Pick patch from [1] & [2] also mentioned at NVD report in 3 & 4

[1] https://github.com/vim/vim/commit/bb6de2105b160e729c340631435cd62f3e69bd32
[2] https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-28420
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-46483

Signed-off-by: Hitendra Prajapati <[email protected]>
---
 .../vim/files/CVE-2026-28420.patch            | 162 ++++++++++++++++++
 .../vim/files/CVE-2026-46483.patch            |  77 +++++++++
 meta/recipes-support/vim/vim.inc              |   2 +
 3 files changed, 241 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-28420.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-46483.patch

diff --git a/meta/recipes-support/vim/files/CVE-2026-28420.patch 
b/meta/recipes-support/vim/files/CVE-2026-28420.patch
new file mode 100644
index 0000000000..72e87d470a
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-28420.patch
@@ -0,0 +1,162 @@
+From bb6de2105b160e729c340631435cd62f3e69bd32 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <[email protected]>
+Date: Mon, 23 Feb 2026 20:29:43 +0000
+Subject: [PATCH] patch 9.2.0076: [security]: buffer-overflow in terminal
+ handling
+
+Problem:  When processing terminal output with many combining characters
+          from supplementary planes (4-byte UTF-8), a heap-buffer
+          overflow occurs. Additionally, the loop iterating over
+          cell characters can read past the end of the vterm array
+          (ehdgks0627, un3xploitable).
+Solution: Use VTERM_MAX_CHARS_PER_CELL * 4 for ga_grow() to ensure
+          sufficient space. Add a boundary check to the character
+          loop to prevent index out-of-bounds access.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg
+
+Signed-off-by: Christian Brabandt <[email protected]>
+
+Upstream-Status: Backport from 
[https://github.com/vim/vim/commit/bb6de2105b160e729c340631435cd62f3e69bd32]
+CVE: CVE-2026-28420
+Signed-off-by: Hitendra Prajapati <[email protected]>
+---
+ src/terminal.c                                |  5 +-
+ .../samples/terminal_max_combining_chars.txt  | 80 +++++++++++++++++++
+ src/testdir/test_terminal3.vim                | 14 ++++
+ 3 files changed, 97 insertions(+), 2 deletions(-)
+ create mode 100644 src/testdir/samples/terminal_max_combining_chars.txt
+
+diff --git a/src/terminal.c b/src/terminal.c
+index 921b234..78990ac 100644
+--- a/src/terminal.c
++++ b/src/terminal.c
+@@ -3533,12 +3533,13 @@ handle_pushline(int cols, const VTermScreenCell 
*cells, void *user)
+     {
+       for (col = 0; col < len; col += cells[col].width)
+       {
+-          if (ga_grow(&ga, MB_MAXBYTES) == FAIL)
++          if (ga_grow(&ga, VTERM_MAX_CHARS_PER_CELL * 4) == FAIL)
+           {
+               ga.ga_len = 0;
+               break;
+           }
+-          for (i = 0; (c = cells[col].chars[i]) > 0 || i == 0; ++i)
++          for (i = 0; i < VTERM_MAX_CHARS_PER_CELL &&
++                  ((c = cells[col].chars[i]) > 0 || i == 0); ++i)
+               ga.ga_len += utf_char2bytes(c == NUL ? ' ' : c,
+                       (char_u *)ga.ga_data + ga.ga_len);
+           cell2cellattr(&cells[col], &p[col]);
+diff --git a/src/testdir/samples/terminal_max_combining_chars.txt 
b/src/testdir/samples/terminal_max_combining_chars.txt
+new file mode 100644
+index 0000000..a4f508d
+--- /dev/null
++++ b/src/testdir/samples/terminal_max_combining_chars.txt
+@@ -0,0 +1,80 @@
++padding line 000
++padding line 001
++padding line 002
++padding line 003
++padding line 004
++padding line 005
++padding line 006
++padding line 007
++padding line 008
++padding line 009
++padding line 010
++padding line 011
++padding line 012
++padding line 013
++padding line 014
++padding line 015
++padding line 016
++padding line 017
++padding line 018
++padding line 019
++padding line 020
++padding line 021
++padding line 022
++padding line 023
++padding line 024
++padding line 025
++padding line 026
++padding line 027
++padding line 028
++padding line 029
++padding line 030
++padding line 031
++padding line 032
++padding line 033
++padding line 034
++padding line 035
++padding line 036
++padding line 037
++padding line 038
++padding line 039
++padding line 040
++padding line 041
++padding line 042
++padding line 043
++padding line 044
++padding line 045
++padding line 046
++padding line 047
++padding line 048
++padding line 049
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
+diff --git a/src/testdir/test_terminal3.vim b/src/testdir/test_terminal3.vim
+index 218b4e6..cb1946f 100644
+--- a/src/testdir/test_terminal3.vim
++++ b/src/testdir/test_terminal3.vim
+@@ -1037,4 +1037,18 @@ func Test_terminal_visual_empty_listchars()
+   call StopVimInTerminal(buf)
+ endfunc
+ 
++func Test_terminal_max_combining_chars()
++  " somehow doesn't work on MS-Windows
++  CheckUnix
++  let cmd = "cat samples/terminal_max_combining_chars.txt\<CR>"
++  let buf = Run_shell_in_terminal({'term_rows': 15, 'term_cols': 35})
++  call TermWait(buf)
++  call term_sendkeys(buf, cmd)
++  " last char is a space with many combining chars
++  call WaitForAssert({-> assert_match("AAAAAAAAAAAAAAAAAAAAAAAAAAAA.", 
term_getline(buf, 14))})
++
++  call term_sendkeys(buf, "exit\r")
++  exe buf . "bwipe!"
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/vim/files/CVE-2026-46483.patch 
b/meta/recipes-support/vim/files/CVE-2026-46483.patch
new file mode 100644
index 0000000000..d28402cc67
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-46483.patch
@@ -0,0 +1,77 @@
+From 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <[email protected]>
+Date: Thu, 14 May 2026 15:35:28 +0000
+Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection
+ in tar plugin
+
+Problem:  [security]: runtime(tar): command injection in tar plugin
+          (Christopher Lusk)
+Solution: Use the correct shellescape(args, 1) form for a :! command
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
+
+Signed-off-by: Christian Brabandt <[email protected]>
+
+Upstream-Status: Backport from 
[https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1]
+CVE: CVE-2026-46483
+Signed-off-by: Hitendra Prajapati <[email protected]>
+---
+ runtime/autoload/tar.vim        |  5 +++--
+ src/testdir/test_plugin_tar.vim | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
+index 74a5b38..95d2be0 100644
+--- a/runtime/autoload/tar.vim
++++ b/runtime/autoload/tar.vim
+@@ -18,6 +18,7 @@
+ "   2025 May 19 by Vim Project: restore working directory after read/write
+ "   2025 Jul 13 by Vim Project: warn with path traversal attacks
+ "   2025 Jul 16 by Vim Project: update minimum vim version
++"   2026 May 14 by Vim Project: use correct shellescape() call in Vimuntar()
+ "
+ "     Contains many ideas from Michael Toren's <tar.vim>
+ "
+@@ -800,9 +801,9 @@ fun! tar#Vimuntar(...)
+   " if necessary, decompress the tarball; then, extract it
+   if tartail =~ '\.tgz'
+    if executable("gunzip")
+-    silent exe "!gunzip ".shellescape(tartail)
++    silent exe "!gunzip ".shellescape(tartail, 1)
+    elseif executable("gzip")
+-    silent exe "!gzip -d ".shellescape(tartail)
++    silent exe "!gzip -d ".shellescape(tartail, 1)
+    else
+     echoerr "unable to decompress<".tartail."> on this system"
+     if simplify(curdir) != simplify(tarhome)
+diff --git a/src/testdir/test_plugin_tar.vim b/src/testdir/test_plugin_tar.vim
+index ebf74d7..8e776a4 100644
+--- a/src/testdir/test_plugin_tar.vim
++++ b/src/testdir/test_plugin_tar.vim
+@@ -126,3 +126,22 @@ def g:Test_tar_evil()
+ 
+   bw!
+ enddef
++
++def g:Test_extract_command_injection()
++  CheckExecutable gunzip
++  CheckExecutable touch
++  var tgz = 
eval('0z1F8B08087795056A000364756D6D792E74617200EDCE2B12C2300004D01C254' ..
++   
'7480269CE534080A8495BD1DBF3996106C3A08A7ACFACD8157B59A7690BFB4A0FC3707C666E357D'
 ..
++   
'E65BC8B5A47CC8A5D61A522EA5B510D3CEBF5ED679197B8CE17CEDB7F9D4C76FBB5F3D000000000'
 ..
++   '000000000FCD11D32415E2C00280000')
++  var dirname = tempname()
++
++  mkdir(dirname, 'R')
++  var tar = dirname .. "/';%$(touch pwned)'.tgz"
++  writefile(tgz, tar)
++  new
++  exe "e " .. fnameescape(tar)
++  exe ":Vimuntar " .. dirname
++  assert_false(filereadable(dirname .. "/pwned"))
++  bw!
++enddef
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 262833ea33..95d00a09bd 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -31,6 +31,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
            file://CVE-2026-32249.patch \
            file://CVE-2026-28417.patch \
            file://CVE-2026-45130.patch \
+           file://CVE-2026-46483.patch \
+           file://CVE-2026-28420.patch \
            "
 
 PV .= ".1683"
-- 
2.50.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239282): 
https://lists.openembedded.org/g/openembedded-core/message/239282
Mute This Topic: https://lists.openembedded.org/mt/119922632/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to