Your message dated Wed, 08 Jul 2026 02:23:35 +0000
with message-id <[email protected]>
and subject line Bug#1140775: fixed in vim 2:9.2.0782-1
has caused the Debian Bug report #1140775,
regarding vim: CVE-2026-55693 CVE-2026-55892 CVE-2026-55895 CVE-2026-57451
CVE-2026-57452 CVE-2026-57453 CVE-2026-57454 CVE-2026-57455 CVE-2026-57456
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140775
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vim
Version: 2:9.2.0524-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for vim.
CVE-2026-55693[0]:
| Vim is an open source, command line text editor. Prior to 9.2.0653,
| the tree_count_words() function in src/spellfile.c fills in the
| word-count fields of a spell-file word trie by walking it
| iteratively with a depth counter. The counter is bounded only by the
| trie structure itself; it is never checked against the size of the
| fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[],
| wordcount[]). A crafted .spl/.sug file pair, loaded when the user
| invokes spell suggestion, can drive the descent arbitrarily deep, so
| the function writes past the end of those arrays. This is a stack
| out-of-bounds write that corrupts the call frame and crashes the
| editor. This vulnerability is fixed in 9.2.0653.
CVE-2026-55892[1]:
| Vim is an open source, command line text editor. Prior to 9.2.0662,
| the dump_prefixes() function in src/spell.c walks a spell-file
| prefix trie iteratively with a depth counter while dumping the
| prefixes that apply to a word. The counter is bounded only by the
| trie structure itself; it is never checked against the size of the
| fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[],
| curi[]). A crafted .spl file, loaded when the user dumps the word
| list, can drive the descent arbitrarily deep, so the function writes
| past the end of those arrays. This is a stack out-of-bounds write
| that corrupts the call frame and crashes the editor. This
| vulnerability is fixed in 9.2.0662.
CVE-2026-55895[2]:
| Vim is an open source, command line text editor. Prior to 9.2.0663,
| a Vimscript code injection vulnerability exists in
| s:NetrwLocalRmFile() in the netrw plugin
| (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a
| local file from the browser. A filename derived from the buffer's
| directory listing is interpolated into an Ex command line passed to
| :execute with only the backslash character escaped, allowing a
| crafted filename containing a bar (|) to terminate the intended
| command and execute arbitrary Vimscript, including shell commands
| via :call system() and :!. This vulnerability is fixed in 9.2.0663.
CVE-2026-57451[3]:
| Vim is an open source, command line text editor. Prior to 9.2.0670,
| get_text_props() in src/textprop.c reads a uint16 property count
| stored inline after a line's text and returns it as the number of
| 32-byte textprop_T entries that follow. The only check is a floor
| that guarantees room for a single entry; the count is never checked
| against the amount of data actually present. A line that declares a
| large count while carrying little data causes consumers to read far
| past the end of the line buffer. Such a line can be delivered
| through a crafted undo file, leading to a crash. This vulnerability
| is fixed in 9.2.0670.
CVE-2026-57452[4]:
| Vim is an open source, command line text editor. Prior to 9.2.0671,
| when Vim opens a file encrypted with the VimCrypt~04! or
| VimCrypt~05! method (xchacha20poly1305, requires the +sodium
| feature) whose body is shorter than a single libsodium secretstream
| header, an unsigned length calculation underflows and a subsequent
| decryption call reads far past the end of the input buffer, crashing
| Vim. This vulnerability is fixed in 9.2.0671.
CVE-2026-57453[5]:
| Vim is an open source, command line text editor. From 9.1.1784 until
| 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to
| PowerShell to browse, read, extract, update or delete entries in a
| zip archive, it builds the PowerShell command by inserting archive
| entry names that are quoted only for the shell, not for PowerShell.
| A crafted entry name can break out of the intended string context
| and cause PowerShell to execute arbitrary commands with the
| privileges of the user running Vim, triggered by opening, viewing or
| extracting the archive. This vulnerability is fixed in 9.2.0678.
CVE-2026-57454[6]:
| Vim is an open source, command line text editor. From 9.2.0320 until
| 9.2.0679, a crafted undo or swap file can store a virtual-text
| property whose offset and length point outside the line's property
| data. When Vim restores or displays such a line it converts the
| offset into a pointer and reads the virtual text without bounds
| checking, causing an out-of-bounds read that can crash Vim or
| disclose adjacent heap memory. This vulnerability is fixed in
| 9.2.0679.
CVE-2026-57455[7]:
| Vim is an open source, command line text editor. Prior to 9.2.0698,
| the single-byte branch of spell_soundfold_sofo() in src/spell.c
| translates a word through a spell file's SOFO (sound-folding) byte
| map into a caller-owned result buffer. Its copy loop advances the
| output index ri with no upper bound and terminates only on the input
| NUL, writing one byte per input byte into the MAXWLEN-element stack
| buffer the caller provides. A word longer than MAXWLEN, passed to
| soundfold() (or reached via sound-based spell suggestion) while a
| SOFO-based spell language is active, therefore writes past the end
| of that buffer. This is a stack out-of-bounds write that corrupts
| the call frame and crashes the editor. This vulnerability is fixed
| in 9.2.0698.
CVE-2026-57456[8]:
| Vim is an open source, command line text editor. Prior to 9.2.0699,
| Vim's Python omni-completion (runtime/autoload/python3complete.vim
| and the legacy pythoncomplete.vim) executes reconstructed function
| and class definitions from the current buffer with exec() as part of
| populating the completion dictionary. When reconstructing that
| source, each scope's docstring is inserted verbatim between triple
| quotes with no escaping, so a hostile buffer can break out of the
| triple-quoted literal and execute attacker-controlled Python during
| omni-completion. This vulnerability is fixed in 9.2.0699.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-55693
https://www.cve.org/CVERecord?id=CVE-2026-55693
[1] https://security-tracker.debian.org/tracker/CVE-2026-55892
https://www.cve.org/CVERecord?id=CVE-2026-55892
[2] https://security-tracker.debian.org/tracker/CVE-2026-55895
https://www.cve.org/CVERecord?id=CVE-2026-55895
[3] https://security-tracker.debian.org/tracker/CVE-2026-57451
https://www.cve.org/CVERecord?id=CVE-2026-57451
[4] https://security-tracker.debian.org/tracker/CVE-2026-57452
https://www.cve.org/CVERecord?id=CVE-2026-57452
[5] https://security-tracker.debian.org/tracker/CVE-2026-57453
https://www.cve.org/CVERecord?id=CVE-2026-57453
[6] https://security-tracker.debian.org/tracker/CVE-2026-57454
https://www.cve.org/CVERecord?id=CVE-2026-57454
[7] https://security-tracker.debian.org/tracker/CVE-2026-57455
https://www.cve.org/CVERecord?id=CVE-2026-57455
[8] https://security-tracker.debian.org/tracker/CVE-2026-57456
https://www.cve.org/CVERecord?id=CVE-2026-57456
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: vim
Source-Version: 2:9.2.0782-1
Done: James McCoy <[email protected]>
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 07 Jul 2026 21:46:03 -0400
Source: vim
Architecture: source
Version: 2:9.2.0782-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Vim Maintainers <[email protected]>
Changed-By: James McCoy <[email protected]>
Closes: 1139728 1139729 1139730 1140775
Changes:
vim (2:9.2.0782-1) unstable; urgency=medium
.
* New upstream tag
+ Security fixes (Closes: #1140775)
- 9.2.0561: possible code execution with python3complete (Closes:
#1139728, CVE-2026-52858)
- 9.2.0565: out-of-bounds read in :terminal if a cell has 5 combining
marks (Closes: #1139729, CVE-2026-52859)
- 9.2.0597: Allocation failure not handled when defining a dictionary
function (Closes: #1139730, CVE-2026-52860)
- 9.2.0653: out-of-bounds read with a crafted spell file, CVE-2026-55693
- 9.2.0662: out-of-bounds write with a crafted spell file,
CVE-2026-55892
- 9.2.0663: possible code execution in netrw when deleting a file with a
"|" in its name, CVE-2026-55895
- 9.2.0670: out-of-bounds read of text properties when handling a
crafted undo file, CVE-2026-57451
- 9.2.0671: Possible out-of-bounds read when opening a sodium-encrypted
file, CVE-2026-57452
- 9.2.0678: Possible powershell code execution when opening a zip file,
CVE-2026-57453
- 9.2.0679: out-of-bounds read of text properties when handling a
crafted undo file, CVE-2026-57454
- 9.2.0698: out-of-bounds write when using soundfold() on a large input,
CVE-2026-57455
- 9.2.0699: possible code execution when using python complete,
CVE-2026-57456
* Skip Test_clientserver_serverlist_list() and Test_remote_serverlist()
Checksums-Sha1:
a609e7242f12d41a5dce21e5a45165e815835280 3194 vim_9.2.0782-1.dsc
beed2cf7178146ce0f84ee327ee1fb44d54e7642 13351408 vim_9.2.0782.orig.tar.xz
d431f5a6b895c0e107492e5ca61b873be5d189a1 163036 vim_9.2.0782-1.debian.tar.xz
cb6cb0e9c6695dbb803edba74b2dbca06af48867 33332736 vim_9.2.0782-1.git.tar.xz
1967cda9af46b0b37c09877f7e326a0ebfda3d9c 17502 vim_9.2.0782-1_source.buildinfo
Checksums-Sha256:
1401ef8df7b80e1abcd22fa945db933c4788a798a57341ec85fb37278b935e8f 3194
vim_9.2.0782-1.dsc
01bf8bb001a4f5d1dbfdb727461e0eb72c817429b20c5724d70ef15187588460 13351408
vim_9.2.0782.orig.tar.xz
f3da60e14f497abe267a9e1bab3a37d4461b3906f16a7799324e3f9bd454c476 163036
vim_9.2.0782-1.debian.tar.xz
8bfc5a9c538c1d9cc1b5e629dd4ebb2b1e57e72daf37628f9dd777c86918d42f 33332736
vim_9.2.0782-1.git.tar.xz
b0fb7085baddc94c4d6a9538710e0aa105ce8baf3810b0132920ac8993795335 17502
vim_9.2.0782-1_source.buildinfo
Files:
c49a4e11724c67b0e994a0f8c7c72bf7 3194 editors optional vim_9.2.0782-1.dsc
fd6609ff8d0b8e6d0502db1f07eb4516 13351408 editors optional
vim_9.2.0782.orig.tar.xz
e3bf08090bc19413e337a7b7d1a1c4ad 163036 editors optional
vim_9.2.0782-1.debian.tar.xz
1e2e56fd9b321f7d419645da9f3c6817 33332736 editors None
vim_9.2.0782-1.git.tar.xz
6d27dcedb24542d4b823f57ee88af3da 17502 editors optional
vim_9.2.0782-1_source.buildinfo
Git-Tag-Info: tag=bd3c81b4f366230f158a88786d8a7b878e00d420
fp=91bfbf4d6956bd5df7b72d23dfe691ae331ba3db
Git-Tag-Tagger: James McCoy <[email protected]>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmpNrLkACgkQYG0ITkaD
wHlRzRAA0aZCexb3rib5G50oMRQIUfoioG8/K9hVt95zKBYiTlT66hoLx1ljrncX
7iaaNb5o12RyehbUjSTOJFQFKQ9t5UbQkkO8JYmi+45qHXmEAQ/VrdHHHrjotAUd
wnUD3HoqYIqGWVrLUIS7wFUlO68LaTEJgS85HxZ2saH6BUeBe7MCR/pmB0IuY6TA
cvqdEd5aF69EBdXtWv4HXXhQoQqLohiBM5eIDJJ7RhWDbLDd1qd6TPRWDzvW03of
Quw98Qu1FnAxFpMw/82yfqEQrxpUX0POCe1DKxuKdSnN96WN5EmAeI5E52vdUjnp
xRR+5gIfLAmrWmZcVwJ12awSmAjDetNlcOCQxj1O3z5w00Ertd0NC6p7nZxQdmT/
6ewtwePQWcSQtWwATgumqWcyv/jFNdaYR6hg+0MAACa5N8+6hHE6fgvx//2dxZBp
WxYNVIKaLy1JFRwnfaEMgCfv1sTEQ4P1zS1sEzyGLraiFjMyobs5B+e+6icVROLv
6jZ5qU+UOgsA3NyFwf9wCyxinph7GUGUWXH/Ny5qbgkGpJ3Z+OJAejLKo5mR+cb4
Mu7I7L3DAtEc7xmPgixvP7CTy9mxcvwxhFx0RyDNMiRwgLABFWNci8P9iySscdnu
6k5kfCeD0rhwV8BFNvUCMWhxAhf8sxVnfIbVHh5y3CfSgFnfzXI=
=Zk0N
-----END PGP SIGNATURE-----
pgptMrDcyaaDt.pgp
Description: PGP signature
--- End Message ---