ø
 #~ "Failed to set path: sys.path is not a list\n"
 #~ "You should now append vim.VIM_SPECIAL_PATH to sys.path"
 #~ msgstr ""
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/ko.UTF-8.po.CVE-2026-28421	2026-04-01 09:23:54.056493324 -0400
 +++ vim80/src/po/ko.UTF-8.po	2026-04-01 09:23:54.056493324 -0400
@@ -6951,3 +6951,6 @@ msgstr "%sì<73>„(ë¥¼) vim listë¡œ ë³€ê²½í• 
 #~ "Failed to set path: sys.path is not a list\n"
 #~ "You should now append vim.VIM_SPECIAL_PATH to sys.path"
 #~ msgstr ""
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/lv.po.CVE-2026-28421	2026-04-01 09:23:54.061493324 -0400
 +++ vim80/src/po/lv.po	2026-04-01 09:23:54.061493324 -0400
@@ -280,3 +280,6 @@ msgstr "E442: Nevar sadalÄ«t kreiso augÅ
 #, c-format
 msgid "E447: Can't find file \"%s\" in path"
 msgstr "E447: Failu \"%s\" ceÄ¼Ä<C2BC> nevar atrast"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/nb.po.CVE-2026-28421	2026-04-01 09:23:54.066493324 -0400
 +++ vim80/src/po/nb.po	2026-04-01 09:23:54.066493324 -0400
@@ -6164,3 +6164,6 @@ msgstr "Søket traff TOPPEN, fortsetter f
 msgid "search hit BOTTOM, continuing at TOP"
 msgstr "Søket traff BUNNEN, fortsetter fra TOPPEN"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/nl.po.CVE-2026-28421	2026-04-01 09:23:54.071493324 -0400
 +++ vim80/src/po/nl.po	2026-04-01 09:23:54.071493324 -0400
@@ -5850,3 +5850,6 @@ msgstr "zoeken bereikte TOP, verder vana
 msgid "search hit BOTTOM, continuing at TOP"
 msgstr "zoeken bereikte BODEM, verder vanaf TOP"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/no.po.CVE-2026-28421	2026-04-01 09:23:54.076493324 -0400
 +++ vim80/src/po/no.po	2026-04-01 09:23:54.076493324 -0400
@@ -6164,3 +6164,6 @@ msgstr "Søket traff TOPPEN, fortsetter f
 msgid "search hit BOTTOM, continuing at TOP"
 msgstr "Søket traff BUNNEN, fortsetter fra TOPPEN"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/pl.cp1250.po.CVE-2026-28421	2026-04-01 09:23:54.081493324 -0400
 +++ vim80/src/po/pl.cp1250.po	2026-04-01 09:23:54.081493324 -0400
@@ -6903,3 +6903,6 @@ msgstr ""
 #~ msgid "E569: maximum number of cscope connections reached"
 #~ msgstr "E569: wyczerpano maksymaln¹ liczbê po³¹czeñ cscope"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/pl.po.CVE-2026-28421	2026-04-01 09:23:54.086493324 -0400
 +++ vim80/src/po/pl.po	2026-04-01 09:23:54.086493324 -0400
@@ -6903,3 +6903,6 @@ msgstr ""
 #~ msgid "E569: maximum number of cscope connections reached"
 #~ msgstr "E569: wyczerpano maksymaln± liczbê po³±czeñ cscope"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/pl.UTF-8.po.CVE-2026-28421	2026-04-01 09:23:54.091493324 -0400
 +++ vim80/src/po/pl.UTF-8.po	2026-04-01 09:23:54.091493324 -0400
@@ -6903,3 +6903,6 @@ msgstr ""
 #~ msgid "E569: maximum number of cscope connections reached"
 #~ msgstr "E569: wyczerpano maksymalnÄ… liczbÄ™ poÅ‚Ä…czeÅ„ cscope"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/pt_BR.po.CVE-2026-28421	2026-04-01 09:23:54.096493324 -0400
 +++ vim80/src/po/pt_BR.po	2026-04-01 09:23:54.096493324 -0400
@@ -7013,3 +7013,6 @@ msgid ""
 msgstr ""
 "Falha ao definir path: sys.path nÃ£o Ã© uma lista\n"
 "VocÃª deve adicionar vim.VIM_SPECIAL_PATH ao sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/ru.cp1251.po.CVE-2026-28421	2026-04-01 09:23:54.101493324 -0400
 +++ vim80/src/po/ru.cp1251.po	2026-04-01 09:23:54.101493324 -0400
@@ -6932,3 +6932,6 @@ msgstr ""
 "Îøèáêà ïðè óñòàíîâêå ïóòè: sys.path íå ÿâëÿåòñÿ ñïèñêîì\n"
 "Ñëåäóåò äîáàâèòü vim.VIM_SPECIAL_PATH â sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/ru.po.CVE-2026-28421	2026-04-01 09:23:54.106493324 -0400
 +++ vim80/src/po/ru.po	2026-04-01 09:23:54.106493324 -0400
@@ -6932,3 +6932,6 @@ msgstr ""
 "ÐžÑˆÐ¸Ð±ÐºÐ° Ð¿Ñ€Ð¸ ÑƒÑ<C692>Ñ‚Ð°Ð½Ð¾Ð²ÐºÐµ Ð¿ÑƒÑ‚Ð¸: sys.path Ð½Ðµ Ñ<>Ð²Ð»Ñ<C2BB>ÐµÑ‚Ñ<E2809A>Ñ<EFBFBD> Ñ<>Ð¿Ð¸Ñ<C2B8>ÐºÐ¾Ð¼\n"
 "Ð¡Ð»ÐµÐ´ÑƒÐµÑ‚ Ð´Ð¾Ð±Ð°Ð²Ð¸Ñ‚ÑŒ vim.VIM_SPECIAL_PATH Ð² sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/sk.cp1250.po.CVE-2026-28421	2026-04-01 09:23:54.111493324 -0400
 +++ vim80/src/po/sk.cp1250.po	2026-04-01 09:23:54.111493324 -0400
@@ -5820,3 +5820,6 @@ msgstr "h¾adanie dosiahlo zaèiatok, pokr
 msgid "search hit BOTTOM, continuing at TOP"
 msgstr "h¾adanie dosiahlo koniec, pokraèovanie od zaèiatku"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/sk.po.CVE-2026-28421	2026-04-01 09:23:54.116493324 -0400
 +++ vim80/src/po/sk.po	2026-04-01 09:23:54.116493324 -0400
@@ -5820,3 +5820,6 @@ msgstr "hµadanie dosiahlo zaèiatok, pokr
 msgid "search hit BOTTOM, continuing at TOP"
 msgstr "hµadanie dosiahlo koniec, pokraèovanie od zaèiatku"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/sr.po.CVE-2026-28421	2026-04-01 09:23:54.121493324 -0400
 +++ vim80/src/po/sr.po	2026-04-01 09:23:54.122493324 -0400
@@ -6916,3 +6916,6 @@ msgid ""
 msgstr ""
 "ÐŸÑƒÑ‚Ð°ÑšÐ° Ð½Ð¸Ñ˜Ðµ Ð¼Ð¾Ð³Ð»Ð° Ð´Ð° Ñ<>Ðµ Ð¿Ð¾Ñ<C2BE>Ñ‚Ð°Ð²Ð¸: sys.path Ð½Ð¸Ñ˜Ðµ Ñƒ Ð»Ð¸Ñ<C2B8>Ñ‚Ð¸\n"
 "Ð¡Ð°Ð´Ð° Ð±Ð¸ Ñ‚Ñ€ÐµÐ±Ð°Ð»Ð¾ Ð´Ð° Ð´Ð¾Ð´Ð°Ñ‚Ðµ vim.VIM_SPECIAL_PATH Ð½Ð° ÐºÑ€Ð°Ñ˜ sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/sv.po.CVE-2026-28421	2026-04-01 09:23:54.127493324 -0400
 +++ vim80/src/po/sv.po	2026-04-01 09:23:54.127493324 -0400
@@ -6146,3 +6146,6 @@ msgstr "sökning nådde TOPPEN, fortsätter
 msgid "search hit BOTTOM, continuing at TOP"
 msgstr "sökning nådde BOTTEN, forsätter vid TOPPEN"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/uk.cp1251.po.CVE-2026-28421	2026-04-01 09:23:54.132493324 -0400
 +++ vim80/src/po/uk.cp1251.po	2026-04-01 09:23:54.132493324 -0400
@@ -7272,3 +7272,6 @@ msgid ""
 msgstr ""
 "Íå âäàëîñÿ âñòàíîâèòè øëÿõ: sys.path íå ñïèñîê\n"
 "Âàñ ñë³ä äîäàòè vim.VIM_SPECIAL_PATH äî sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/uk.po.CVE-2026-28421	2026-04-01 09:23:54.137493324 -0400
 +++ vim80/src/po/uk.po	2026-04-01 09:23:54.137493324 -0400
@@ -7272,3 +7272,6 @@ msgid ""
 msgstr ""
 "Ð<>Ðµ Ð²Ð´Ð°Ð»Ð¾Ñ<C2BE>Ñ<EFBFBD> Ð²Ñ<C2B2>Ñ‚Ð°Ð½Ð¾Ð²Ð¸Ñ‚Ð¸ ÑˆÐ»Ñ<C2BB>Ñ…: sys.path Ð½Ðµ Ñ<>Ð¿Ð¸Ñ<C2B8>Ð¾Ðº\n"
 "Ð’Ð°Ñ<C2B0> Ñ<>Ð»Ñ–Ð´ Ð´Ð¾Ð´Ð°Ñ‚Ð¸ vim.VIM_SPECIAL_PATH Ð´Ð¾ sys.path"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/vi.po.CVE-2026-28421	2026-04-01 09:23:54.142493324 -0400
 +++ vim80/src/po/vi.po	2026-04-01 09:23:54.142493324 -0400
@@ -5194,3 +5194,6 @@ msgstr "E449: Nháºn Ä‘Æ°á»£c má»™t biá»
 msgid "E463: Region is guarded, cannot modify"
 msgstr "E463: KhÃ´ng thá»ƒ thay Ä‘á»•i vÃ¹ng Ä‘Ã£ Ä‘Æ°á»£c báº£o vá»‡"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/zh_CN.cp936.po.CVE-2026-28421	2026-04-01 09:23:54.147493324 -0400
 +++ vim80/src/po/zh_CN.cp936.po	2026-04-01 09:23:54.147493324 -0400
@@ -6138,3 +6138,6 @@ msgstr "ÒÑ²éÕÒµ½ÎÄ¼þ½áÎ²£¬ÔÙ´Ó¿ªÍ·¼ÌÐø²é
 #~ msgid "with BeOS GUI."
 #~ msgstr "Ê¹ÓÃ BeOS Í¼ÐÎ½çÃæ¡£"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/zh_CN.po.CVE-2026-28421	2026-04-01 09:23:54.152493324 -0400
 +++ vim80/src/po/zh_CN.po	2026-04-01 09:23:54.152493324 -0400
@@ -6138,3 +6138,6 @@ msgstr "ÒÑ²éÕÒµ½ÎÄ¼þ½áÎ²£¬ÔÙ´Ó¿ªÍ·¼ÌÐø²é
 #~ msgid "with BeOS GUI."
 #~ msgstr "Ê¹ÓÃ BeOS Í¼ÐÎ½çÃæ¡£"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/zh_CN.UTF-8.po.CVE-2026-28421	2026-04-01 09:23:54.157493324 -0400
 +++ vim80/src/po/zh_CN.UTF-8.po	2026-04-01 09:23:54.157493324 -0400
@@ -6138,3 +6138,6 @@ msgstr "å·²æŸ¥æ‰¾åˆ°æ–‡ä»¶ç»“å°¾ï¼Œå†<C3A5>ä»
 #~ msgid "with BeOS GUI."
 #~ msgstr "ä½¿ç”¨ BeOS å›¾å½¢ç•Œé<C592>¢ã€‚"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/zh_TW.po.CVE-2026-28421	2026-04-01 09:23:54.163493324 -0400
 +++ vim80/src/po/zh_TW.po	2026-04-01 09:23:54.164493324 -0400
@@ -5273,3 +5273,6 @@ msgstr "E463: °Ï°ì³Q«OÅ@¡AµLªk×§ï"
 #~ msgid "E277: Unrecognized sniff request [%s]"
 #~ msgstr "E277: µLªk¿ëÃÑ sniff ©R¥O [%s]"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
 --- vim80/src/po/zh_TW.UTF-8.po.CVE-2026-28421	2026-04-01 09:23:54.170493324 -0400
 +++ vim80/src/po/zh_TW.UTF-8.po	2026-04-01 09:23:54.171493324 -0400
@@ -5280,3 +5280,6 @@ msgstr "E463: å<>€åŸŸè¢«ä¿<C3A4>è·ï¼Œç„¡æ³•ä¿
 #~ msgid "E277: Unrecognized sniff request [%s]"
 #~ msgstr "E277: ç„¡æ³•è¾¨è˜ sniff å‘½ä»¤ [%s]"
 +
 +msgid "???ILLEGAL BLOCK NUMBER"
 +msgstr ""
--- a/SOURCES/0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch
+++ b/SOURCES/0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch
@ -0,0 +1,39 @@
 diff -up vim91/runtime/autoload/netrw.vim.validateportnum vim91/runtime/autoload/netrw.vim
 --- vim91/runtime/autoload/netrw.vim.validateportnum	2026-03-17 19:35:34.062575124 +0100
 +++ vim91/runtime/autoload/netrw.vim	2026-03-17 19:39:39.005999509 +0100
@@ -3376,7 +3376,8 @@ endif
 " s:NetrwValidateHostname:  Validate that the hostname is valid {{{2
 " Input:
 -"   hostname, may include an optional username, e.g. user@hostname
 +"   hostname, may include an optional username and port number, e.g.
 +"       user@hostname:port
 "   allow a alphanumeric hostname or an IPv(4/6) address
 " Output:
 "  true if g:netrw_machine is valid according to RFC1123 #Section 2
@@ -3385,17 +3386,19 @@ fun! s:NetrwValidateHostname(hostname)
   let user_pat = '\%([a-zA-Z0-9._-]\+@\)\?'
   " Hostname: 1-64 chars, alphanumeric/dots/hyphens.
   " No underscores. No leading/trailing dots/hyphens.
 -  let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]{,62}[a-zA-Z0-9]\)\?$'
 +  let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]\{0,62}[a-zA-Z0-9]\)\?'
 +  " Port: 16 bit unsigned integer
 +  let port_pat = '\%(:\d\{1,5\}\)\?$'
   " IPv4: 1-3 digits separated by dots
 -  let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}$'
 +  let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}'
   " IPv6: Hex, colons, and optional brackets
 -  let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?$'
 +  let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?'
 -  return a:hostname =~? '^'.user_pat.host_pat ||
 -       \ a:hostname =~? '^'.user_pat.ipv4_pat ||
 -       \ a:hostname =~? '^'.user_pat.ipv6_pat
 +  return a:hostname =~? '^'.user_pat.host_pat.port_pat ||
 +       \ a:hostname =~? '^'.user_pat.ipv4_pat.port_pat ||
 +       \ a:hostname =~? '^'.user_pat.ipv6_pat.port_pat
 endfun
 " ---------------------------------------------------------------------
--- a/SOURCES/0001-patch-9.2.0202-security-command-injection-via-newlin.patch
+++ b/SOURCES/0001-patch-9.2.0202-security-command-injection-via-newlin.patch
@ -0,0 +1,40 @@
 From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001
 From: pyllyukko <pyllyukko@maimed.org>
 Date: Thu, 19 Mar 2026 19:58:05 +0000
 Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in
 glob()
 Problem:  The glob() function on Unix-like systems does not escape
          newline characters when expanding wildcards. A maliciously
          crafted string containing '\n' can be used as a command
          separator to execute arbitrary shell commands via
          mch_expand_wildcards(). This depends on the user's 'shell'
          setting.
 Solution: Add the newline character ('\n') to the SHELL_SPECIAL
          definition to ensure it is properly escaped before being
          passed to the shell (pyllyukko).
 closes: #19746
 Github Advisory:
 https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
 Signed-off-by: pyllyukko <pyllyukko@maimed.org>
 Signed-off-by: Christian Brabandt <cb@256bit.org>
 ---
 src/os_unix.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/os_unix.c b/src/os_unix.c
 index 03f7649090c96..91bfd63d0dcb2 100644
 --- a/src/os_unix.c
 +++ b/src/os_unix.c
@@ -6772,7 +6772,7 @@ mch_expand_wildcards(
 # define SEEK_END 2
 #endif
 -#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|"
 +#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n"
     int
 mch_expand_wildcards(
--- a/SOURCES/0001-runtime-netrw-upstream-snapshot-of-v179.patch
+++ b/SOURCES/0001-runtime-netrw-upstream-snapshot-of-v179.patch
@ -0,0 +1,65 @@
 diff -up vim91/runtime/autoload/netrw.vim.validatehostname vim91/runtime/autoload/netrw.vim
 --- vim91/runtime/autoload/netrw.vim.validatehostname	2024-02-09 06:33:54.000000000 +0100
 +++ vim91/runtime/autoload/netrw.vim	2026-03-17 19:16:22.210561235 +0100
@@ -1453,6 +1453,10 @@ fun! netrw#Obtain(islocal,fname,...)
     call s:SetupNetrwStatusLine('%f %h%m%r%=%9*Obtaining '.a:fname)
    endif
    call s:NetrwMethod(b:netrw_curdir)
 +   if !s:NetrwValidateHostname(g:netrw_machine)
 +       call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107)
 +       return
 +   endif
    if b:netrw_method == 4
     " obtain file using scp
@@ -1948,6 +19,10 @@ fun! netrw#NetRead(mode,...)
 "    call Dfunc("netrw#NetRead : unsupported method")
     return
    endif
 +   if !s:NetrwValidateHostname(g:netrw_machine)
 +       call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107)
 +       return
 +   endif
    let tmpfile= s:GetTempfile(b:netrw_fname) " apply correct suffix
    " Check whether or not NetrwBrowse() should be handling this request
@@ -2565,6 +2573,10 @@ fun! netrw#NetWrite(...) range
 "    call Dfunc("netrw#NetWrite : unsupported method")
     return
    endif
 +   if !s:NetrwValidateHostname(g:netrw_machine)
 +       call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107)
 +       return
 +   endif
    " =============
    " NetWrite: Perform Protocol-Based Write {{{3
@@ -3362,6 +3374,17 @@ if has("win95") && exists("g:netrw_win95
  endfun
 endif
 +" s:NetrwValidateHostname:  Validate that the hostname is valid {{{2
 +" Input:
 +"   hostname
 +" Output:
 +"  true if g:netrw_machine is valid according to RFC1123 #Section 2
 +fun! s:NetrwValidateHostname(hostname)
 +    " RFC1123#section-2 mandates, a valid hostname starts with letters or digits
 +    " so reject everyhing else
 +    return a:hostname =~? '^[a-z0-9]'
 +endfun
 +
 " ---------------------------------------------------------------------
 " NetUserPass: set username and password for subsequent ftp transfer {{{2
 "   Usage:  :call NetUserPass()		               -- will prompt for userid and password
@@ -8842,6 +8865,10 @@ fun! s:NetrwUpload(fname,tgt,...)
    elseif a:tgt =~ '^ftp:'
     call s:NetrwMethod(a:tgt)
 +    if !s:NetrwValidateHostname(g:netrw_machine)
 +        call netrw#ErrorMsg(s:ERROR,"Rejecting invalid hostname: <" .. g:netrw_machine .. ">",107)
 +        return
 +    endif
     if b:netrw_method == 2
      " handle uploading a list of files via ftp+.netrc
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 22%{?dist}
+Release: 22%{?dist}.1
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@ -118,7 +118,24 @@ Patch3042: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
 # 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
 Patch3043: 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
 Patch3044: 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
-
+# RHEL-159620 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
 Patch3045: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch
 # RHEL-155428 CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin
 # 3 patches:
 # 0001-runtime-netrw-upstream-snapshot-of-v179.patch - introduces NetrwValidateHostname
 # 0001-patch-9.2.0073-security-possible-command-injection-u.patch - CVE patch which sanitizes hostnames
 # and reports invalid characters in SSH commands
 # 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch - include portnumber in hostname checking
 Patch3046: 0001-runtime-netrw-upstream-snapshot-of-v179.patch
 Patch3047: 0001-patch-9.2.0073-security-possible-command-injection-u.patch
 Patch3048: 0001-patch-9.2.0089-netrw-does-not-take-port-into-account.patch
 # RHEL-155412 CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
 # 0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch - adds check for max page count, which fixes
 # crash which happens after applying 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
 # 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch - validates line count and page count from
 # untrusted swap file before passing it to read and allocation functions
 Patch3049: 0001-patch-9.0.1477-crash-when-recovering-from-corrupted-.patch
 Patch3050: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -344,6 +361,12 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3042 -p1 -b .CVE-2025-53906
 %patch -P 3043 -p1 -b .tag-overflow
 %patch -P 3044 -p1 -b .tag-overflow2
 %patch -P 3045 -p1 -b .CVE-2026-33412
 %patch -P 3046 -p1 -b .validatehostname
 %patch -P 3047 -p1 -b .CVE-2026-28417
 %patch -P 3048 -p1 -b .validateportnum
 %patch -P 3049 -p1 -b .check-page-count
 %patch -P 3050 -p1 -b .CVE-2026-28421
 %build
 %if 0%{?rhel} > 7
@ -862,6 +885,11 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 %changelog
 * Tue Mar 31 2026 Petr Dancak   <pdancak@redhat.com> - 2:8.0.1763-22.1
 - RHEL-159620 CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function
 - RHEL-155428 CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin
 - RHEL-155412 CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
 * Fri Feb 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-22
 - RHEL-147935 CVE-2026-25749 vim: Heap Overflow in Vim