On Mon Jun 22, 2026 at 7:58 AM CEST, Hitendra Prajapati via 
lists.openembedded.org wrote:
> Pick patch from [1], [2] & [3] also mentioned at NVD report in [4,5 & 6]
>
> [1] https://github.com/vim/vim/commit/79348dbbc09332130f4c86045e1541d68514fcc1
> [2] https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec
> [3] https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8
> [4] https://nvd.nist.gov/vuln/detail/CVE-2026-28417
> [5] https://nvd.nist.gov/vuln/detail/CVE-2026-32249
> [6] https://nvd.nist.gov/vuln/detail/CVE-2026-45130

Hello,

CVE-2026-45130 impacts wrynose and a patch must be sent for wrynose
before the fix can be merged on scarthgap.

Regards,

>
> Signed-off-by: Hitendra Prajapati <[email protected]>
> ---
>  .../vim/files/CVE-2026-28417.patch            |  92 ++++++++++++++
>  .../vim/files/CVE-2026-32249.patch            | 117 ++++++++++++++++++
>  .../vim/files/CVE-2026-45130.patch            | 115 +++++++++++++++++
>  meta/recipes-support/vim/vim.inc              |   3 +
>  4 files changed, 327 insertions(+)
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-28417.patch
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-32249.patch
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-45130.patch
>
> diff --git a/meta/recipes-support/vim/files/CVE-2026-28417.patch 
> b/meta/recipes-support/vim/files/CVE-2026-28417.patch
> new file mode 100644
> index 0000000000..6598323c41
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-28417.patch
> @@ -0,0 +1,92 @@
> +From 79348dbbc09332130f4c86045e1541d68514fcc1 Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Sun, 22 Feb 2026 21:24:48 +0000
> +Subject: [PATCH] patch 9.2.0073: [security]: possible command injection using
> + netrw
> +
> +Problem:  [security]: Insufficient validation of hostname and port in
> +          netrw URIs allows command injection via shell metacharacters
> +          (ehdgks0627, un3xploitable).
> +Solution: Implement stricter RFC1123 hostname and IP validation.
> +          Use shellescape() for the provided hostname and port.
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336
> +
> +Signed-off-by: Christian Brabandt <[email protected]>
> +
> +Upstream-Status: Backport from 
> [https://github.com/vim/vim/commit/79348dbbc09332130f4c86045e1541d68514fcc1]
> +CVE: CVE-2026-28417
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + .../pack/dist/opt/netrw/autoload/netrw.vim    | 34 +++++++++++++------
> + 1 file changed, 24 insertions(+), 10 deletions(-)
> +
> +diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim 
> b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
> +index 1c98104..7ebcd92 100644
> +--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
> ++++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
> +@@ -5,6 +5,7 @@
> + " 2025 Aug 07 by Vim Project (use correct "=~#" for netrw_stylesize option 
> #17901)
> + " 2025 Aug 07 by Vim Project (netrw#BrowseX() distinguishes remote files 
> #17794)
> + " 2025 Aug 22 by Vim Project netrw#Explore handle terminal correctly #18069
> ++" 2026 Feb 27 by Vim Project Make the hostname validation more strict
> + " Copyright:  Copyright (C) 2016 Charles E. Campbell {{{1
> + "             Permission is hereby granted to use and distribute this code,
> + "             with or without modifications, provided that this copyright
> +@@ -2575,13 +2576,26 @@ endfunction
> + 
> + " s:NetrwValidateHostname:  Validate that the hostname is valid {{{2
> + " Input:
> +-"   hostname
> ++"   hostname, may include an optional username, e.g. user@hostname
> ++"   allow a alphanumeric hostname or an IPv(4/6) address
> + " Output:
> + "  true if g:netrw_machine is valid according to RFC1123 #Section 2
> + function s:NetrwValidateHostname(hostname)
> +-    " RFC1123#section-2 mandates, a valid hostname starts with letters or 
> digits
> +-    " so reject everyhing else
> +-    return a:hostname =~? '^[a-z0-9]'
> ++  " Username:
> ++  let user_pat = '\%([a-zA-Z0-9._-]\+@\)\?'
> ++  " Hostname: 1-64 chars, alphanumeric/dots/hyphens.
> ++  " No underscores. No leading/trailing dots/hyphens.
> ++  let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]{,62}[a-zA-Z0-9]\)\?$'
> ++
> ++  " IPv4: 1-3 digits separated by dots
> ++  let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}$'
> ++
> ++  " IPv6: Hex, colons, and optional brackets
> ++  let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?$'
> ++
> ++  return a:hostname =~? '^'.user_pat.host_pat ||
> ++       \ a:hostname =~? '^'.user_pat.ipv4_pat ||
> ++       \ a:hostname =~? '^'.user_pat.ipv6_pat
> + endfunction
> + 
> + " NetUserPass: set username and password for subsequent ftp transfer {{{2
> +@@ -8948,15 +8962,15 @@ endfunction
> + " s:MakeSshCmd: transforms input command using USEPORT HOSTNAME into {{{2
> + "               a correct command for use with a system() call
> + function s:MakeSshCmd(sshcmd)
> +-    if s:user == ""
> +-        let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',s:machine,'')
> +-    else
> +-        let sshcmd = 
> substitute(a:sshcmd,'\<HOSTNAME\>',s:user."@".s:machine,'')
> ++    let machine = shellescape(s:machine, 1)
> ++    if s:user != ''
> ++        let machine    = shellescape(s:user, 1).'@'.machine
> +     endif
> ++    let sshcmd = substitute(a:sshcmd,'\<HOSTNAME\>',machine,'')
> +     if exists("g:netrw_port") && g:netrw_port != ""
> +-        let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' 
> '.g:netrw_port,'')
> ++        let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' 
> '.shellescape(g:netrw_port,1),'')
> +     elseif exists("s:port") && s:port != ""
> +-        let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' 
> '.s:port,'')
> ++        let sshcmd= substitute(sshcmd,"USEPORT",g:netrw_sshport.' 
> '.shellescape(s:port,1),'')
> +     else
> +         let sshcmd= substitute(sshcmd,"USEPORT ",'','')
> +     endif
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/vim/files/CVE-2026-32249.patch 
> b/meta/recipes-support/vim/files/CVE-2026-32249.patch
> new file mode 100644
> index 0000000000..841db9e016
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-32249.patch
> @@ -0,0 +1,117 @@
> +From 36d6e87542cf823d833e451e09a90ee429899cec Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Wed, 11 Mar 2026 14:16:29 +0100
> +Subject: [PATCH] patch 9.2.0137: [security]: crash with composing char in
> + collection range
> +
> +Problem:  Using a composing character as the end of a range inside a
> +          collection may corrupt the NFA postfix stack
> +          (Nathan Mills, after v9.1.0011)
> +Solution: When a character is used as the endpoint of a range, do not emit
> +          its composing characters separately. Range handling only uses
> +          the base codepoint.
> +
> +supported by AI
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r
> +
> +Signed-off-by: Christian Brabandt <[email protected]>
> +
> +Upstream-Status: Backport from 
> [https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec]
> +CVE: CVE-2026-32249
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + src/regexp_nfa.c                 | 17 +++++++++++++++--
> + src/testdir/test_regexp_utf8.vim | 19 +++++++++++++++++++
> + 2 files changed, 34 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
> +index 6ad682b..7905ec1 100644
> +--- a/src/regexp_nfa.c
> ++++ b/src/regexp_nfa.c
> +@@ -1765,6 +1765,7 @@ collection:
> +         if (*endp == ']')
> +         {
> +             int plen;
> ++            bool range_endpoint;
> +             /*
> +              * Try to reverse engineer character classes. For example,
> +              * recognize that [0-9] stands for \d and [A-Za-z_] for \h,
> +@@ -1812,6 +1813,7 @@ collection:
> +             while (regparse < endp)
> +             {
> +                 int     oldstartc = startc;
> ++                range_endpoint = false;
> + 
> +                 startc = -1;
> +                 got_coll_char = FALSE;
> +@@ -1975,6 +1977,7 @@ collection:
> +                 if (emit_range)
> +                 {
> +                     int     endc = startc;
> ++                    range_endpoint = true;
> + 
> +                     startc = oldstartc;
> +                     if (startc > endc)
> +@@ -2053,7 +2056,14 @@ collection:
> +                     }
> +                 }
> + 
> +-                if (enc_utf8 && (utf_ptr2len(regparse) != (plen = 
> utfc_ptr2len(regparse))))
> ++                //
> ++                // If this character was consumed as the end of a range, do 
> not emit its
> ++                // composing characters separately.  Range handling only 
> uses the base
> ++                // codepoint; emitting the composing part again would 
> duplicate the
> ++                // character in the postfix stream and corrupt the NFA 
> stack.
> ++                //
> ++                if (!range_endpoint && enc_utf8 &&
> ++                        (utf_ptr2len(regparse) != (plen = 
> utfc_ptr2len(regparse))))
> +                 {
> +                     int i = utf_ptr2len(regparse);
> + 
> +@@ -3187,7 +3197,10 @@ nfa_max_width(nfa_state_T *startstate, int depth)
> +                 ++len;
> +             if (state->c != NFA_ANY)
> +             {
> +-                // skip over the characters
> ++                // Skip over the compiled collection.
> ++                // malformed NFAs must not crash width estimation.
> ++                if (state->out1 == NULL || state->out1->out == NULL)
> ++                    return -1;
> +                 state = state->out1->out;
> +                 continue;
> +             }
> +diff --git a/src/testdir/test_regexp_utf8.vim 
> b/src/testdir/test_regexp_utf8.vim
> +index a4353f1..3b58416 100644
> +--- a/src/testdir/test_regexp_utf8.vim
> ++++ b/src/testdir/test_regexp_utf8.vim
> +@@ -615,6 +615,25 @@ func Test_search_multibyte_match_ascii()
> +     call assert_equal(['ſſ','ſ'], noic_match3, "No-Ignorecase Collection 
> Regex-engine: " .. &re)
> +   endfor
> +   bw!
> ++  set ignorecase&vim re&vim
> ++endfun
> ++
> ++func Test_regex_collection_range_with_composing_crash()
> ++  " Regression test: composing char in collection range caused NFA 
> crash/E874
> ++  new
> ++  call setline(1, ['00', '0ֻ', '01'])
> ++  let patterns = [ '0[0-0ֻ]\@<!','0[0ֻ]\@<!']
> ++
> ++  for pat in patterns
> ++    " Should compile and execute without crash or error
> ++    for re in range(3)
> ++      let regex = '\%#=' .. re .. pat
> ++      call search(regex)
> ++      call assert_fails($"/{regex}\<cr>", 'E486:')
> ++    endfor
> ++  endfor
> ++
> ++  bwipe!
> + endfunc
> + 
> + " vim: shiftwidth=2 sts=2 expandtab
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/vim/files/CVE-2026-45130.patch 
> b/meta/recipes-support/vim/files/CVE-2026-45130.patch
> new file mode 100644
> index 0000000000..f44dfd66d6
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-45130.patch
> @@ -0,0 +1,115 @@
> +From 92993329178cb1f72d700fff45ca86e1c2d369f8 Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Wed, 6 May 2026 20:50:00 +0200
> +Subject: [PATCH] patch 9.2.0450: [security]: heap buffer overflow in
> + spellfile.c read_compound()
> +
> +Problem:  read_compound() in spellfile.c computes the size of the regex
> +          pattern buffer using signed-int arithmetic on the attacker
> +          controlled SN_COMPOUND sectionlen.  With sectionlen=0x40000008
> +          and UTF-8 encoding active the multiplication wraps to 27 while
> +          the per-byte loop writes up to ~1B bytes, overflowing the heap.
> +          Reachable when loading a crafted .spl file (e.g. via 'set spell'
> +          after a modeline sets 'spelllang').  The cp/ap/crp allocations
> +          have the same int + 1 overflow class (Daniel Cervera)
> +Solution: Use type size_t as buffer size and reject values larger than
> +          COMPOUND_MAX_LEN (100000).  Apply the same size_t treatment to
> +          the cp/ap/crp allocations.
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv
> +
> +Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
> +Signed-off-by: Christian Brabandt <[email protected]>
> +
> +Upstream-Status: Backport from 
> [https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8]
> +CVE: CVE-2026-45130
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + src/spellfile.c                | 20 ++++++++++++++------
> + src/testdir/test_spellfile.vim |  4 ++++
> + 2 files changed, 18 insertions(+), 6 deletions(-)
> +
> +diff --git a/src/spellfile.c b/src/spellfile.c
> +index 0b9536d..768e9fd 100644
> +--- a/src/spellfile.c
> ++++ b/src/spellfile.c
> +@@ -296,6 +296,9 @@
> + #define CF_WORD             0x01
> + #define CF_UPPER    0x02
> + 
> ++// Max allowed length for COMPOUND section
> ++#define COMPOUND_MAX_LEN    100000
> ++
> + /*
> +  * Loop through all the siblings of a node (including the node)
> +  */
> +@@ -1225,6 +1228,8 @@ read_compound(FILE *fd, slang_T *slang, int len)
> +     char_u  *crp;
> +     int             cnt;
> +     garray_T        *gap;
> ++    size_t  patsize;
> ++    size_t  flagsize;
> + 
> +     if (todo < 2)
> +     return SP_FORMERROR;    // need at least two bytes
> +@@ -1281,16 +1286,19 @@ read_compound(FILE *fd, slang_T *slang, int len)
> +     // "a[bc]/a*b+" -> "^\(a[bc]\|a*b\+\)$".
> +     // Inserting backslashes may double the length, "^\(\)$<Nul>" is 7 
> bytes.
> +     // Conversion to utf-8 may double the size.
> +-    c = todo * 2 + 7;
> ++    if ((size_t)todo > COMPOUND_MAX_LEN)
> ++    return SP_FORMERROR;
> ++    patsize = (size_t)todo * 2 + 7;
> +     if (enc_utf8)
> +-    c += todo * 2;
> +-    pat = alloc(c);
> ++    patsize += (size_t)todo * 2;
> ++    flagsize = (size_t)todo + 1;
> ++    pat = alloc(patsize);
> +     if (pat == NULL)
> +     return SP_OTHERERROR;
> + 
> +     // We also need a list of all flags that can appear at the start and one
> +     // for all flags.
> +-    cp = alloc(todo + 1);
> ++    cp = alloc(flagsize);
> +     if (cp == NULL)
> +     {
> +     vim_free(pat);
> +@@ -1299,7 +1307,7 @@ read_compound(FILE *fd, slang_T *slang, int len)
> +     slang->sl_compstartflags = cp;
> +     *cp = NUL;
> + 
> +-    ap = alloc(todo + 1);
> ++    ap = alloc(flagsize);
> +     if (ap == NULL)
> +     {
> +     vim_free(pat);
> +@@ -1311,7 +1319,7 @@ read_compound(FILE *fd, slang_T *slang, int len)
> +     // And a list of all patterns in their original form, for checking 
> whether
> +     // compounding may work in match_compoundrule().  This is freed when we
> +     // encounter a wildcard, the check doesn't work then.
> +-    crp = alloc(todo + 1);
> ++    crp = alloc(flagsize);
> +     slang->sl_comprules = crp;
> + 
> +     pp = pat;
> +diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
> +index b72974e..d345492 100644
> +--- a/src/testdir/test_spellfile.vim
> ++++ b/src/testdir/test_spellfile.vim
> +@@ -334,6 +334,10 @@ func Test_spellfile_format_error()
> +   " SN_COMPOUND: incorrect comppatlen
> +   call Spellfile_Test(0z080000000007040101000000020165, 'E758:')
> + 
> ++  " SN_COMPOUND: oversized sectionlen
> ++  let v = eval('0z08004000000803010161' .. repeat('61', 50) .. 'FF')
> ++  call Spellfile_Test(v, 'E759:')
> ++
> +   " SN_INFO: missing info
> +   call Spellfile_Test(0z0F0000000005040101, '')
> + 
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/vim/vim.inc 
> b/meta/recipes-support/vim/vim.inc
> index 3a988fbe7d..262833ea33 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -28,6 +28,9 @@ SRC_URI = 
> "git://github.com/vim/vim.git;branch=master;protocol=https \
>             file://CVE-2026-44656.patch \
>             file://CVE-2026-41411.patch \
>             file://CVE-2026-28421.patch \
> +           file://CVE-2026-32249.patch \
> +           file://CVE-2026-28417.patch \
> +           file://CVE-2026-45130.patch \
>             "
>  
>  PV .= ".1683"


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239665): 
https://lists.openembedded.org/g/openembedded-core/message/239665
Mute This Topic: https://lists.openembedded.org/mt/119920115/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to