Backport upstream commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
to fix a command injection vulnerability (CVE-2026-46483) in
the vim tar plugin. The fix changes shellescape(tartail) to
shellescape(tartail, 1) in two places in the tar#Vimuntar()
function in runtime/autoload/tar.vim, ensuring proper shell
escaping when executing external commands via :! commands.
The patch was manually adapted for vim 8.0, omitting the
src/version.c hunk and the Vim9-based test file which are not
compatible with this version.
CVE: CVE-2026-46483
Upstream patches:
- 3fb5e58fbc.patch
Resolves: RHEL-178234
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir
38 lines
1.3 KiB
Diff
38 lines
1.3 KiB
Diff
From 448ae03067c85a48c9c73517fb9f7046be3ed200 Mon Sep 17 00:00:00 2001
|
|
From: RHEL Packaging Agent <redhat-ymir-agent@redhat.com>
|
|
Date: Wed, 3 Jun 2026 10:56:51 +0000
|
|
Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection
|
|
in tar plugin
|
|
|
|
Problem: [security]: runtime(tar): command injection in tar plugin
|
|
(Christopher Lusk)
|
|
Solution: Use the correct shellescape(args, 1) form for a :! command
|
|
|
|
Github Advisory:
|
|
https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
|
|
|
|
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
|
---
|
|
runtime/autoload/tar.vim | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
|
|
index e320b9a..b60e94a 100644
|
|
--- a/runtime/autoload/tar.vim
|
|
+++ b/runtime/autoload/tar.vim
|
|
@@ -588,9 +588,9 @@ fun! tar#Vimuntar(...)
|
|
" if necessary, decompress the tarball; then, extract it
|
|
if tartail =~ '\.tgz'
|
|
if executable("gunzip")
|
|
- silent exe "!gunzip ".shellescape(tartail)
|
|
+ silent exe "!gunzip ".shellescape(tartail, 1)
|
|
elseif executable("gzip")
|
|
- silent exe "!gzip -d ".shellescape(tartail)
|
|
+ silent exe "!gzip -d ".shellescape(tartail, 1)
|
|
else
|
|
echoerr "unable to decompress<".tartail."> on this sytem"
|
|
if simplify(curdir) != simplify(tarhome)
|
|
--
|
|
2.52.0
|
|
|