Your message dated Mon, 08 Jun 2026 02:49:07 +0000
with message-id <[email protected]>
and subject line Bug#1135706: fixed in neovim 0.12.2-1
has caused the Debian Bug report #1135706,
regarding neovim: vulnerable to security bug fixed in Vim 9.2.0331, among others
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135706
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: neovim
Version: 0.11.6-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Neovim 0.12.2 has included several security patches from Vim that are
unpatched in the version in unstable. For instance, there is a buffer
overflow fixed in Vim 9.2.0331 that still causes Neovim to crash.
If you place the below contents in `vimrc` and run `nvim -u vimrc`,
Neovim crashes with `*** buffer overflow detected ***: terminated`.
Obviously this is a serious security bug. While this particular
variant is detected, it's not necessarily the case that every variant
will be detected, so patching this appropriately is important.
Since spell files are frequently downloaded from the Internet (and I
believe both Vim and Neovim contain functionality to do so), this allows
a malicious provider of spell files to create a buffer overflow, which
could allow arbitrary code execution.
Could you either upload Neovim 0.12.2 or backport the appropriate
security patches from newer versions of Neovim?
vimrc:
----
func s:abc()
let aff_lines = ['SET ISO8859-1', 'SFX A Y 1',
\ 'SFX A 0 s ' .. repeat(nr2char(0xff), 491)]
call writefile(aff_lines, 'Xbof.aff', 'D')
call writefile(['1', 'word/A'], 'Xbof.dic', 'D')
" Must not crash; ignore any conversion/regex errors.
try
mkspell! Xbof.spl Xbof
catch
endtry
defer delete('Xbof.spl')
let long = repeat(nr2char(0xff), 200)
let aff2_lines = ['SET ISO8859-1', 'SFX A Y 1',
\ 'SFX A 0 ' .. long .. ' .']
call writefile(aff2_lines, 'Xbof2.aff', 'D')
call writefile(['1', long .. '/A'], 'Xbof2.dic', 'D')
try
mkspell! Xbof2.spl Xbof2
catch
endtry
defer delete('Xbof2.spl')
endfunc
call s:abc()
----
These contents were derived from the test in Vim patch 9.2.0331.
-- System Information:
Debian Release: forky/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 7.0.3+deb14-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages neovim depends on:
ii libc6 2.42-15
ii libluajit-5.1-2 2.1.0+openresty20251030-1+b2
ii libtree-sitter0.25 0.25.9-7+b1
ii libunibilium4 2.1.1-2+b3
ii libutf8proc3 2.11.3-2
ii libuv1t64 1.51.0-2+b2
ii lua-lpeg 1.1.0-3+b1
ii lua-luv 1.51.0-1-1+b1
ii neovim-runtime 0.11.6-1
Versions of packages neovim recommends:
ii python3-pynvim 0.6.0-2
ii wl-clipboard 2.2.1-2
ii xclip 0.13-4
ii xxd 2:9.2.0428-1
Versions of packages neovim suggests:
pn ctags <none>
pn vim-scripts <none>
-- no debconf information
--
brian m. carlson (they/them)
Toronto, Ontario, CA
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: neovim
Source-Version: 0.12.2-1
Done: James McCoy <[email protected]>
We believe that the bug you reported is fixed in the latest version of
neovim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated neovim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Jun 2026 22:22:25 -0400
Source: neovim
Architecture: source
Version: 0.12.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Vim Maintainers <[email protected]>
Changed-By: James McCoy <[email protected]>
Closes: 1132614 1135706
Changes:
neovim (0.12.2-1) experimental; urgency=medium
.
* Update to new upstream version 0.12.2. (Closes: #1132614)
+ Includes various security fixes, backported from Vim (Closes: #1135706)
* Bump tree-sitter parser versions to match upstream
* Enable building with luajit on loong64, powerpc, ppc64el, and riscv64
* Switch from $BUSTED_ARGS to $TEST_ARGS run running tests
* Add git as a test dependency
* Skip test which does not expect certain Lua 5.2 functions to be present in
LuaJIT
* Bump tree-sitter Build-Depends to 0.26
* Remove shell-script-fails-syntax-check override
* Declare compliance with Policy 4.7.4
* Backport patches to fix test failures
+ fix(test): only test for unibilium if a valid compilation string exists
+ vim-patch:9.2.0395: tests: Test_backupskip() may read from $HOME (#39417)
Checksums-Sha1:
4f05731a297701b5cf8aef09a2c82228a3c6012b 3150 neovim_0.12.2-1.dsc
eac5f0bd8c6a18d68e2a22142904953bdf552ede 9461232 neovim_0.12.2.orig.tar.xz
1309d4776bda3e9df88b746a15eaa7db9c75004e 28976 neovim_0.12.2-1.debian.tar.xz
a788978b396f01927559dc48398c9090a783a85a 27188420 neovim_0.12.2-1.git.tar.xz
69f4bedcd5fce7a3134a1c615b1267114f85f1c0 17488 neovim_0.12.2-1_source.buildinfo
Checksums-Sha256:
9d229359faef36e638a748f21307b166f80f06dc351ef9efc6c648cc0701a630 3150
neovim_0.12.2-1.dsc
5536740ef0b3000033949e04f01f758230f61435900c93372b0b24a1a63406c0 9461232
neovim_0.12.2.orig.tar.xz
97eef3194a5cb6959d33e9d622c66ac52803eb0fb669dc26acec38e3e4b1d35e 28976
neovim_0.12.2-1.debian.tar.xz
ded84b943739896b87def210c76b1c851e83d45ba8bd64fbf97904cbdfaf1da9 27188420
neovim_0.12.2-1.git.tar.xz
5c69478b3820a38064cc54832a69730f5ed2e756ab3c975bfabd53128e46c603 17488
neovim_0.12.2-1_source.buildinfo
Files:
09d9ac1324743f01a7e8530f85ec1551 3150 editors optional neovim_0.12.2-1.dsc
48311f70b1ae833dd249d8c7df971279 9461232 editors optional
neovim_0.12.2.orig.tar.xz
5c36aadec63ba21ecce935184030c66f 28976 editors optional
neovim_0.12.2-1.debian.tar.xz
492b998dc6f4ae56dd769a9495b98a06 27188420 editors None
neovim_0.12.2-1.git.tar.xz
6aaa7568cd77cc9092f56abea783f42e 17488 editors optional
neovim_0.12.2-1_source.buildinfo
Git-Tag-Info: tag=d2c17ca0e07e4f0adaefe46e096de121655aee2e
fp=91bfbf4d6956bd5df7b72d23dfe691ae331ba3db
Git-Tag-Tagger: James McCoy <[email protected]>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmomKN8ACgkQYG0ITkaD
wHltexAAnlkJdBjZIp3aw9Vwq5v4xrvTO1HwjLKJj2gWuZ9l7sP9/8yCtylxymFK
E6vVuV2KgXEqaP9JysgrCUBDYB+BmHJDgjvFNdO8aMtMf0HQCHWh92dM4S/Jyo85
nFeA4GfgXRZgnefBk5p1rAp6K71F/qUMTGeBpxTEUPCmMeLGaPS14OiYj3oZ27FO
EuMij47+BBZoe69OgTfCdTTbPMOePGcpi/RRCdTZi10jgg0sNY1+FT8OtNDubFPI
syDDgjpQoTWxfy0ZAn5t0Azl43/n940Q6LKBS5D1CgsmRXwNpV1t5pKR9PWSyD3i
K7WkaeZqzU8Mri3OwB8NkhNR8U7LBAcw9Anm5sx9ZVP7+9dCzRd87IbLOGLD2A06
d9YZa/f978JykFan6dEMe3QZ4ZcAAqMhUcB/hEgIj6/ussna4MFZWEcfB5isY90+
7lZ1wVfc6CQAhQUWLeDFg7mgPOIKDXytEd7hVuiQDaa1TS09BLf3LzMQ33eXpIBH
9JZBsKNji6T+0LzNRNIikRcvwsdyoCXabirO21ULIMHVGkzt5SnKEwgiuKBYMDA0
Hg2tMDPFy0nlBNV3e91JGIqGG7zWxTyddEUpZNhRBkEORDlWRy8uGR9miTNh83iY
bTWE7bvQcekGYKuAqqytsmtRZ6Cme/Gx3nPR5UxJU+Q2SvNONgo=
=j8JC
-----END PGP SIGNATURE-----
pgpaMZgJx7Q5l.pgp
Description: PGP signature
--- End Message ---
