Your message dated Sun, 10 May 2026 01:19:40 +0000
with message-id <[email protected]>
and subject line Bug#1136097: fixed in vim 2:9.2.0461-1
has caused the Debian Bug report #1136097,
regarding vim: CVE-2026-45130
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136097
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vim
Version: 2:9.2.0428-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for vim.

CVE-2026-45130[0]:
| Vim is an open source, command line text editor. Prior to version
| 9.2.0450, a heap buffer overflow exists in read_compound() in
| src/spellfile.c when loading a crafted spell file (.spl) with UTF-8
| encoding active. An attacker-controlled length field in the spell
| file's compound section overflows a 32-bit signed integer
| multiplication, causing a small buffer to be allocated for a write
| loop that runs many iterations, overflowing the heap. Because the
| 'spelllang' option can be set from a modeline, a text file modeline
| can trigger spell file loading if a malicious .spl file has been
| planted on the runtimepath. This issue has been patched in version
| 9.2.0450.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45130
    https://www.cve.org/CVERecord?id=CVE-2026-45130
[1] https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv
[2] https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
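
The bug class described in the CVE text above (a length field multiplied in 32-bit signed arithmetic, the wrapped product used as an allocation size, and a write loop that still runs for the full length), shown as an added example. This is not code from Vim or from the upstream fix; the function names, the per-item factor of 4 and the sample length are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value a wrapping 32-bit multiply would produce. Computed in 64 bits and
 * truncated, so the demo itself has no signed-overflow undefined behaviour. */
uint32_t wrapped_size(int32_t len, int32_t per_item)
{
    return (uint32_t)((int64_t)len * per_item);
}

/* Size in bytes for len items of per_item bytes plus extra, or -1 if any
 * input is out of range or the result does not fit in a signed 32-bit int. */
int32_t checked_size(int32_t len, int32_t per_item, int32_t extra)
{
    if (len < 0 || per_item <= 0 || extra < 0)
        return -1;
    if (len > (INT32_MAX - extra) / per_item)
        return -1;
    return len * per_item + extra;
}

/* Allocate with the checked size and run the write loop against the same
 * bound. Returns bytes written, or -1 when the length field is rejected. */
int32_t fill_items(int32_t len, int32_t per_item)
{
    int32_t size = checked_size(len, per_item, 1);   /* +1 for a NUL */
    if (size < 0)
        return -1;
    unsigned char *buf = malloc((size_t)size);
    if (buf == NULL)
        return -1;
    int32_t written = 0;
    for (int32_t i = 0; i < len; i++) {
        memset(buf + written, 'x', (size_t)per_item);
        written += per_item;
    }
    buf[written] = '\0';
    free(buf);
    return written;
}

int main(void)
{
    int32_t len = 0x40000001;   /* constructed hostile length field */
    printf("true product : %lld\n", (long long)len * 4);
    printf("wrapped size : %u\n", wrapped_size(len, 4));
    printf("checked size : %d\n", checked_size(len, 4, 1));
    printf("benign fill  : %d\n", fill_items(16, 4));
    return 0;
}
```
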
--- Begin Message ---
Source: vim
Source-Version: 2:9.2.0461-1
Done: James McCoy <[email protected]>
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 09 May 2026 19:41:43 -0400
Source: vim
Architecture: source
Version: 2:9.2.0461-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Vim Maintainers <[email protected]>
Changed-By: James McCoy <[email protected]>
Closes: 1136086 1136097
Changes:
 vim (2:9.2.0461-1) unstable; urgency=medium
 .
   * New upstream tag
     + Security fixes
       - 9.2.0435: backticks in 'path' may cause shell execution on completion
         (Closes: #1136086, CVE-2026-44656)
       - 9.2.0450: heap buffer overflow in spellfile SN_COMPOUND handling
         (Closes: #1136097, CVE-2026-45130)
     + syntax/autopkgtest.vim: Fix typos in breaks-testbed, build-needed, and
       hint-testsuite-triggers. Mark skip-not-installable as deprecated.
Git-Tag-Info: tag=c58ff58a0d037b4fb090ace2a4430c77d0127d21
fp=91bfbf4d6956bd5df7b72d23dfe691ae331ba3db
Git-Tag-Tagger: James McCoy <[email protected]>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---