On Fri Jun 19, 2026 at 11:01 AM CEST, Hitendra Prajapati via 
lists.openembedded.org wrote:
> Pick patch from [1], [2] & [3] also mentioned at NVD report in [4,5 & 6]
>
> [1] https://github.com/vim/vim/commit/65c1a143c331c886dc28888dd632708f953b4eb3
> [2] https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb
> [3] https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0
> [4] https://nvd.nist.gov/vuln/detail/CVE-2026-28421
> [5] https://nvd.nist.gov/vuln/detail/CVE-2026-41411

Hello,

As fas as I can tell, CVE-2026-41411 also impacts wrynose. Can you check
that for each scarthgap CVE to fix there is also a fix for master AND
wrynose?

Can you send a fix for wrynose and then, ping back here please?

Thanks!

> [6] https://nvd.nist.gov/vuln/detail/CVE-2026-44656
>
> More info :
> CVE-2026-28421 - Validate block tree indices and readfile() line bounds.
> CVE-2026-41411 - Disallow backticks before attempting to expand filenames.
> CVE-2026-44656 - Prevent shell execution from 'path' backticks via modelines.
>
> Signed-off-by: Hitendra Prajapati <[email protected]>
> ---
>  .../vim/files/CVE-2026-28421.patch            | 148 ++++++++++++++++++
>  .../vim/files/CVE-2026-41411.patch            |  75 +++++++++
>  .../vim/files/CVE-2026-44656.patch            | 130 +++++++++++++++
>  meta/recipes-support/vim/vim.inc              |   3 +
>  4 files changed, 356 insertions(+)
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-28421.patch
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-41411.patch
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-44656.patch
>
> diff --git a/meta/recipes-support/vim/files/CVE-2026-28421.patch 
> b/meta/recipes-support/vim/files/CVE-2026-28421.patch
> new file mode 100644
> index 0000000000..8739212da2
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-28421.patch
> @@ -0,0 +1,148 @@
> +From 65c1a143c331c886dc28888dd632708f953b4eb3 Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Mon, 23 Feb 2026 21:42:39 +0000
> +Subject: [PATCH] patch 9.2.0077: [security]: Crash when recovering a 
> corrupted
> + swap file
> +
> +Problem:  memline: a crafted swap files with bogus pe_page_count/pe_bnum
> +          values could cause a multi-GB allocation via mf_get(), and
> +          invalid pe_old_lnum/pe_line_count values could cause a SEGV
> +          when passed to readfile() (ehdgks0627, un3xploitable)
> +Solution: Add bounds checks on pe_page_count and pe_bnum against
> +          mf_blocknr_max before descending into the block tree, and
> +          validate pe_old_lnum >= 1 and pe_line_count > 0 before calling
> +          readfile().
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-r2gw-2x48-jj5p
> +
> +Signed-off-by: Christian Brabandt <[email protected]>
> +
> +CVE: CVE-2026-28421
> +Upstream-Status: Backport from 
> [https://github.com/vim/vim/commit/65c1a143c331c886dc28888dd632708f953b4eb3]
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + src/memline.c                | 29 ++++++++++++++++++++++++++--
> + src/po/vim.pot               |  5 ++++-
> + src/testdir/test_recover.vim | 37 ++++++++++++++++++++++++++++++++++++
> + 3 files changed, 68 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/memline.c b/src/memline.c
> +index b93eb0a..15ac203 100644
> +--- a/src/memline.c
> ++++ b/src/memline.c
> +@@ -1597,8 +1597,12 @@ ml_recover(int checkext)
> +                     if (!cannot_open)
> +                     {
> +                         line_count = pp->pb_pointer[idx].pe_line_count;
> +-                        if (readfile(curbuf->b_ffname, NULL, lnum,
> +-                                    pp->pb_pointer[idx].pe_old_lnum - 1,
> ++                        linenr_T pe_old_lnum = 
> pp->pb_pointer[idx].pe_old_lnum;
> ++                        // Validate pe_line_count and pe_old_lnum from the
> ++                        // untrusted swap file before passing to readfile().
> ++                        if (line_count <= 0 || pe_old_lnum < 1 ||
> ++                                readfile(curbuf->b_ffname, NULL, lnum,
> ++                                    pe_old_lnum - 1,
> +                                     line_count, NULL, 0) != OK)
> +                             cannot_open = TRUE;
> +                         else
> +@@ -1629,6 +1633,27 @@ ml_recover(int checkext)
> +                 bnum = pp->pb_pointer[idx].pe_bnum;
> +                 line_count = pp->pb_pointer[idx].pe_line_count;
> +                 page_count = pp->pb_pointer[idx].pe_page_count;
> ++                // Validate pe_bnum and pe_page_count from the untrusted
> ++                // swap file before passing to mf_get(), which uses
> ++                // page_count to calculate allocation size.  A bogus value
> ++                // (e.g. 0x40000000) would cause a multi-GB allocation.
> ++                // pe_page_count must be >= 1 and bnum + page_count must
> ++                // not exceed the number of pages in the swap file.
> ++                if (page_count < 1
> ++                        || bnum + page_count > mfp->mf_blocknr_max + 1)
> ++                {
> ++                    ++error;
> ++                    ml_append(lnum++,
> ++                            (char_u *)_("???ILLEGAL BLOCK NUMBER"),
> ++                            (colnr_T)0, TRUE);
> ++                    // Skip this entry and pop back up the stack to keep
> ++                    // recovering whatever else we can.
> ++                    idx = ip->ip_index + 1;
> ++                    bnum = ip->ip_bnum;
> ++                    page_count = 1;
> ++                    --buf->b_ml.ml_stack_top;
> ++                    continue;
> ++                }
> +                 idx = 0;
> +                 continue;
> +             }
> +diff --git a/src/po/vim.pot b/src/po/vim.pot
> +index 9608271..be79cf0 100644
> +--- a/src/po/vim.pot
> ++++ b/src/po/vim.pot
> +@@ -8,7 +8,7 @@ msgid ""
> + msgstr ""
> + "Project-Id-Version: Vim\n"
> + "Report-Msgid-Bugs-To: [email protected]\n"
> +-"POT-Creation-Date: 2026-04-30 12:40+0200\n"
> ++"POT-Creation-Date: 2026-02-27 21:04+0000\n"
> + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
> + "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
> + "Language-Team: LANGUAGE <[email protected]>\n"
> +@@ -1960,6 +1960,9 @@ msgstr ""
> + msgid "???LINES MISSING"
> + msgstr ""
> + 
> ++msgid "???ILLEGAL BLOCK NUMBER"
> ++msgstr ""
> ++
> + msgid "???BLOCK MISSING"
> + msgstr ""
> + 
> +diff --git a/src/testdir/test_recover.vim b/src/testdir/test_recover.vim
> +index db59223..93425f1 100644
> +--- a/src/testdir/test_recover.vim
> ++++ b/src/testdir/test_recover.vim
> +@@ -471,4 +471,41 @@ func Test_noname_buffer()
> +   call assert_equal(['one', 'two'], getline(1, '$'))
> + endfunc
> + 
> ++" Test for recovering a corrupted swap file, those caused a crash
> ++func Test_recover_corrupted_swap_file1()
> ++  CheckUnix
> ++  " only works correctly on 64bit Unix systems:
> ++  if v:sizeoflong != 8 || !has('unix')
> ++    throw 'Skipped: Corrupt Swap file sample requires a 64bit Unix build'
> ++  endif
> ++  " Test 1: Heap buffer-overflow
> ++  new
> ++  let sample = 'samples/recover-crash1.swp'
> ++  let target = 'Xpoc1.swp'
> ++  call filecopy(sample, target)
> ++  try
> ++    sil recover! Xpoc1
> ++  catch /^Vim\%((\S\+)\)\=:E1364:/
> ++  endtry
> ++  let content = getline(1, '$')->join()
> ++  call assert_match('???ILLEGAL BLOCK NUMBER', content)
> ++  call delete(target)
> ++  bw!
> ++"
> ++"  " Test 2: Segfault
> ++  new
> ++  let sample = 'samples/recover-crash2.swp'
> ++  let target = 'Xpoc2.swp'
> ++  call filecopy(sample, target)
> ++  try
> ++    sil recover! Xpoc2
> ++  catch /^Vim\%((\S\+)\)\=:E1364:/
> ++  endtry
> ++  let content = getline(1, '$')->join()
> ++  call assert_match('???ILLEGAL BLOCK NUMBER', content)
> ++  call assert_match('???LINES MISSING', content)
> ++  call delete(target)
> ++  bw!
> ++endfunc
> ++
> + " vim: shiftwidth=2 sts=2 expandtab
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/vim/files/CVE-2026-41411.patch 
> b/meta/recipes-support/vim/files/CVE-2026-41411.patch
> new file mode 100644
> index 0000000000..85139dc1f6
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-41411.patch
> @@ -0,0 +1,75 @@
> +From c78194e41d5a0b05b0ddf383b6679b1503f977fb Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Wed, 15 Apr 2026 20:17:17 +0000
> +Subject: [PATCH] patch 9.2.0357: [security]: command injection via backticks
> + in tag files
> +
> +Problem:  [security]: command injection via backticks in tag files
> +          (Srinivas Piskala Ganesh Babu, Andy Ngo)
> +Solution: Disallow backticks before attempting to expand filenames.
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8
> +
> +Supported by AI
> +
> +Signed-off-by: Christian Brabandt <[email protected]>
> +
> +CVE: CVE-2026-41411
> +Upstream-Status: Backport from 
> [https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb]
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + src/tag.c                    |  4 +++-
> + src/testdir/test_tagjump.vim | 22 ++++++++++++++++++++++
> + 2 files changed, 25 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/tag.c b/src/tag.c
> +index d3a7399..0e203f0 100644
> +--- a/src/tag.c
> ++++ b/src/tag.c
> +@@ -4126,8 +4126,10 @@ expand_tag_fname(char_u *fname, char_u *tag_fname, 
> int expand)
> + 
> +     /*
> +      * Expand file name (for environment variables) when needed.
> ++     * Disallow backticks, they could execute arbitrary shell
> ++     * commands.  This is not needed for tag filenames.
> +      */
> +-    if (expand && mch_has_wildcard(fname))
> ++    if (expand && mch_has_wildcard(fname) && vim_strchr(fname, '`') == NULL)
> +     {
> +     ExpandInit(&xpc);
> +     xpc.xp_context = EXPAND_FILES;
> +diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
> +index 47618d0..a95b8b5 100644
> +--- a/src/testdir/test_tagjump.vim
> ++++ b/src/testdir/test_tagjump.vim
> +@@ -1670,4 +1670,26 @@ func Test_tag_excmd_with_number_vim9script()
> +   bwipe!
> + endfunc
> + 
> ++" Test that backtick expressions in tag filenames are not expanded.
> ++" This prevents command injection via malicious tags files.
> ++func Test_tag_backtick_filename_not_expanded()
> ++  let pwned_file = 'Xtags_pwnd'
> ++  call assert_false(filereadable(pwned_file))
> ++
> ++  let tagline = "main\t`touch " .. pwned_file .. "`\t/^int main/;\"\tf"
> ++  call writefile([tagline], 'Xbt_tags', 'D')
> ++  call writefile(['int main(int argc, char **argv) {', '}'], 'Xbt_main.c', 
> 'D')
> ++
> ++  set tags=Xbt_tags
> ++  sp Xbt_main.c
> ++
> ++  " The :tag command should fail to find the file, but must NOT execute
> ++  " the backtick shell command.
> ++  call assert_fails('tag main', 'E429:')
> ++  call assert_false(filereadable(pwned_file))
> ++
> ++  set tags&
> ++  bwipe!
> ++endfunc
> ++
> + " vim: shiftwidth=2 sts=2 expandtab
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/vim/files/CVE-2026-44656.patch 
> b/meta/recipes-support/vim/files/CVE-2026-44656.patch
> new file mode 100644
> index 0000000000..57278c08da
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-44656.patch
> @@ -0,0 +1,130 @@
> +From 190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0 Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Sun, 3 May 2026 16:10:03 +0000
> +Subject: [PATCH] patch 9.2.0435: [security]: backticks in 'path' may cause
> + shell execution on completion
> +
> +Problem:  [security]: Backticks enclosed shell commands in the 'path'
> +          option value are executed during completion (q1uf3ng).
> +Solution: Skip path entries containing backticks, add P_SECURE to 'path'
> +          option, so that it cannot be set from a modeline (for symmetry with
> +          the 'cdpath' option)
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg
> +
> +Supported by AI.
> +
> +Signed-off-by: Christian Brabandt <[email protected]>
> +
> +CVE: CVE-2026-44656
> +Upstream-Status: Backport from 
> [https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0]
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + runtime/doc/options.txt            |  5 ++++-
> + src/findfile.c                     |  4 ++++
> + src/optiondefs.h                   |  2 +-
> + src/testdir/test_find_complete.vim | 17 +++++++++++++++++
> + src/testdir/test_modeline.vim      | 14 ++++++++++++++
> + 5 files changed, 40 insertions(+), 2 deletions(-)
> +
> +diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
> +index 8dba6f4..d06411f 100644
> +--- a/runtime/doc/options.txt
> ++++ b/runtime/doc/options.txt
> +@@ -1,4 +1,4 @@
> +-*options.txt*       For Vim version 9.1.  Last change: 2025 Aug 23
> ++*options.txt*       For Vim version 9.2.  Last change: 2026 May 03
> + 
> + 
> +               VIM REFERENCE MANUAL    by Bram Moolenaar
> +@@ -6615,6 +6615,9 @@ A jump table for the options with a short description 
> can be found at |Q_op|.
> + <   Replace the ';' with a ':' or whatever separator is used.  Note that
> +     this doesn't work when $INCL contains a comma or white space.
> + 
> ++    This option cannot be set from a |modeline| or in the |sandbox|, for
> ++    security reasons.
> ++
> +                                             *'perldll'*
> + 'perldll'           string  (default depends on the build)
> +                     global
> +diff --git a/src/findfile.c b/src/findfile.c
> +index 008338c..f73a66b 100644
> +--- a/src/findfile.c
> ++++ b/src/findfile.c
> +@@ -2412,6 +2412,10 @@ expand_path_option(
> +     {
> +     buflen = copy_option_part(&path_option, buf, MAXPATHL, " ,");
> + 
> ++    // do not expand backticks, could have been set via a modeline
> ++    if (vim_strchr(buf, '`') != NULL)
> ++        continue;
> ++
> +     if (buf[0] == '.' && (buf[1] == NUL || vim_ispathsep(buf[1])))
> +     {
> +         size_t  plen;
> +diff --git a/src/optiondefs.h b/src/optiondefs.h
> +index bd02d04..72d3f36 100644
> +--- a/src/optiondefs.h
> ++++ b/src/optiondefs.h
> +@@ -1957,7 +1957,7 @@ static struct vimoption options[] =
> +                         (char_u *)&p_pm, PV_NONE,
> +                         did_set_backupext_or_patchmode, NULL,
> +                         {(char_u *)"", (char_u *)0L} SCTX_INIT},
> +-    {"path",            "pa",   P_STRING|P_EXPAND|P_VI_DEF|P_COMMA|P_NODUP,
> ++    {"path",            "pa",   
> P_STRING|P_EXPAND|P_VI_DEF|P_SECURE|P_COMMA|P_NODUP,
> +                         (char_u *)&p_path, PV_PATH, NULL, NULL,
> +                         {
> + #if defined(AMIGA) || defined(MSWIN)
> +diff --git a/src/testdir/test_find_complete.vim 
> b/src/testdir/test_find_complete.vim
> +index 079fb78..8b8b71c 100644
> +--- a/src/testdir/test_find_complete.vim
> ++++ b/src/testdir/test_find_complete.vim
> +@@ -161,4 +161,21 @@ func Test_find_complete()
> +   set path&
> + endfunc
> + 
> ++" Verify that backticks in 'path' are not executed
> ++func Test_find_completion_backtick_in_path()
> ++  CheckUnix
> ++  CheckExecutable id
> ++
> ++  new Xpoc.c
> ++  setl path+=`id>Xrce_marker`
> ++  " Triggering completion must not execute the backtick command.
> ++  call getcompletion('', 'file_in_path')
> ++  call assert_false(filereadable('Xrce_marker'))
> ++  call feedkeys(":find \t\n", "xt")
> ++  call assert_false(filereadable('Xrce_marker'))
> ++
> ++  bwipe!
> ++  call delete('Xrce_marker')
> ++endfunc
> ++
> + " vim: shiftwidth=2 sts=2 expandtab
> +diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
> +index c00032b..fc11cc6 100644
> +--- a/src/testdir/test_modeline.vim
> ++++ b/src/testdir/test_modeline.vim
> +@@ -386,4 +386,18 @@ func Test_modeline_forbidden()
> +   bw!
> + endfunc
> + 
> ++" Verify that backticks in 'path' set from a modeline are not executed
> ++func Test_path_modeline()
> ++  let lines =<< trim END
> ++    // vim: set path+=foobar :
> ++  END
> ++  call writefile(lines, 'Xpoc.c', 'D')
> ++
> ++  set nomodelinestrict modeline
> ++  call assert_fails('split Xpoc.c', 'E520:')
> ++
> ++  bwipe!
> ++  set modelinestrict& modeline&
> ++endfunc
> ++
> + " vim: shiftwidth=2 sts=2 expandtab
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/vim/vim.inc 
> b/meta/recipes-support/vim/vim.inc
> index 0b7a831eed..3a988fbe7d 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -25,6 +25,9 @@ SRC_URI = 
> "git://github.com/vim/vim.git;branch=master;protocol=https \
>             file://CVE-2026-34714.patch \
>             file://CVE-2026-39881.patch \
>             file://CVE-2026-35177.patch \
> +           file://CVE-2026-44656.patch \
> +           file://CVE-2026-41411.patch \
> +           file://CVE-2026-28421.patch \
>             "
>  
>  PV .= ".1683"


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239664): 
https://lists.openembedded.org/g/openembedded-core/message/239664
Mute This Topic: https://lists.openembedded.org/mt/119880693/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to