Pick patch from [1] & [2] also mentioned at NVD report in 3 & 4 [1] https://github.com/vim/vim/commit/bb6de2105b160e729c340631435cd62f3e69bd32 [2] https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 [3] https://nvd.nist.gov/vuln/detail/CVE-2026-28420 [4] https://nvd.nist.gov/vuln/detail/CVE-2026-46483
Signed-off-by: Hitendra Prajapati <[email protected]> --- .../vim/files/CVE-2026-28420.patch | 162 ++++++++++++++++++ .../vim/files/CVE-2026-46483.patch | 77 +++++++++ meta/recipes-support/vim/vim.inc | 2 + 3 files changed, 241 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-28420.patch create mode 100644 meta/recipes-support/vim/files/CVE-2026-46483.patch diff --git a/meta/recipes-support/vim/files/CVE-2026-28420.patch b/meta/recipes-support/vim/files/CVE-2026-28420.patch new file mode 100644 index 0000000000..72e87d470a --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-28420.patch @@ -0,0 +1,162 @@ +From bb6de2105b160e729c340631435cd62f3e69bd32 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <[email protected]> +Date: Mon, 23 Feb 2026 20:29:43 +0000 +Subject: [PATCH] patch 9.2.0076: [security]: buffer-overflow in terminal + handling + +Problem: When processing terminal output with many combining characters + from supplementary planes (4-byte UTF-8), a heap-buffer + overflow occurs. Additionally, the loop iterating over + cell characters can read past the end of the vterm array + (ehdgks0627, un3xploitable). +Solution: Use VTERM_MAX_CHARS_PER_CELL * 4 for ga_grow() to ensure + sufficient space. Add a boundary check to the character + loop to prevent index out-of-bounds access. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg + +Signed-off-by: Christian Brabandt <[email protected]> + +Upstream-Status: Backport from [https://github.com/vim/vim/commit/bb6de2105b160e729c340631435cd62f3e69bd32] +CVE: CVE-2026-28420 +Signed-off-by: Hitendra Prajapati <[email protected]> +--- + src/terminal.c | 5 +- + .../samples/terminal_max_combining_chars.txt | 80 +++++++++++++++++++ + src/testdir/test_terminal3.vim | 14 ++++ + 3 files changed, 97 insertions(+), 2 deletions(-) + create mode 100644 src/testdir/samples/terminal_max_combining_chars.txt + +diff --git a/src/terminal.c b/src/terminal.c +index 921b234..78990ac 100644 +--- a/src/terminal.c ++++ b/src/terminal.c +@@ -3533,12 +3533,13 @@ handle_pushline(int cols, const VTermScreenCell *cells, void *user) + { + for (col = 0; col < len; col += cells[col].width) + { +- if (ga_grow(&ga, MB_MAXBYTES) == FAIL) ++ if (ga_grow(&ga, VTERM_MAX_CHARS_PER_CELL * 4) == FAIL) + { + ga.ga_len = 0; + break; + } +- for (i = 0; (c = cells[col].chars[i]) > 0 || i == 0; ++i) ++ for (i = 0; i < VTERM_MAX_CHARS_PER_CELL && ++ ((c = cells[col].chars[i]) > 0 || i == 0); ++i) + ga.ga_len += utf_char2bytes(c == NUL ? ' ' : c, + (char_u *)ga.ga_data + ga.ga_len); + cell2cellattr(&cells[col], &p[col]); +diff --git a/src/testdir/samples/terminal_max_combining_chars.txt b/src/testdir/samples/terminal_max_combining_chars.txt +new file mode 100644 +index 0000000..a4f508d +--- /dev/null ++++ b/src/testdir/samples/terminal_max_combining_chars.txt +@@ -0,0 +1,80 @@ ++padding line 000 ++padding line 001 ++padding line 002 ++padding line 003 ++padding line 004 ++padding line 005 ++padding line 006 ++padding line 007 ++padding line 008 ++padding line 009 ++padding line 010 ++padding line 011 ++padding line 012 ++padding line 013 ++padding line 014 ++padding line 015 ++padding line 016 ++padding line 017 ++padding line 018 ++padding line 019 ++padding line 020 ++padding line 021 ++padding line 022 ++padding line 023 ++padding line 024 ++padding line 025 ++padding line 026 ++padding line 027 ++padding line 028 ++padding line 029 ++padding line 030 ++padding line 031 ++padding line 032 ++padding line 033 ++padding line 034 ++padding line 035 ++padding line 036 ++padding line 037 ++padding line 038 ++padding line 039 ++padding line 040 ++padding line 041 ++padding line 042 ++padding line 043 ++padding line 044 ++padding line 045 ++padding line 046 ++padding line 047 ++padding line 048 ++padding line 049 ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó ++AAAAAAAAAAAAAAAAAAAAAAAAAAAAđó ó ó ó ó +diff --git a/src/testdir/test_terminal3.vim b/src/testdir/test_terminal3.vim +index 218b4e6..cb1946f 100644 +--- a/src/testdir/test_terminal3.vim ++++ b/src/testdir/test_terminal3.vim +@@ -1037,4 +1037,18 @@ func Test_terminal_visual_empty_listchars() + call StopVimInTerminal(buf) + endfunc + ++func Test_terminal_max_combining_chars() ++ " somehow doesn't work on MS-Windows ++ CheckUnix ++ let cmd = "cat samples/terminal_max_combining_chars.txt\<CR>" ++ let buf = Run_shell_in_terminal({'term_rows': 15, 'term_cols': 35}) ++ call TermWait(buf) ++ call term_sendkeys(buf, cmd) ++ " last char is a space with many combining chars ++ call WaitForAssert({-> assert_match("AAAAAAAAAAAAAAAAAAAAAAAAAAAA.", term_getline(buf, 14))}) ++ ++ call term_sendkeys(buf, "exit\r") ++ exe buf . "bwipe!" ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.34.1 + diff --git a/meta/recipes-support/vim/files/CVE-2026-46483.patch b/meta/recipes-support/vim/files/CVE-2026-46483.patch new file mode 100644 index 0000000000..d28402cc67 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-46483.patch @@ -0,0 +1,77 @@ +From 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <[email protected]> +Date: Thu, 14 May 2026 15:35:28 +0000 +Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection + in tar plugin + +Problem: [security]: runtime(tar): command injection in tar plugin + (Christopher Lusk) +Solution: Use the correct shellescape(args, 1) form for a :! command + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w + +Signed-off-by: Christian Brabandt <[email protected]> + +Upstream-Status: Backport from [https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1] +CVE: CVE-2026-46483 +Signed-off-by: Hitendra Prajapati <[email protected]> +--- + runtime/autoload/tar.vim | 5 +++-- + src/testdir/test_plugin_tar.vim | 19 +++++++++++++++++++ + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim +index 74a5b38..95d2be0 100644 +--- a/runtime/autoload/tar.vim ++++ b/runtime/autoload/tar.vim +@@ -18,6 +18,7 @@ + " 2025 May 19 by Vim Project: restore working directory after read/write + " 2025 Jul 13 by Vim Project: warn with path traversal attacks + " 2025 Jul 16 by Vim Project: update minimum vim version ++" 2026 May 14 by Vim Project: use correct shellescape() call in Vimuntar() + " + " Contains many ideas from Michael Toren's <tar.vim> + " +@@ -800,9 +801,9 @@ fun! tar#Vimuntar(...) + " if necessary, decompress the tarball; then, extract it + if tartail =~ '\.tgz' + if executable("gunzip") +- silent exe "!gunzip ".shellescape(tartail) ++ silent exe "!gunzip ".shellescape(tartail, 1) + elseif executable("gzip") +- silent exe "!gzip -d ".shellescape(tartail) ++ silent exe "!gzip -d ".shellescape(tartail, 1) + else + echoerr "unable to decompress<".tartail."> on this system" + if simplify(curdir) != simplify(tarhome) +diff --git a/src/testdir/test_plugin_tar.vim b/src/testdir/test_plugin_tar.vim +index ebf74d7..8e776a4 100644 +--- a/src/testdir/test_plugin_tar.vim ++++ b/src/testdir/test_plugin_tar.vim +@@ -126,3 +126,22 @@ def g:Test_tar_evil() + + bw! + enddef ++ ++def g:Test_extract_command_injection() ++ CheckExecutable gunzip ++ CheckExecutable touch ++ var tgz = eval('0z1F8B08087795056A000364756D6D792E74617200EDCE2B12C2300004D01C254' .. ++ '7480269CE534080A8495BD1DBF3996106C3A08A7ACFACD8157B59A7690BFB4A0FC3707C666E357D' .. ++ 'E65BC8B5A47CC8A5D61A522EA5B510D3CEBF5ED679197B8CE17CEDB7F9D4C76FBB5F3D000000000' .. ++ '000000000FCD11D32415E2C00280000') ++ var dirname = tempname() ++ ++ mkdir(dirname, 'R') ++ var tar = dirname .. "/';%$(touch pwned)'.tgz" ++ writefile(tgz, tar) ++ new ++ exe "e " .. fnameescape(tar) ++ exe ":Vimuntar " .. dirname ++ assert_false(filereadable(dirname .. "/pwned")) ++ bw! ++enddef +-- +2.34.1 + diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 262833ea33..95d00a09bd 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -31,6 +31,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://CVE-2026-32249.patch \ file://CVE-2026-28417.patch \ file://CVE-2026-45130.patch \ + file://CVE-2026-46483.patch \ + file://CVE-2026-28420.patch \ " PV .= ".1683" -- 2.50.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239282): https://lists.openembedded.org/g/openembedded-core/message/239282 Mute This Topic: https://lists.openembedded.org/mt/119922632/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
