Your message dated Sun, 24 May 2026 02:48:39 +0000
with message-id <[email protected]>
and subject line Bug#1136803: fixed in vim 2:9.2.0524-1
has caused the Debian Bug report #1136803,
regarding vim: CVE-2026-46483
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136803: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136803
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vim
Version: 2:9.2.0461-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for vim.
CVE-2026-46483[0]:
| Vim is an open source, command line text editor. Prior to 9.2.0479,
| a command injection vulnerability exists in tar#Vimuntar() in
| runtime/autoload/tar.vim when decompressing .tgz archives on Unix-
| like systems. The function builds :!gunzip and :!gzip -d commands
| using shellescape(tartail) without the {special} flag, allowing a
| crafted archive filename to trigger Vim cmdline-special expansion
| and execute shell commands in the user's context. This vulnerability
| is fixed in 9.2.0479.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-46483
https://www.cve.org/CVERecord?id=CVE-2026-46483
[1] https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
[2] https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
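An added example, not part of the bug report or of Vim's own code: a small static audit for the pattern the CVE text describes, i.e. shellescape() called without a non-zero {special} argument on a line that builds a `:!` command. The sample lines are constructed from the advisory's wording, the matching is a line-based heuristic, and the system() line is left alone because system() performs no cmdline-special expansion.

```python
import re

# ":!cmd" reached directly or through :execute / :silent. Vim expands
# cmdline-special items (%, #, !, <cfile>, ...) there before the shell runs.
BANG_CMD = re.compile(
    r'''(?:\bexe\w*\s+["'](?:\s*sil\w*!?\s+)?|^\s*:?(?:sil\w*!?\s+)?)!''')
FALSY = {'0', "''", '""', 'v:false'}   # {special} values that leave it off

def shellescape_calls(line):
    """Yield the argument list of each shellescape(...) call on one line."""
    for m in re.finditer(r'\bshellescape\s*\(', line):
        depth, args, cur, quote = 1, [], '', None
        for ch in line[m.end():]:
            if quote:                      # inside a Vim string literal
                quote = None if ch == quote else quote
            elif ch in '"\'':
                quote = ch
            elif ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
                if depth == 0:             # end of this shellescape() call
                    break
            elif ch == ',' and depth == 1:  # top-level argument separator
                args.append(cur.strip())
                cur = ''
                continue
            cur += ch
        yield args + [cur.strip()]

def audit(source):
    """Return (line number, first argument) for each risky call."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith('"') or not BANG_CMD.search(line):
            continue          # Vim comment line, or no :! on this line
        for args in shellescape_calls(line):
            if len(args) < 2 or args[1] in FALSY:
                findings.append((n, args[0]))
    return findings

# Constructed sample, modelled on the pattern the advisory text describes.
SAMPLE = r'''
exe "!gunzip ".shellescape(tartail)
exe "sil !gzip -d ".shellescape(tartail)
exe "!gunzip ".shellescape(tartail, 1)
let out = system("gunzip ".shellescape(tartail))
'''
FINDINGS = audit(SAMPLE)
```

Pass the text of a plugin file to `audit()` to list candidate lines for manual review.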
--- Begin Message ---
Source: vim
Source-Version: 2:9.2.0524-1
Done: James McCoy <[email protected]>
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 23 May 2026 22:34:42 -0400
Source: vim
Architecture: source
Version: 2:9.2.0524-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Vim Maintainers <[email protected]>
Changed-By: James McCoy <[email protected]>
Closes: 1136803 1136828
Changes:
 vim (2:9.2.0524-1) unstable; urgency=medium
 .
   * New upstream tag
     + Security fixes
       - 9.2.0479: command injection in tar plugin (Closes: #1136803,
         CVE-2026-46483)
       - 9.2.0480: command injection in netrw via mf command (Closes: #1136828,
         CVE-2026-43961)
   * debian/rules:
     + Disable gtk4 configure check until new UI stabilizes
     + Remove obsolete --enable-sockerserver switch
Git-Tag-Info: tag=a2b5cf6604a0ddce56ef5690d5f5713fe19b4ac0
fp=91bfbf4d6956bd5df7b72d23dfe691ae331ba3db
Git-Tag-Tagger: James McCoy <[email protected]>
--- End Message ---