Your message dated Sun, 14 Jun 2026 16:35:49 -0400
with message-id <ai8OHnwVDZchMFni@localhost>
and subject line Re: Bug#1139999: neovim: CVE-2026-11487
has caused the Debian Bug report #1139999,
regarding neovim: CVE-2026-11487
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139999
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: neovim
Version: 0.12.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/neovim/neovim/issues/39914
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for neovim.
CVE-2026-11487[0]:
| A flaw has been found in Neovim up to 0.12.2. Affected by this issue
| is the function M.read of the file runtime/lua/vim/secure.lua of the
| component View Branch. Executing a manipulation of the argument path
| can lead to command injection. It is possible to launch the attack
| on the local host. The exploit has been published and may be used.
| This patch is called f83e0dcaf8cf18de94828341b0a1a61a86c75baf. A
| patch should be applied to remediate this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-11487
    https://www.cve.org/CVERecord?id=CVE-2026-11487
[1] https://github.com/neovim/neovim/issues/39914
[2] https://github.com/neovim/neovim/pull/39918
[3] https://github.com/neovim/neovim/commit/f83e0dcaf8cf18de94828341b0a1a61a86c75baf
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Version: 0.12.3-1
On Sun, Jun 14, 2026 at 03:47:54PM +0200, Salvatore Bonaccorso wrote:
> CVE-2026-11487[0]:
> | A flaw has been found in Neovim up to 0.12.2. Affected by this issue
> | is the function M.read of the file runtime/lua/vim/secure.lua of the
> | component View Branch.
This was fixed in 0.12.3-1 already. I'll add a retroactive reference in
the changelog.
Cheers,
--
James (he/him)
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
--- End Message ---