Your message dated Sun, 14 Jun 2026 01:05:44 +0000
with message-id <[email protected]>
and subject line Bug#1135706: fixed in neovim 0.12.3-1
has caused the Debian Bug report #1135706,
regarding neovim: vulnerable to security bug fixed in Vim 9.2.0331, among others
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135706
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: neovim
Version: 0.11.6-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Neovim 0.12.2 has included several security patches from Vim that are
unpatched in the version in unstable. For instance, there is a buffer
overflow fixed in Vim 9.2.0331 that still causes Neovim to crash.
If you place the below contents in `vimrc` and run `nvim -u vimrc`,
Neovim crashes with `*** buffer overflow detected ***: terminated`.
Obviously this is a serious security bug. While this particular
variant is detected, it's not necessarily the case that every variant
will be detected, so patching this appropriately is important.
Since spell files are frequently downloaded from the Internet (and I
believe both Vim and Neovim contain functionality to do so), this allows
a malicious provider of spell files to create a buffer overflow, which
could allow arbitrary code execution.
Could you either upload Neovim 0.12.2 or backport the appropriate
security patches from newer versions of Neovim?
vimrc:
----
func s:abc()
let aff_lines = ['SET ISO8859-1', 'SFX A Y 1',
\ 'SFX A 0 s ' .. repeat(nr2char(0xff), 491)]
call writefile(aff_lines, 'Xbof.aff', 'D')
call writefile(['1', 'word/A'], 'Xbof.dic', 'D')
" Must not crash; ignore any conversion/regex errors.
try
mkspell! Xbof.spl Xbof
catch
endtry
defer delete('Xbof.spl')
let long = repeat(nr2char(0xff), 200)
let aff2_lines = ['SET ISO8859-1', 'SFX A Y 1',
\ 'SFX A 0 ' .. long .. ' .']
call writefile(aff2_lines, 'Xbof2.aff', 'D')
call writefile(['1', long .. '/A'], 'Xbof2.dic', 'D')
try
mkspell! Xbof2.spl Xbof2
catch
endtry
defer delete('Xbof2.spl')
endfunc
call s:abc()
----
These contents were derived from the test in Vim patch 9.2.0331.
-- System Information:
Debian Release: forky/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 7.0.3+deb14-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages neovim depends on:
ii libc6 2.42-15
ii libluajit-5.1-2 2.1.0+openresty20251030-1+b2
ii libtree-sitter0.25 0.25.9-7+b1
ii libunibilium4 2.1.1-2+b3
ii libutf8proc3 2.11.3-2
ii libuv1t64 1.51.0-2+b2
ii lua-lpeg 1.1.0-3+b1
ii lua-luv 1.51.0-1-1+b1
ii neovim-runtime 0.11.6-1
Versions of packages neovim recommends:
ii python3-pynvim 0.6.0-2
ii wl-clipboard 2.2.1-2
ii xclip 0.13-4
ii xxd 2:9.2.0428-1
Versions of packages neovim suggests:
pn ctags <none>
pn vim-scripts <none>
-- no debconf information
--
brian m. carlson (they/them)
Toronto, Ontario, CA
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: neovim
Source-Version: 0.12.3-1
Done: James McCoy <[email protected]>
We believe that the bug you reported is fixed in the latest version of
neovim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated neovim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 13 Jun 2026 20:10:46 -0400
Source: neovim
Architecture: source
Version: 0.12.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Vim Maintainers <[email protected]>
Changed-By: James McCoy <[email protected]>
Closes: 1132614 1135706
Changes:
neovim (0.12.3-1) unstable; urgency=medium
.
* Upload to unstable
* Update to new upstream version 0.12.3.
* Backport patch to fix skipping upstream tests
+ fix(test): support multiple --filter-out
.
neovim (0.12.2-2) experimental; urgency=medium
.
* Remove loong64 from LuaJIT architectures, since luajit crashes during
neovim build
* Remove lua-inspect test dependency
* Remove lua-busted test dependency
* Install bash and zsh completions for nvim
* Backport upstream patch to fix ppc64el test failure
+ fix(unittest): preprocess failure when __typeof declarations present
#40145
.
neovim (0.12.2-1) experimental; urgency=medium
.
* Update to new upstream version 0.12.2. (Closes: #1132614)
+ Includes various security fixes, backported from Vim (Closes: #1135706)
* Bump tree-sitter parser versions to match upstream
* Enable building with luajit on loong64, powerpc, ppc64el, and riscv64
* Switch from $BUSTED_ARGS to $TEST_ARGS run running tests
* Add git as a test dependency
* Skip test which does not expect certain Lua 5.2 functions to be present in
LuaJIT
* Bump tree-sitter Build-Depends to 0.26
* Remove shell-script-fails-syntax-check override
* Declare compliance with Policy 4.7.4
* Backport patches to fix test failures
+ fix(test): only test for unibilium if a valid compilation string exists
+ vim-patch:9.2.0395: tests: Test_backupskip() may read from $HOME (#39417)
Checksums-Sha1:
7a1cd9be8f511381db279d6de4ae321daa9c544e 3118 neovim_0.12.3-1.dsc
c6e29c10db65668373a2bc57ac45295f7f879bc0 9473188 neovim_0.12.3.orig.tar.xz
7f34c81ed65f41b762a2d4ab918337ccd4513a86 28444 neovim_0.12.3-1.debian.tar.xz
e59e8a8e335204bfbe30be002f1ca592398d382b 29207864 neovim_0.12.3-1.git.tar.xz
e474140bfad50d95b11e93924cb8283952a13279 17488 neovim_0.12.3-1_source.buildinfo
Checksums-Sha256:
7e7aad0d28a951c63220f9485ea411b26b6504917a1ad4d01d5e583ecf6baa89 3118
neovim_0.12.3-1.dsc
7c67e0244a94e8b7ba27acda9ca91a1d1a33123ef2ab8838010e5398fd7bd861 9473188
neovim_0.12.3.orig.tar.xz
1f929eef288521ff933adffe21fc5180cf6537f0745babbd4cf95085ddb85f56 28444
neovim_0.12.3-1.debian.tar.xz
f4925e72d3b4e46a59a321abcc655b57a61da01967aaf9d4db7ae5b0651009b1 29207864
neovim_0.12.3-1.git.tar.xz
6b903051161f06b217849db66ebd20b7eb7bd224631c6557027f98fa2bacd6ea 17488
neovim_0.12.3-1_source.buildinfo
Files:
f0972d7b45501c0e5ea2cbf51edae0d6 3118 editors optional neovim_0.12.3-1.dsc
ba1621e33c6fe4b3584819fa166e9820 9473188 editors optional
neovim_0.12.3.orig.tar.xz
af1d6c155fc4a08be6e1d352673856e1 28444 editors optional
neovim_0.12.3-1.debian.tar.xz
a70c1f4094ebde4a85293a06605f9b1b 29207864 editors None
neovim_0.12.3-1.git.tar.xz
75e76efde5bafde31790791bbbf21bdc 17488 editors optional
neovim_0.12.3-1_source.buildinfo
Git-Tag-Info: tag=c27f3f366a480ec305bcc9d6aa45f6f3012e7ad6
fp=91bfbf4d6956bd5df7b72d23dfe691ae331ba3db
Git-Tag-Tagger: James McCoy <[email protected]>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmot+VcACgkQYG0ITkaD
wHkjChAAsE/0jXJscW/F1N94T31MThg0JBlryvvhElQhvf/q9v1B5kH287zIP73B
rdiocN2SJ82PVojhd/6VHWqvmDKtrD86Ndx542pUp2CJ9RHGIzCAAU2Oei6m/6Ki
xsdWWjiSOMvSVMmLjIDr9Od+8HiQDrZ1dM0Snza/QXGJZQYGy8yGD34oGC94jjPh
Lev1n1WC2Fp3Jj1ht/63liVy4iz255A9vEoATQpan+G/Sp2qpkV04OP/E9Yv9tHe
tsWdN3j5CUmxwVj1HJ4IsmhW9/nY4Z6rJHdAAYg5iCqkZjHztKVjyTRYm4tFdaL6
Ol2gc3nVtdPLONG1PPLUEmP+ecQcXycMJEiLeofoalLAO1zHH90IkiArSYPid+Xl
8CD68sp4XVNlRX0oTKAIDYwFqSc7rnb7YfkcSuL61c4m/sRjVnw0/DFTTYX3d1cL
VkESK6XQ6dCDEwo+4jXjgWDPZiltksDrbX+GRhfB5LaFMVN2IShLMu5z8WzlEBfC
eBF2DdeQGQMDh2KgkcdTsfAvyIlGBrg5mk9b34xnuKzR2I1uLup7Pow/sjzY8hWj
dP8Z5mGzbuw2iwttjHNACpD87ZJPdeF4LFFC32mo+QVTU0yZepf90ZQ4znvmbKfm
g3GkFuBKp9R819MzyluLSOd4qzIMlCAsypQe+9Fm4HGJ235ca0c=
=nSj6
-----END PGP SIGNATURE-----
pgpgtvLRiB2Me.pgp
Description: PGP signature
--- End Message ---
