On Fri Jun 19, 2026 at 10:58 AM CEST, Hitendra Prajapati via 
lists.openembedded.org wrote:
> Pick patch from [1], [2] & [3] also mentioned at NVD report in [4,5 & 6]
>
> [1] https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615f13a7de44c0587
> [2] https://github.com/vim/vim/commit/664701eb7576edb7c7c7d9f2d600815ec1f43459
> [3] https://github.com/vim/vim/commit/7088926316d8d4a7572a242d0765e99adfc8b083
> [4] https://nvd.nist.gov/vuln/detail/CVE-2026-34982
> [5] https://nvd.nist.gov/vuln/detail/CVE-2026-34714
> [6] https://nvd.nist.gov/vuln/detail/CVE-2026-35177
>
> More info :
> CVE-2026-34982 - vim: arbitrary command execution via modeline sandbox bypass.
> CVE-2026-34714 - vim: Arbitrary code execution via crafted file.
> CVE-2026-35177 - vim zip.vim plugin: Arbitrary file overwrite via path 
> traversal bypass.
>
> Signed-off-by: Hitendra Prajapati <[email protected]>
> ---
>  .../vim/files/CVE-2026-34714.patch            | 109 ++++++++++++++++++
>  .../vim/files/CVE-2026-34982.patch            | 105 +++++++++++++++++
>  .../vim/files/CVE-2026-35177.patch            |  58 ++++++++++
>  meta/recipes-support/vim/vim.inc              |   5 +-
>  4 files changed, 276 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-34714.patch
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-34982.patch
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-35177.patch
>
> diff --git a/meta/recipes-support/vim/files/CVE-2026-34714.patch 
> b/meta/recipes-support/vim/files/CVE-2026-34714.patch
> new file mode 100644
> index 0000000000..fef167e535
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-34714.patch
> @@ -0,0 +1,109 @@
> +From 664701eb7576edb7c7c7d9f2d600815ec1f43459 Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Mon, 30 Mar 2026 08:20:43 +0000
> +Subject: [PATCH] patch 9.2.0272: [security]: 'tabpanel' can be set in a
> + modeline
> +
> +Problem:  'tabpanel' can be set in a modeline
> +Solution: Set the P_MLE flag for the 'tabpanel' option, disable
> +          autocmd_add()/autocomd_delete() functions in restricted/secure
> +          mode.
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh
> +
> +Signed-off-by: Christian Brabandt <[email protected]>
> +
> +CVE: CVE-2026-34714
> +Upstream-Status: Backport 
> [https://github.com/vim/vim/commit/664701eb7576edb7c7c7d9f2d600815ec1f43459]
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + src/autocmd.c                 |  3 +++
> + src/optiondefs.h              |  2 +-
> + src/testdir/test_autocmd.vim  |  5 +++++
> + src/testdir/test_tabpanel.vim | 16 ++++++++++++++++
> + src/version.c                 |  2 ++
> + 5 files changed, 27 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/autocmd.c b/src/autocmd.c
> +index 94f9c1fba4..8a6b363aad 100644
> +--- a/src/autocmd.c
> ++++ b/src/autocmd.c
> +@@ -3069,6 +3069,9 @@ autocmd_add_or_delete(typval_T *argvars, typval_T 
> *rettv, int delete)
> +     rettv->v_type = VAR_BOOL;
> +     rettv->vval.v_number = VVAL_FALSE;
> + 
> ++    if (check_restricted() || check_secure())
> ++    return;
> ++
> +     if (check_for_list_arg(argvars, 0) == FAIL)
> +     return;
> + 
> +diff --git a/src/optiondefs.h b/src/optiondefs.h
> +index 62d142e637..bd02d04f47 100644
> +--- a/src/optiondefs.h
> ++++ b/src/optiondefs.h
> +@@ -2570,7 +2570,7 @@ static struct vimoption options[] =
> +                         (char_u *)&p_tpm, PV_NONE, NULL, NULL,
> +                         {(char_u *)10L, (char_u *)0L} SCTX_INIT},
> + #if defined(FEAT_TABPANEL)
> +-    {"tabpanel",  "tpl",    P_STRING|P_VI_DEF|P_RALL,
> ++    {"tabpanel",  "tpl",    P_STRING|P_VI_DEF|P_RALL|P_MLE,
> +                         (char_u *)&p_tpl, PV_NONE, NULL, NULL,
> +                         {(char_u *)"", (char_u *)0L} SCTX_INIT},
> +     {"tabpanelopt","tplo",  P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_COLON
> +diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
> +index 43605f7e11..1fea13b00a 100644
> +--- a/src/testdir/test_autocmd.vim
> ++++ b/src/testdir/test_autocmd.vim
> +@@ -5501,4 +5501,9 @@ func Test_VimResized_and_window_width_not_equalized()
> +   call StopVimInTerminal(buf)
> + endfunc
> + 
> ++func Test_autocmd_add_secure()
> ++  call assert_fails('sandbox call autocmd_add([{"event": "BufRead", "cmd": 
> "let x = 1"}])', 'E48:')
> ++  call assert_fails('sandbox call autocmd_delete([{"event": "BufRead"}])', 
> 'E48:')
> ++endfunc
> ++
> + " vim: shiftwidth=2 sts=2 expandtab
> +diff --git a/src/testdir/test_tabpanel.vim b/src/testdir/test_tabpanel.vim
> +index ecc12b59be..b0d4202dc4 100644
> +--- a/src/testdir/test_tabpanel.vim
> ++++ b/src/testdir/test_tabpanel.vim
> +@@ -770,4 +770,20 @@ function Test_tabpanel_with_cmdline_pum()
> + 
> +   call StopVimInTerminal(buf)
> + endfunc
> ++
> ++func Test_tabpanel_no_modeline()
> ++  let _tpl = &tabpanel
> ++  let _mls = &modelineexpr
> ++
> ++  set nomodelineexpr
> ++  setlocal modeline
> ++  new
> ++  call writefile(['/* vim: set tabpanel=test: */'], 'Xtabpanel.txt', 'D')
> ++  call assert_fails(':e Xtabpanel.txt', 'E992:')
> ++
> ++  let &tabpanel = _tpl
> ++  let &modelineexpr = _mls
> ++  bw!
> ++endfunc
> ++
> + " vim: shiftwidth=2 sts=2 expandtab
> +diff --git a/src/version.c b/src/version.c
> +index 4f47ec2688..309ddf7f7c 100644
> +--- a/src/version.c
> ++++ b/src/version.c
> +@@ -724,6 +724,8 @@ static char *(features[]) =
> + 
> + static int included_patches[] =
> + {   /* Add new patch number below this line */
> ++/**/
> ++    1687,
> + /**/
> +     1686,
> + /**/
> +-- 
> +2.50.1
> +
> diff --git a/meta/recipes-support/vim/files/CVE-2026-34982.patch 
> b/meta/recipes-support/vim/files/CVE-2026-34982.patch
> new file mode 100644
> index 0000000000..a646dfd8cb
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-34982.patch
> @@ -0,0 +1,105 @@
> +From 75661a66a1db1e1f3f1245c615f13a7de44c0587 Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Tue, 31 Mar 2026 18:29:00 +0000
> +Subject: [PATCH] patch 9.2.0276: [security]: modeline security bypass
> +
> +Problem:  [security]: modeline security bypass
> +Solution: disallow mapset() from secure mode, set the P_MLE flag for the
> +          'complete', 'guitabtooltip' and 'printheader' options.
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9
> +
> +Signed-off-by: Christian Brabandt <[email protected]>
> +
> +CVE: CVE-2026-34982
> +Upstream-Status: Backport from 
> [https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615f13a7de44c0587]
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + src/map.c                     |  3 +++
> + src/optiondefs.h              |  6 +++---
> + src/testdir/test_modeline.vim | 25 +++++++++++++++++++++++++
> + 3 files changed, 31 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/map.c b/src/map.c
> +index fbecf4aced..7677243625 100644
> +--- a/src/map.c
> ++++ b/src/map.c
> +@@ -2746,6 +2746,9 @@ f_mapset(typval_T *argvars, typval_T *rettv UNUSED)
> +     int             dict_only;
> +     mapblock_T      *mp_result[2] = {NULL, NULL};
> + 
> ++    if (check_secure())
> ++    return;
> ++
> +     // If first arg is a dict, then that's the only arg permitted.
> +     dict_only = argvars[0].v_type == VAR_DICT;
> +     if (in_vim9script()
> +diff --git a/src/optiondefs.h b/src/optiondefs.h
> +index 77155a63e8..62d142e637 100644
> +--- a/src/optiondefs.h
> ++++ b/src/optiondefs.h
> +@@ -683,7 +683,7 @@ static struct vimoption options[] =
> +     {"compatible",  "cp",   P_BOOL|P_RALL,
> +                         (char_u *)&p_cp, PV_NONE, did_set_compatible, NULL,
> +                         {(char_u *)TRUE, (char_u *)FALSE} SCTX_INIT},
> +-    {"complete",    "cpt",  P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_NODUP,
> ++    {"complete",    "cpt",  
> P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_NODUP|P_MLE,
> +                         (char_u *)&p_cpt, PV_CPT, did_set_complete, 
> expand_set_complete,
> +                         {(char_u *)".,w,b,u,t,i", (char_u *)0L}
> +                         SCTX_INIT},
> +@@ -1326,7 +1326,7 @@ static struct vimoption options[] =
> +                         {(char_u *)NULL, (char_u *)0L}
> + #endif
> +                         SCTX_INIT},
> +-    {"guitabtooltip",  "gtt", P_STRING|P_VI_DEF|P_RWIN,
> ++    {"guitabtooltip",  "gtt", P_STRING|P_VI_DEF|P_RWIN|P_MLE,
> + #if defined(FEAT_GUI_TABLINE)
> +                         (char_u *)&p_gtt, PV_NONE, NULL, NULL,
> +                         {(char_u *)"", (char_u *)0L}
> +@@ -2044,7 +2044,7 @@ static struct vimoption options[] =
> +                         {(char_u *)NULL, (char_u *)0L}
> + #endif
> +                         SCTX_INIT},
> +-    {"printheader", "pheader",  P_STRING|P_VI_DEF|P_GETTEXT,
> ++    {"printheader", "pheader",  P_STRING|P_VI_DEF|P_GETTEXT|P_MLE,
> + #ifdef FEAT_PRINTER
> +                         (char_u *)&p_header, PV_NONE, NULL, NULL,
> +                         // untranslated to avoid problems when 'encoding'
> +diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
> +index 1f8686328a..c00032ba72 100644
> +--- a/src/testdir/test_modeline.vim
> ++++ b/src/testdir/test_modeline.vim
> +@@ -361,4 +361,29 @@ func Test_modeline_disable()
> +   call assert_equal(2, &sw)
> + endfunc
> + 
> ++func Test_modeline_forbidden()
> ++  let tempfile = tempname()
> ++  let lines =<< trim END
> ++    some test text for completion
> ++    vim: set complete=F{->system('touch_should_not_run')} :
> ++  END
> ++  call writefile(lines, tempfile, 'D')
> ++  call assert_fails($'new {tempfile}', 'E992:')
> ++  bw!
> ++  let lines =<< trim END
> ++    some text
> ++    vim: set guitabtooltip=%{%mapset()%}:
> ++  END
> ++  call writefile(lines, tempfile)
> ++  call assert_fails($'new {tempfile}', 'E992:')
> ++  bw!
> ++  let lines =<< trim END
> ++    some text
> ++    vim: set printheader=%{mapset('n',0,{})%)%}:
> ++  END
> ++  call writefile(lines, tempfile, 'D')
> ++  call assert_fails($'new {tempfile}', 'E992:')
> ++  bw!
> ++endfunc
> ++
> + " vim: shiftwidth=2 sts=2 expandtab
> +-- 
> +2.35.7
> +
> diff --git a/meta/recipes-support/vim/files/CVE-2026-35177.patch 
> b/meta/recipes-support/vim/files/CVE-2026-35177.patch
> new file mode 100644
> index 0000000000..23e1043879
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-35177.patch
> @@ -0,0 +1,58 @@
> +From 7088926316d8d4a7572a242d0765e99adfc8b083 Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Wed, 1 Apr 2026 16:23:49 +0000
> +Subject: [PATCH] patch 9.2.0280: [security]: path traversal issue in zip.vim
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Problem:  [security]: path traversal issue in zip.vim
> +          (MichaƂ Majchrowicz)
> +Solution: Detect more such attacks and warn the user.
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24
> +
> +CVE: CVE-2026-35177
> +Upstream-Status: Backport from 
> https://github.com/vim/vim/commit/7088926316d8d4a7572a242d0765e99adfc8b083

Please respect the syntax "Upstream-Status: Backport [URL]" (with
Brackets). I do use this syntax to automate much of my reviews.

> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + runtime/autoload/zip.vim | 8 +++++++-
> + 1 files changed, 7 insertions(+), 1 deletion(-)
> +
> +diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
> +index c46ec44708..e57fbcfde0 100644
> +--- a/runtime/autoload/zip.vim
> ++++ b/runtime/autoload/zip.vim
> +@@ -16,6 +16,7 @@
> + " 2024 Aug 21 by Vim Project: simplify condition to detect MS-Windows
> + " 2025 Mar 11 by Vim Project: handle filenames with leading '-' correctly
> + " 2025 Jul 12 by Vim Project: drop ../ on write to prevent path traversal 
> attacks
> ++" 2026 Apr 01 by Vim Project: Detect more path traversal attacks
> + " License:  Vim License  (see vim's :help license)
> + " Copyright:        Copyright (C) 2005-2019 Charles E. Campbell {{{1
> + "           Permission is hereby granted to use and distribute this code,
> +@@ -246,6 +247,11 @@ fun! zip#Write(fname)
> +     return
> +   endif
> + 
> ++  if simplify(a:fname) =~ '\.\.[/\\]'
> ++    call s:Mess('Error', "***error*** (zip#Write) Path Traversal Attack 
> detected, not writing!")
> ++    return
> ++  endif
> ++
> +   let curdir= getcwd()
> +   let tmpdir= tempname()
> +   if tmpdir =~ '\.'
> +@@ -344,7 +350,7 @@ fun! zip#Extract()
> +   if fname =~ '/$'
> +     call s:Mess('Error', "***error*** (zip#Extract) Please specify a file, 
> not a directory")
> +     return
> +-  elseif fname =~ '^[.]\?[.]/'
> ++  elseif fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\\]'
> +     call s:Mess('Error', "***error*** (zip#Browse) Path Traversal Attack 
> detected, not extracting!")
> +     return
> +   endif
> +-- 
> +2.35.7
> +
> diff --git a/meta/recipes-support/vim/vim.inc 
> b/meta/recipes-support/vim/vim.inc
> index 1396ac4fbc..0b7a831eed 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -16,12 +16,15 @@ SRC_URI = 
> "git://github.com/vim/vim.git;branch=master;protocol=https \
>             file://disable_acl_header_check.patch \
>             file://0001-src-Makefile-improve-reproducibility.patch \
>             file://no-path-adjust.patch \
> +           file://CVE-2026-34982.patch \
> +           file://CVE-2026-33412.patch \
>             file://CVE-2026-25749.patch \
>             file://CVE-2026-26269.patch \
> -           file://CVE-2026-33412.patch \

CVE-2026-33412.patch was moved without being mentionned in commit
message. Please don't mix unrelated changes.

Since you sent 5 individual patches for vim: can you send me a v2 this
the above changes but as a series (with the 4 other patches)?

Thanks!

>             file://CVE-2026-28418.patch \
>             file://CVE-2026-28419.patch \
> +           file://CVE-2026-34714.patch \
>             file://CVE-2026-39881.patch \
> +           file://CVE-2026-35177.patch \
>             "
>  
>  PV .= ".1683"


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239663): 
https://lists.openembedded.org/g/openembedded-core/message/239663
Mute This Topic: https://lists.openembedded.org/mt/119880670/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to