From caff32bc190aef5abc2d8b493b46b7958b28dd3e Mon Sep 17 00:00:00 2001
From: pkgagent
Date: Wed, 6 May 2026 10:43:08 +0800
Subject: [PATCH 1/2] fix CVE-2026-41411
---
 vim-9.0.2092-CVE-2026-41411.patch | 85 +++++++++++++++++++++++++++++++
 vim.spec | 2 +
 2 files changed, 87 insertions(+)
 create mode 100644 vim-9.0.2092-CVE-2026-41411.patch
diff --git a/vim-9.0.2092-CVE-2026-41411.patch b/vim-9.0.2092-CVE-2026-41411.patch
new file mode 100644
index 0000000..a3b0953
--- /dev/null
+++ b/vim-9.0.2092-CVE-2026-41411.patch
@@ -0,0 +1,85 @@
+From c78194e41d5a0b05b0ddf383b6679b1503f977fb Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Wed, 15 Apr 2026 20:17:17 +0000
+Subject: [PATCH] patch 9.2.0357: [security]: command injection via backticks
+ in tag files
+
+Problem: [security]: command injection via backticks in tag files
+ (Srinivas Piskala Ganesh Babu, Andy Ngo)
+Solution: Disallow backticks before attempting to expand filenames.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8
+
+Supported by AI
+
+Signed-off-by: Christian Brabandt
+
+Adapted-by: PkgAgent (modified to adapt to opencloudos-stream)
+
+---
+ src/tag.c | 4 +++-
+ src/testdir/test_tagjump.vim | 22 ++++++++++++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/src/tag.c b/src/tag.c
+index 6d9e66b..3bbde8a 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -4098,8 +4098,10 @@ expand_tag_fname(char_u *fname, char_u *tag_fname, int expand)
+
+ /*
+ * Expand file name (for environment variables) when needed.
++ * Disallow backticks, they could execute arbitrary shell
++ * commands. This is not needed for tag filenames.
+ */
+- if (expand && mch_has_wildcard(fname))
++ if (expand && mch_has_wildcard(fname) && vim_strchr(fname, '`') == NULL)
+ {
+ ExpandInit(&xpc);
+ xpc.xp_context = EXPAND_FILES;
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index 8b85bd6..fce4f14 100644
+--- a/src/testdir/test_tagjump.vim
++++ b/src/testdir/test_tagjump.vim
+@@ -1545,4 +1545,26 @@ func Test_tagbsearch()
+ set tags& tagbsearch&
+ endfunc
+
++" Test that backtick expressions in tag filenames are not expanded.
++" This prevents command injection via malicious tags files.
++func Test_tag_backtick_filename_not_expanded()
++ let pwned_file = 'Xtags_pwnd'
++ call assert_false(filereadable(pwned_file))
++
++ let tagline = "main\t`touch " .. pwned_file .. 
"`\t/^int main/;\"\tf"
++ call writefile([tagline], 'Xbt_tags', 'D')
++ call writefile(['int main(int argc, char **argv) {', '}'], 'Xbt_main.c', 'D')
++
++ set tags=Xbt_tags
++ sp Xbt_main.c
++
++ " The :tag command should fail to find the file, but must NOT execute
++ " the backtick shell command.
++ call assert_fails('tag main', 'E429:')
++ call assert_false(filereadable(pwned_file))
++
++ set tags&
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 0d46024..88779ba 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -704,6 +704,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 357,
+ /**/
+ 2092,
+ /**/
diff --git a/vim.spec b/vim.spec
index 3e71387..a717dd6 100644
--- a/vim.spec
+++ b/vim.spec
@@ -100,6 +100,8 @@ Patch0032: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch
 Patch0033: 0001-patch-9.2.0276-security-modeline-security-bypass.patch
 # CVE-2026-35177
 Patch0034: 0001-patch-9.2.0280-security-path-traversal-issue-in-zip..patch
+# CVE-2026-41411
+Patch0035: vim-9.0.2092-CVE-2026-41411.patch
 Patch3000: vim-7.3-manpage-typo-668894-675480.patch
 Patch3001: vim-manpagefixes-948566.patch
-- Gitee
From a438fe246bd42369a3be65c6590dc493e00aff02 Mon Sep 17 00:00:00 2001
From: pkgagent
Date: Wed, 6 May 2026 10:43:14 +0800
Subject: [PATCH 2/2] fix CVE-2026-41411
---
 vim-9.0.2092-CVE-2026-41411.patch | 17 ++---------------
 vim.spec | 6 +++++-
 2 files changed, 7 insertions(+), 16 deletions(-)
diff --git a/vim-9.0.2092-CVE-2026-41411.patch b/vim-9.0.2092-CVE-2026-41411.patch
index a3b0953..ecc0519 100644
--- a/vim-9.0.2092-CVE-2026-41411.patch
+++ b/vim-9.0.2092-CVE-2026-41411.patch
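Review bot: `Test_tag_backtick_filename_not_expanded` never deletes `Xtags_pwnd`, so if the guard added to `expand_tag_fname` regresses and the backtick command does run, the marker file stays behind and the opening `assert_false(filereadable(pwned_file))` fails on every later run; a `call delete(pwned_file)` before `set tags&` would confine the failure to the run that caused it. The check depends on a shell that provides `touch`, so on other platforms the last assertion probably passes without exercising the guard, and a `CheckUnix` at the top of the function would make that explicit. The `%check` line that appears as hunk context in PATCH 2/2 (`make test || echo "Warning: tests have failure."`) suggests a failing test does not fail the build, so this adapted backport is better confirmed from the test log than from a successful build.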
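Review bot: `Patch0035` is declared here, but nothing in either commit of this series touches `%prep`, so it is worth confirming that the patch is actually applied during the build. If the spec relies on `%autosetup` or `%autopatch` the declaration is enough; if it lists explicit `%patch` lines, a matching one is needed, otherwise the package would carry the CVE-2026-41411 changelog entry without the `tag.c` guard compiled in. `%prep` lies outside the visible hunks.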
@@ -20,8 +20,7 @@ Adapted-by: PkgAgent (modified to adapt to opencloudos-stream)
 ---
 src/tag.c | 4 +++-
 src/testdir/test_tagjump.vim | 22 ++++++++++++++++++++++
- src/version.c | 2 ++
- 3 files changed, 27 insertions(+), 1 deletion(-)
+ 2 files changed, 25 insertions(+), 1 deletion(-)
 diff --git a/src/tag.c b/src/tag.c
 index 6d9e66b..3bbde8a 100644
@@ -70,16 +69,4 @@ index 8b85bd6..fce4f14 100644
 +endfunc
 +
 " vim: shiftwidth=2 sts=2 expandtab
-diff --git a/src/version.c b/src/version.c
-index 0d46024..88779ba 100644
---- a/src/version.c
-+++ b/src/version.c
-@@ -704,6 +704,8 @@ static char *(features[]) =
-
- static int included_patches[] =
- { /* Add new patch number below this line */
-+/**/
-+ 357,
- /**/
- 2092,
- /**/
+
diff --git a/vim.spec b/vim.spec
index a717dd6..ecc193d 100644
--- a/vim.spec
+++ b/vim.spec
@@ -28,7 +28,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: 9.0.2092
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: Vim and MIT and GPL v2+
 Source0: https://github.com/vim/vim/archive/refs/tags/v%{version}.tar.gz
 Source1: virc
@@ -903,6 +903,10 @@ LC_ALL=en_US.UTF-8 make test || echo "Warning: tests have failure."
 %changelog
+* Wed May 06 2026 PkgAgent Robot - 9.0.2092-16
+- [Type] security
+- [DESC] Fix CVE-2026-41411
+
 * Tue Apr 07 2026 cunlongli - 9.0.2092-15
 - [Type] security
 - [DESC] fix CVE-2026-34982 CVE-2026-35177
-- Gitee