On Mon Jun 22, 2026 at 2:25 PM CEST, Hitendra Prajapati via 
lists.openembedded.org wrote:
> Pick patch from [1] & [2] also mentioned at NVD report in 3 & 4
>
> [1] https://github.com/vim/vim/commit/bb6de2105b160e729c340631435cd62f3e69bd32
> [2] https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
> [3] https://nvd.nist.gov/vuln/detail/CVE-2026-28420
> [4] https://nvd.nist.gov/vuln/detail/CVE-2026-46483

Hello,

CVE-2026-46483 impacts wrynose and a patch must be sent for wrynose
before the fix can be merged on scarthgap.

Regards,

>
> Signed-off-by: Hitendra Prajapati <[email protected]>
> ---
>  .../vim/files/CVE-2026-28420.patch            | 162 ++++++++++++++++++
>  .../vim/files/CVE-2026-46483.patch            |  77 +++++++++
>  meta/recipes-support/vim/vim.inc              |   2 +
>  3 files changed, 241 insertions(+)
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-28420.patch
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-46483.patch
>
> diff --git a/meta/recipes-support/vim/files/CVE-2026-28420.patch 
> b/meta/recipes-support/vim/files/CVE-2026-28420.patch
> new file mode 100644
> index 0000000000..72e87d470a
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-28420.patch
> @@ -0,0 +1,162 @@
> +From bb6de2105b160e729c340631435cd62f3e69bd32 Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Mon, 23 Feb 2026 20:29:43 +0000
> +Subject: [PATCH] patch 9.2.0076: [security]: buffer-overflow in terminal
> + handling
> +
> +Problem:  When processing terminal output with many combining characters
> +          from supplementary planes (4-byte UTF-8), a heap-buffer
> +          overflow occurs. Additionally, the loop iterating over
> +          cell characters can read past the end of the vterm array
> +          (ehdgks0627, un3xploitable).
> +Solution: Use VTERM_MAX_CHARS_PER_CELL * 4 for ga_grow() to ensure
> +          sufficient space. Add a boundary check to the character
> +          loop to prevent index out-of-bounds access.
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg
> +
> +Signed-off-by: Christian Brabandt <[email protected]>
> +
> +Upstream-Status: Backport from 
> [https://github.com/vim/vim/commit/bb6de2105b160e729c340631435cd62f3e69bd32]
> +CVE: CVE-2026-28420
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + src/terminal.c                                |  5 +-
> + .../samples/terminal_max_combining_chars.txt  | 80 +++++++++++++++++++
> + src/testdir/test_terminal3.vim                | 14 ++++
> + 3 files changed, 97 insertions(+), 2 deletions(-)
> + create mode 100644 src/testdir/samples/terminal_max_combining_chars.txt
> +
> +diff --git a/src/terminal.c b/src/terminal.c
> +index 921b234..78990ac 100644
> +--- a/src/terminal.c
> ++++ b/src/terminal.c
> +@@ -3533,12 +3533,13 @@ handle_pushline(int cols, const VTermScreenCell 
> *cells, void *user)
> +     {
> +     for (col = 0; col < len; col += cells[col].width)
> +     {
> +-        if (ga_grow(&ga, MB_MAXBYTES) == FAIL)
> ++        if (ga_grow(&ga, VTERM_MAX_CHARS_PER_CELL * 4) == FAIL)
> +         {
> +             ga.ga_len = 0;
> +             break;
> +         }
> +-        for (i = 0; (c = cells[col].chars[i]) > 0 || i == 0; ++i)
> ++        for (i = 0; i < VTERM_MAX_CHARS_PER_CELL &&
> ++                ((c = cells[col].chars[i]) > 0 || i == 0); ++i)
> +             ga.ga_len += utf_char2bytes(c == NUL ? ' ' : c,
> +                     (char_u *)ga.ga_data + ga.ga_len);
> +         cell2cellattr(&cells[col], &p[col]);
> +diff --git a/src/testdir/samples/terminal_max_combining_chars.txt 
> b/src/testdir/samples/terminal_max_combining_chars.txt
> +new file mode 100644
> +index 0000000..a4f508d
> +--- /dev/null
> ++++ b/src/testdir/samples/terminal_max_combining_chars.txt
> +@@ -0,0 +1,80 @@
> ++padding line 000
> ++padding line 001
> ++padding line 002
> ++padding line 003
> ++padding line 004
> ++padding line 005
> ++padding line 006
> ++padding line 007
> ++padding line 008
> ++padding line 009
> ++padding line 010
> ++padding line 011
> ++padding line 012
> ++padding line 013
> ++padding line 014
> ++padding line 015
> ++padding line 016
> ++padding line 017
> ++padding line 018
> ++padding line 019
> ++padding line 020
> ++padding line 021
> ++padding line 022
> ++padding line 023
> ++padding line 024
> ++padding line 025
> ++padding line 026
> ++padding line 027
> ++padding line 028
> ++padding line 029
> ++padding line 030
> ++padding line 031
> ++padding line 032
> ++padding line 033
> ++padding line 034
> ++padding line 035
> ++padding line 036
> ++padding line 037
> ++padding line 038
> ++padding line 039
> ++padding line 040
> ++padding line 041
> ++padding line 042
> ++padding line 043
> ++padding line 044
> ++padding line 045
> ++padding line 046
> ++padding line 047
> ++padding line 048
> ++padding line 049
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> ++AAAAAAAAAAAAAAAAAAAAAAAAAAAA𐀀󠄀󠄁󠄂󠄃󠄄
> +diff --git a/src/testdir/test_terminal3.vim b/src/testdir/test_terminal3.vim
> +index 218b4e6..cb1946f 100644
> +--- a/src/testdir/test_terminal3.vim
> ++++ b/src/testdir/test_terminal3.vim
> +@@ -1037,4 +1037,18 @@ func Test_terminal_visual_empty_listchars()
> +   call StopVimInTerminal(buf)
> + endfunc
> + 
> ++func Test_terminal_max_combining_chars()
> ++  " somehow doesn't work on MS-Windows
> ++  CheckUnix
> ++  let cmd = "cat samples/terminal_max_combining_chars.txt\<CR>"
> ++  let buf = Run_shell_in_terminal({'term_rows': 15, 'term_cols': 35})
> ++  call TermWait(buf)
> ++  call term_sendkeys(buf, cmd)
> ++  " last char is a space with many combining chars
> ++  call WaitForAssert({-> assert_match("AAAAAAAAAAAAAAAAAAAAAAAAAAAA.", 
> term_getline(buf, 14))})
> ++
> ++  call term_sendkeys(buf, "exit\r")
> ++  exe buf . "bwipe!"
> ++endfunc
> ++
> + " vim: shiftwidth=2 sts=2 expandtab
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/vim/files/CVE-2026-46483.patch 
> b/meta/recipes-support/vim/files/CVE-2026-46483.patch
> new file mode 100644
> index 0000000000..d28402cc67
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-46483.patch
> @@ -0,0 +1,77 @@
> +From 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Thu, 14 May 2026 15:35:28 +0000
> +Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection
> + in tar plugin
> +
> +Problem:  [security]: runtime(tar): command injection in tar plugin
> +          (Christopher Lusk)
> +Solution: Use the correct shellescape(args, 1) form for a :! command
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
> +
> +Signed-off-by: Christian Brabandt <[email protected]>
> +
> +Upstream-Status: Backport from 
> [https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1]
> +CVE: CVE-2026-46483
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + runtime/autoload/tar.vim        |  5 +++--
> + src/testdir/test_plugin_tar.vim | 19 +++++++++++++++++++
> + 2 files changed, 22 insertions(+), 2 deletions(-)
> +
> +diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
> +index 74a5b38..95d2be0 100644
> +--- a/runtime/autoload/tar.vim
> ++++ b/runtime/autoload/tar.vim
> +@@ -18,6 +18,7 @@
> + "   2025 May 19 by Vim Project: restore working directory after read/write
> + "   2025 Jul 13 by Vim Project: warn with path traversal attacks
> + "   2025 Jul 16 by Vim Project: update minimum vim version
> ++"   2026 May 14 by Vim Project: use correct shellescape() call in Vimuntar()
> + "
> + "   Contains many ideas from Michael Toren's <tar.vim>
> + "
> +@@ -800,9 +801,9 @@ fun! tar#Vimuntar(...)
> +   " if necessary, decompress the tarball; then, extract it
> +   if tartail =~ '\.tgz'
> +    if executable("gunzip")
> +-    silent exe "!gunzip ".shellescape(tartail)
> ++    silent exe "!gunzip ".shellescape(tartail, 1)
> +    elseif executable("gzip")
> +-    silent exe "!gzip -d ".shellescape(tartail)
> ++    silent exe "!gzip -d ".shellescape(tartail, 1)
> +    else
> +     echoerr "unable to decompress<".tartail."> on this system"
> +     if simplify(curdir) != simplify(tarhome)
> +diff --git a/src/testdir/test_plugin_tar.vim 
> b/src/testdir/test_plugin_tar.vim
> +index ebf74d7..8e776a4 100644
> +--- a/src/testdir/test_plugin_tar.vim
> ++++ b/src/testdir/test_plugin_tar.vim
> +@@ -126,3 +126,22 @@ def g:Test_tar_evil()
> + 
> +   bw!
> + enddef
> ++
> ++def g:Test_extract_command_injection()
> ++  CheckExecutable gunzip
> ++  CheckExecutable touch
> ++  var tgz = 
> eval('0z1F8B08087795056A000364756D6D792E74617200EDCE2B12C2300004D01C254' ..
> ++   
> '7480269CE534080A8495BD1DBF3996106C3A08A7ACFACD8157B59A7690BFB4A0FC3707C666E357D'
>  ..
> ++   
> 'E65BC8B5A47CC8A5D61A522EA5B510D3CEBF5ED679197B8CE17CEDB7F9D4C76FBB5F3D000000000'
>  ..
> ++   '000000000FCD11D32415E2C00280000')
> ++  var dirname = tempname()
> ++
> ++  mkdir(dirname, 'R')
> ++  var tar = dirname .. "/';%$(touch pwned)'.tgz"
> ++  writefile(tgz, tar)
> ++  new
> ++  exe "e " .. fnameescape(tar)
> ++  exe ":Vimuntar " .. dirname
> ++  assert_false(filereadable(dirname .. "/pwned"))
> ++  bw!
> ++enddef
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/vim/vim.inc 
> b/meta/recipes-support/vim/vim.inc
> index 262833ea33..95d00a09bd 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -31,6 +31,8 @@ SRC_URI = 
> "git://github.com/vim/vim.git;branch=master;protocol=https \
>             file://CVE-2026-32249.patch \
>             file://CVE-2026-28417.patch \
>             file://CVE-2026-45130.patch \
> +           file://CVE-2026-46483.patch \
> +           file://CVE-2026-28420.patch \
>             "
>  
>  PV .= ".1683"


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239666): 
https://lists.openembedded.org/g/openembedded-core/message/239666
Mute This Topic: https://lists.openembedded.org/mt/119922632/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to