Your message dated Wed, 08 Jul 2026 02:23:35 +0000
with message-id <[email protected]>
and subject line Bug#1139730: fixed in vim 2:9.2.0782-1
has caused the Debian Bug report #1139730,
regarding vim: CVE-2026-52860
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139730: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139730
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vim
Version: 2:9.2.0524-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for vim.

CVE-2026-52860[0]:
| Vim is an open source, command line text editor. Prior to version
| 9.2.0597, Vim's Python omni-completion executes reconstructed
| function and class definitions from the current buffer with exec()
| as part of populating the completion dictionary. Python evaluates
| function default values, parameter annotations, and class base
| expressions at definition time, so a hostile buffer can execute
| attacker-controlled Python expressions during omni-completion. The
| existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-
| rq6p-rc7c) does not cover this path, because the attacker-controlled
| code is not a harvested import/from statement. This issue has been
| patched in version 9.2.0597.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-52860
    https://www.cve.org/CVERecord?id=CVE-2026-52860
[1] https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468
[2] https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: vim
Source-Version: 2:9.2.0782-1
Done: James McCoy <[email protected]>

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Jul 2026 21:46:03 -0400
Source: vim
Architecture: source
Version: 2:9.2.0782-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Vim Maintainers <[email protected]>
Changed-By: James McCoy <[email protected]>
Closes: 1139728 1139729 1139730 1140775
Changes:
 vim (2:9.2.0782-1) unstable; urgency=medium
 .
   * New upstream tag
     + Security fixes (Closes: #1140775)
       - 9.2.0561: possible code execution with python3complete (Closes:
         #1139728, CVE-2026-52858)
       - 9.2.0565: out-of-bounds read in :terminal if a cell has 5 combining
         marks (Closes: #1139729, CVE-2026-52859)
       - 9.2.0597: Allocation failure not handled when defining a dictionary
         function (Closes: #1139730, CVE-2026-52860)
       - 9.2.0653: out-of-bounds read with a crafted spell file, CVE-2026-55693
       - 9.2.0662: out-of-bounds write with a crafted spell file,
         CVE-2026-55892
       - 9.2.0663: possible code execution in netrw when deleting a file with a
         "|" in its name, CVE-2026-55895
       - 9.2.0670: out-of-bounds read of text properties when handling a
         crafted undo file, CVE-2026-57451
       - 9.2.0671: Possible out-of-bounds read when opening a sodium-encrypted
         file, CVE-2026-57452
       - 9.2.0678: Possible powershell code execution when opening a zip file,
         CVE-2026-57453
       - 9.2.0679: out-of-bounds read of text properties when handling a
         crafted undo file, CVE-2026-57454
       - 9.2.0698: out-of-bounds write when using soundfold() on a large input,
         CVE-2026-57455
       - 9.2.0699: possible code execution when using python complete,
         CVE-2026-57456
   * Skip Test_clientserver_serverlist_list() and Test_remote_serverlist()
Checksums-Sha1:
 a609e7242f12d41a5dce21e5a45165e815835280 3194 vim_9.2.0782-1.dsc
 beed2cf7178146ce0f84ee327ee1fb44d54e7642 13351408 vim_9.2.0782.orig.tar.xz
 d431f5a6b895c0e107492e5ca61b873be5d189a1 163036 vim_9.2.0782-1.debian.tar.xz
 cb6cb0e9c6695dbb803edba74b2dbca06af48867 33332736 vim_9.2.0782-1.git.tar.xz
 1967cda9af46b0b37c09877f7e326a0ebfda3d9c 17502 vim_9.2.0782-1_source.buildinfo
Checksums-Sha256:
 1401ef8df7b80e1abcd22fa945db933c4788a798a57341ec85fb37278b935e8f 3194 
vim_9.2.0782-1.dsc
 01bf8bb001a4f5d1dbfdb727461e0eb72c817429b20c5724d70ef15187588460 13351408 
vim_9.2.0782.orig.tar.xz
 f3da60e14f497abe267a9e1bab3a37d4461b3906f16a7799324e3f9bd454c476 163036 
vim_9.2.0782-1.debian.tar.xz
 8bfc5a9c538c1d9cc1b5e629dd4ebb2b1e57e72daf37628f9dd777c86918d42f 33332736 
vim_9.2.0782-1.git.tar.xz
 b0fb7085baddc94c4d6a9538710e0aa105ce8baf3810b0132920ac8993795335 17502 
vim_9.2.0782-1_source.buildinfo
Files:
 c49a4e11724c67b0e994a0f8c7c72bf7 3194 editors optional vim_9.2.0782-1.dsc
 fd6609ff8d0b8e6d0502db1f07eb4516 13351408 editors optional 
vim_9.2.0782.orig.tar.xz
 e3bf08090bc19413e337a7b7d1a1c4ad 163036 editors optional 
vim_9.2.0782-1.debian.tar.xz
 1e2e56fd9b321f7d419645da9f3c6817 33332736 editors None 
vim_9.2.0782-1.git.tar.xz
 6d27dcedb24542d4b823f57ee88af3da 17502 editors optional 
vim_9.2.0782-1_source.buildinfo
Git-Tag-Info: tag=bd3c81b4f366230f158a88786d8a7b878e00d420 
fp=91bfbf4d6956bd5df7b72d23dfe691ae331ba3db
Git-Tag-Tagger: James McCoy <[email protected]>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmpNrLkACgkQYG0ITkaD
wHlRzRAA0aZCexb3rib5G50oMRQIUfoioG8/K9hVt95zKBYiTlT66hoLx1ljrncX
7iaaNb5o12RyehbUjSTOJFQFKQ9t5UbQkkO8JYmi+45qHXmEAQ/VrdHHHrjotAUd
wnUD3HoqYIqGWVrLUIS7wFUlO68LaTEJgS85HxZ2saH6BUeBe7MCR/pmB0IuY6TA
cvqdEd5aF69EBdXtWv4HXXhQoQqLohiBM5eIDJJ7RhWDbLDd1qd6TPRWDzvW03of
Quw98Qu1FnAxFpMw/82yfqEQrxpUX0POCe1DKxuKdSnN96WN5EmAeI5E52vdUjnp
xRR+5gIfLAmrWmZcVwJ12awSmAjDetNlcOCQxj1O3z5w00Ertd0NC6p7nZxQdmT/
6ewtwePQWcSQtWwATgumqWcyv/jFNdaYR6hg+0MAACa5N8+6hHE6fgvx//2dxZBp
WxYNVIKaLy1JFRwnfaEMgCfv1sTEQ4P1zS1sEzyGLraiFjMyobs5B+e+6icVROLv
6jZ5qU+UOgsA3NyFwf9wCyxinph7GUGUWXH/Ny5qbgkGpJ3Z+OJAejLKo5mR+cb4
Mu7I7L3DAtEc7xmPgixvP7CTy9mxcvwxhFx0RyDNMiRwgLABFWNci8P9iySscdnu
6k5kfCeD0rhwV8BFNvUCMWhxAhf8sxVnfIbVHh5y3CfSgFnfzXI=
=Zk0N
-----END PGP SIGNATURE-----

Attachment: pgpjezj5go1Hl.pgp
Description: PGP signature


--- End Message ---

Reply via email to