* [OE-core] [Whinlatter] [PATCH 1/2] vim v9.1.1683: Fix CVE-2026-25749 @ 2026-03-09 7:02 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-09 7:02 ` [OE-core] [Whinlatter] [PATCH 2/2] vim v9.1.1683: Fix CVE-2026-26269 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-10 23:56 ` [OE-core] [Whinlatter] [PATCH 1/2] vim v9.1.1683: Fix CVE-2026-25749 Yoann Congal 0 siblings, 2 replies; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-09 7:02 UTC (permalink / raw) To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare From: Anil Dongare <adongare@cisco.com> Upstream Repository: https://github.com/vim/vim.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25749 Type: Security Fix CVE: CVE-2026-25749 Score: 6.6 Patch: https://github.com/vim/vim/commit/0714b15940b2 Signed-off-by: Anil Dongare <adongare@cisco.com> --- .../vim/files/CVE-2026-25749.patch | 57 +++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-25749.patch diff --git a/meta/recipes-support/vim/files/CVE-2026-25749.patch b/meta/recipes-support/vim/files/CVE-2026-25749.patch new file mode 100644 index 0000000000..1e3779d3c4 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-25749.patch @@ -0,0 +1,57 @@ +From 04c5e03c2c638e6c82c250f7b612eab29fe7d9ba Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Thu, 5 Feb 2026 18:51:54 +0000 +Subject: [PATCH] patch 9.1.2132: [security]: buffer-overflow in 'helpfile' + option handling + +Problem: [security]: buffer-overflow in 'helpfile' option handling by + using strcpy without bound checks (Rahul Hoysala) +Solution: Limit strncpy to the length of the buffer (MAXPATHL) + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 + +CVE: CVE-2026-25749 +Upstream-Status: Backport [https://github.com/vim/vim/commit/0714b15940b2] + +Signed-off-by: Christian Brabandt <cb@256bit.org> +(cherry picked from commit 0714b15940b245108e6e9d7aa2260dd849a26fa9) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + src/tag.c | 2 +- + src/testdir/test_help.vim | 9 +++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/tag.c b/src/tag.c +index 6912e8743..a32bbb245 100644 +--- a/src/tag.c ++++ b/src/tag.c +@@ -3348,7 +3348,7 @@ get_tagfname( + if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL) + return FAIL; + ++tnp->tn_hf_idx; +- STRCPY(buf, p_hf); ++ vim_strncpy(buf, p_hf, MAXPATHL - 1); + STRCPY(gettail(buf), "tags"); + #ifdef BACKSLASH_IN_FILENAME + slash_adjust(buf); +diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim +index dac153d86..f9e4686bb 100644 +--- a/src/testdir/test_help.vim ++++ b/src/testdir/test_help.vim +@@ -222,4 +222,13 @@ func Test_helptag_navigation() + endfunc + + ++" This caused a buffer overflow ++func Test_helpfile_overflow() ++ let _helpfile = &helpfile ++ let &helpfile = repeat('A', 5000) ++ help ++ helpclose ++ let &helpfile = _helpfile ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.43.7 diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index c730f1d0cf..044117a57f 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -16,6 +16,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://disable_acl_header_check.patch \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ + file://CVE-2026-25749.patch \ " PV .= ".1683" -- 2.44.1 ^ permalink raw reply related [flat|nested] 19+ messages in thread
* [OE-core] [Whinlatter] [PATCH 2/2] vim v9.1.1683: Fix CVE-2026-26269 2026-03-09 7:02 [OE-core] [Whinlatter] [PATCH 1/2] vim v9.1.1683: Fix CVE-2026-25749 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-09 7:02 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-10 23:56 ` [OE-core] [Whinlatter] [PATCH 1/2] vim v9.1.1683: Fix CVE-2026-25749 Yoann Congal 1 sibling, 0 replies; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-09 7:02 UTC (permalink / raw) To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare From: Anil Dongare <adongare@cisco.com> Upstream Repository: https://github.com/vim/vim.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2026-26269 Type: Security Fix CVE: CVE-2026-26269 Score: 7.5 Patch: https://github.com/vim/vim/commit/c5f312aad8e4 Signed-off-by: Anil Dongare <adongare@cisco.com> --- .../vim/files/CVE-2026-26269.patch | 143 ++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 144 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-26269.patch diff --git a/meta/recipes-support/vim/files/CVE-2026-26269.patch b/meta/recipes-support/vim/files/CVE-2026-26269.patch new file mode 100644 index 0000000000..fd4a652506 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-26269.patch @@ -0,0 +1,143 @@ +From b4fb08c06ee37e38c257d800347b062b78fed141 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Fri, 13 Feb 2026 10:27:12 +0100 +Subject: [PATCH] patch 9.1.2148: [security]: Buffer overflow in netbeans + interface + +Problem: [security]: Buffer overflow in netbeans special_keys() handling +Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of + bounds. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68 + +CVE: CVE-2026-26269 +Upstream-Status: Backport [https://github.com/vim/vim/commit/c5f312aad8e4] + +Signed-off-by: Christian Brabandt <cb@256bit.org> +(cherry picked from commit c5f312aad8e4179e437f81ad39a860cd0ef11970) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + runtime/doc/version9.txt | 5 +++ + src/netbeans.c | 2 +- + src/testdir/test_netbeans.py | 4 ++- + src/testdir/test_netbeans.vim | 57 +++++++++++++++++++++++++++++++++++ + 4 files changed, 66 insertions(+), 2 deletions(-) + +diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt +index b82071757..b32400f17 100644 +--- a/runtime/doc/version9.txt ++++ b/runtime/doc/version9.txt +@@ -41899,4 +41899,9 @@ features, but does not include runtime file changes (syntax, indent, ftplugin, + documentation, etc.) + + ++Patch 9.1.2148 ++Problem: [security]: Buffer overflow in netbeans special_keys() handling ++Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of ++ bounds. ++ + vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable +diff --git a/src/netbeans.c b/src/netbeans.c +index 4f5378512..8a341a20b 100644 +--- a/src/netbeans.c ++++ b/src/netbeans.c +@@ -2302,7 +2302,7 @@ special_keys(char_u *args) + if ((sep = strchr(tok, '-')) != NULL) + { + *sep = NUL; +- while (*tok) ++ while (*tok && i + 2 < KEYBUFLEN) + { + switch (*tok) + { +diff --git a/src/testdir/test_netbeans.py b/src/testdir/test_netbeans.py +index 0d6b09680..585886fb4 100644 +--- a/src/testdir/test_netbeans.py ++++ b/src/testdir/test_netbeans.py +@@ -112,7 +112,9 @@ class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler): + 'startAtomic_Test' : '0:startAtomic!94\n', + 'endAtomic_Test' : '0:endAtomic!95\n', + 'AnnoScale_Test' : "".join(['2:defineAnnoType!60 ' + str(i) + ' "s' + str(i) + '" "x" "=>" blue none\n' for i in range(2, 26)]), +- 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n' ++ 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n', ++ 'specialKeys_overflow_Test' : '0:specialKeys!200 "' + 'A'*80 + '-X"\n' ++ + } + # execute the specified test + if cmd not in testmap: +diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim +index d3d5e8baf..d1be5066e 100644 +--- a/src/testdir/test_netbeans.vim ++++ b/src/testdir/test_netbeans.vim +@@ -958,6 +958,58 @@ func Nb_bwipe_buffer(port) + sleep 10m + endfunc + ++func Nb_specialKeys_overflow(port) ++ call delete("Xnetbeans") ++ call writefile([], "Xnetbeans") ++ ++ " Last line number in the Xnetbeans file. Used to verify the result of the ++ " communication with the netbeans server ++ let g:last = 0 ++ ++ " Establish the connection with the netbeans server ++ exe 'nbstart :localhost:' .. a:port .. ':bunny' ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') ++ let l = ReadXnetbeans() ++ call assert_equal(['AUTH bunny', ++ \ '0:version=0 "2.5"', ++ \ '0:startupDone=0'], l[-3:]) ++ let g:last += 3 ++ ++ " Open the command buffer to communicate with the server ++ split Xcmdbuf ++ let cmdbufnr = bufnr() ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') ++ let l = ReadXnetbeans() ++ call assert_equal('0:fileOpened=0 "Xcmdbuf" T F', ++ \ substitute(l[-3], '".*/', '"', '')) ++ call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"', ++ \ substitute(l[-2], '".*/', '"', '')) ++ call assert_equal('1:startDocumentListen!16', l[-1]) ++ let g:last += 3 ++ ++ " Keep the command buffer loaded for communication ++ hide ++ ++ sleep 1m ++ ++ " Open the command buffer to communicate with the server ++ split Xcmdbuf ++ let cmdbufnr = bufnr() ++ call appendbufline(cmdbufnr, '$', 'specialKeys_overflow_Test') ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 6)') ++ call WaitForAssert({-> assert_match('send: 0:specialKeys!200 "A\{80}-X"', ++ \ ReadXnetbeans()[-1])}) ++ ++ " Verify that specialKeys test, still works after the previous junk ++ call appendbufline(cmdbufnr, '$', 'specialKeys_Test') ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 1)') ++ call WaitForAssert({-> assert_match('^send: 0:specialKeys!91 "F12 F13 C-F13"$', ++ \ ReadXnetbeans()[-1])}) ++ let g:last += 1 ++ ++ sleep 10m ++endfunc ++ + " This test used to reference a buffer after it was freed leading to an ASAN + " error. + func Test_nb_bwipe_buffer() +@@ -967,4 +1019,9 @@ func Test_nb_bwipe_buffer() + nbclose + endfunc + ++" Verify that the specialKeys argument does not overflow ++func Test_nb_specialKeys_overflow() ++ call s:run_server('Nb_specialKeys_overflow') ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.43.7 diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 044117a57f..792a46faf7 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ file://CVE-2026-25749.patch \ + file://CVE-2026-26269.patch \ " PV .= ".1683" -- 2.44.1 ^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [OE-core] [Whinlatter] [PATCH 1/2] vim v9.1.1683: Fix CVE-2026-25749 2026-03-09 7:02 [OE-core] [Whinlatter] [PATCH 1/2] vim v9.1.1683: Fix CVE-2026-25749 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-09 7:02 ` [OE-core] [Whinlatter] [PATCH 2/2] vim v9.1.1683: Fix CVE-2026-26269 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-10 23:56 ` Yoann Congal 2026-03-11 9:13 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 1 sibling, 1 reply; 19+ messages in thread From: Yoann Congal @ 2026-03-10 23:56 UTC (permalink / raw) To: adongare, openembedded-core; +Cc: xe-linux-external, to Hello, Thank for the patches, they both looks right but the form need improvment (review should apply to both patches) The subject should just say "vim: Fix CVE-2026-25749" (no version before ":") On Mon Mar 9, 2026 at 8:02 AM CET, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Anil Dongare <adongare@cisco.com> > > Upstream Repository: https://github.com/vim/vim.git > > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25749 > Type: Security Fix > CVE: CVE-2026-25749 > Score: 6.6 > Patch: https://github.com/vim/vim/commit/0714b15940b2 There is a lot of useless/redundant information in this commit message. The thing I look for in a commit message for a CVE fix like this, is "how do you go from the CVE to the patch you apply". Here, this is quite simple, you apply the fix cited in the CVE NVD page (the URL to the NVD page is appreciated). > Signed-off-by: Anil Dongare <adongare@cisco.com> > --- > .../vim/files/CVE-2026-25749.patch | 57 +++++++++++++++++++ > meta/recipes-support/vim/vim.inc | 1 + > 2 files changed, 58 insertions(+) > create mode 100644 meta/recipes-support/vim/files/CVE-2026-25749.patch > > diff --git a/meta/recipes-support/vim/files/CVE-2026-25749.patch b/meta/recipes-support/vim/files/CVE-2026-25749.patch > new file mode 100644 > index 0000000000..1e3779d3c4 > --- /dev/null > +++ b/meta/recipes-support/vim/files/CVE-2026-25749.patch > @@ -0,0 +1,57 @@ > +From 04c5e03c2c638e6c82c250f7b612eab29fe7d9ba Mon Sep 17 00:00:00 2001 > +From: Christian Brabandt <cb@256bit.org> > +Date: Thu, 5 Feb 2026 18:51:54 +0000 > +Subject: [PATCH] patch 9.1.2132: [security]: buffer-overflow in 'helpfile' > + option handling > + > +Problem: [security]: buffer-overflow in 'helpfile' option handling by > + using strcpy without bound checks (Rahul Hoysala) > +Solution: Limit strncpy to the length of the buffer (MAXPATHL) > + > +Github Advisory: > +https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 > + > +CVE: CVE-2026-25749 > +Upstream-Status: Backport [https://github.com/vim/vim/commit/0714b15940b2] Please use the full hash instead. > + > +Signed-off-by: Christian Brabandt <cb@256bit.org> > +(cherry picked from commit 0714b15940b245108e6e9d7aa2260dd849a26fa9) > +Signed-off-by: Anil Dongare <adongare@cisco.com> > +--- > + src/tag.c | 2 +- > + src/testdir/test_help.vim | 9 +++++++++ > + 2 files changed, 10 insertions(+), 1 deletion(-) > + > +diff --git a/src/tag.c b/src/tag.c > +index 6912e8743..a32bbb245 100644 > +--- a/src/tag.c > ++++ b/src/tag.c > +@@ -3348,7 +3348,7 @@ get_tagfname( > + if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL) > + return FAIL; > + ++tnp->tn_hf_idx; > +- STRCPY(buf, p_hf); > ++ vim_strncpy(buf, p_hf, MAXPATHL - 1); > + STRCPY(gettail(buf), "tags"); > + #ifdef BACKSLASH_IN_FILENAME > + slash_adjust(buf); > +diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim > +index dac153d86..f9e4686bb 100644 > +--- a/src/testdir/test_help.vim > ++++ b/src/testdir/test_help.vim > +@@ -222,4 +222,13 @@ func Test_helptag_navigation() > + endfunc > + > + > ++" This caused a buffer overflow > ++func Test_helpfile_overflow() > ++ let _helpfile = &helpfile > ++ let &helpfile = repeat('A', 5000) > ++ help > ++ helpclose > ++ let &helpfile = _helpfile > ++endfunc > ++ > + " vim: shiftwidth=2 sts=2 expandtab > +-- > +2.43.7 > diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc > index c730f1d0cf..044117a57f 100644 > --- a/meta/recipes-support/vim/vim.inc > +++ b/meta/recipes-support/vim/vim.inc > @@ -16,6 +16,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} > file://disable_acl_header_check.patch \ > file://0001-src-Makefile-improve-reproducibility.patch \ > file://no-path-adjust.patch \ > + file://CVE-2026-25749.patch \ > " > > PV .= ".1683" -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [Whinlatter] [PATCH 1/2] vim v9.1.1683: Fix CVE-2026-25749 2026-03-10 23:56 ` [OE-core] [Whinlatter] [PATCH 1/2] vim v9.1.1683: Fix CVE-2026-25749 Yoann Congal @ 2026-03-11 9:13 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 9:45 ` [OE-core] [scarthgap] [PATCH V2 1/2] vim: " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 9:51 ` [OE-core] [Whinlatter] " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 2 replies; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-11 9:13 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 528 bytes --] Hi Yoann, Thank you for reviewing the patches. I appreciate the feedback. I will apply these corrections to both patches: * Update the subject lines to remove the version number (e.g., "vim: Fix CVE-2026-25749"). * Clean up the commit messages to remove the redundant information and only include the NVD URLs. * Update the Upstream-Status tags to use the full 40-character Git hashes instead of the short ones. I will format and send out a v2 patch series shortly. Best regards, Anil Dongare [-- Attachment #2: Type: text/html, Size: 926 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* [OE-core] [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749 2026-03-11 9:13 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-11 9:45 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 9:45 ` [OE-core] [scarthgap] [PATCH V2 2/2] vim: Fix CVE-2026-26269 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-19 23:52 ` [OE-core] [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749 Yoann Congal 2026-03-11 9:51 ` [OE-core] [Whinlatter] " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 1 sibling, 2 replies; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-11 9:45 UTC (permalink / raw) To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare From: Anil Dongare <adongare@cisco.com> Pick patch from [1] also mentioned in [2] [1] https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-25749 Signed-off-by: Anil Dongare <adongare@cisco.com> --- .../vim/files/CVE-2026-25749.patch | 63 +++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-25749.patch diff --git a/meta/recipes-support/vim/files/CVE-2026-25749.patch b/meta/recipes-support/vim/files/CVE-2026-25749.patch new file mode 100644 index 0000000000..4236464c99 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-25749.patch @@ -0,0 +1,63 @@ +From 04c5e03c2c638e6c82c250f7b612eab29fe7d9ba Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Thu, 5 Feb 2026 18:51:54 +0000 +Subject: [PATCH] patch 9.1.2132: [security]: buffer-overflow in 'helpfile' + option handling + +Problem: [security]: buffer-overflow in 'helpfile' option handling by + using strcpy without bound checks (Rahul Hoysala) +Solution: Limit strncpy to the length of the buffer (MAXPATHL) + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 + +CVE: CVE-2026-25749 +Upstream-Status: Backport [https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9] + +Backport Changes: +- Excluded changes to src/version.c and runtime/doc/version9.txt + from this backport. This file only tracks upstream version increments. + We are applying a security fix, not a version upgrade. These changes + were skipped to maintain current package versioning and avoid merge conflicts. + +Signed-off-by: Christian Brabandt <cb@256bit.org> +(cherry picked from commit 0714b15940b245108e6e9d7aa2260dd849a26fa9) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + src/tag.c | 2 +- + src/testdir/test_help.vim | 9 +++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/tag.c b/src/tag.c +index 6912e8743..a32bbb245 100644 +--- a/src/tag.c ++++ b/src/tag.c +@@ -3348,7 +3348,7 @@ get_tagfname( + if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL) + return FAIL; + ++tnp->tn_hf_idx; +- STRCPY(buf, p_hf); ++ vim_strncpy(buf, p_hf, MAXPATHL - 1); + STRCPY(gettail(buf), "tags"); + #ifdef BACKSLASH_IN_FILENAME + slash_adjust(buf); +diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim +index dac153d86..f9e4686bb 100644 +--- a/src/testdir/test_help.vim ++++ b/src/testdir/test_help.vim +@@ -222,4 +222,13 @@ func Test_helptag_navigation() + endfunc + + ++" This caused a buffer overflow ++func Test_helpfile_overflow() ++ let _helpfile = &helpfile ++ let &helpfile = repeat('A', 5000) ++ help ++ helpclose ++ let &helpfile = _helpfile ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.43.7 diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index c730f1d0cf..044117a57f 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -16,6 +16,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://disable_acl_header_check.patch \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ + file://CVE-2026-25749.patch \ " PV .= ".1683" -- 2.44.1 ^ permalink raw reply related [flat|nested] 19+ messages in thread
* [OE-core] [scarthgap] [PATCH V2 2/2] vim: Fix CVE-2026-26269 2026-03-11 9:45 ` [OE-core] [scarthgap] [PATCH V2 1/2] vim: " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-11 9:45 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-19 23:52 ` [OE-core] [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749 Yoann Congal 1 sibling, 0 replies; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-11 9:45 UTC (permalink / raw) To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare From: Anil Dongare <adongare@cisco.com> Pick patch from [1] also mentioned in [2] [1] https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-26269 Signed-off-by: Anil Dongare <adongare@cisco.com> --- .../vim/files/CVE-2026-26269.patch | 149 ++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 150 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-26269.patch diff --git a/meta/recipes-support/vim/files/CVE-2026-26269.patch b/meta/recipes-support/vim/files/CVE-2026-26269.patch new file mode 100644 index 0000000000..c1c93782f2 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-26269.patch @@ -0,0 +1,149 @@ +From b4fb08c06ee37e38c257d800347b062b78fed141 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Fri, 13 Feb 2026 10:27:12 +0100 +Subject: [PATCH] patch 9.1.2148: [security]: Buffer overflow in netbeans + interface + +Problem: [security]: Buffer overflow in netbeans special_keys() handling +Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of + bounds. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68 + +CVE: CVE-2026-26269 +Upstream-Status: Backport [https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970] + +Backport Changes: +- Excluded changes to src/version.c and runtime/doc/version9.txt + from this backport. This file only tracks upstream version increments. + We are applying a security fix, not a version upgrade. These changes + were skipped to maintain current package versioning and avoid merge conflicts. + +Signed-off-by: Christian Brabandt <cb@256bit.org> +(cherry picked from commit c5f312aad8e4179e437f81ad39a860cd0ef11970) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + runtime/doc/version9.txt | 5 +++ + src/netbeans.c | 2 +- + src/testdir/test_netbeans.py | 4 ++- + src/testdir/test_netbeans.vim | 57 +++++++++++++++++++++++++++++++++++ + 4 files changed, 66 insertions(+), 2 deletions(-) + +diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt +index b82071757..b32400f17 100644 +--- a/runtime/doc/version9.txt ++++ b/runtime/doc/version9.txt +@@ -41899,4 +41899,9 @@ features, but does not include runtime file changes (syntax, indent, ftplugin, + documentation, etc.) + + ++Patch 9.1.2148 ++Problem: [security]: Buffer overflow in netbeans special_keys() handling ++Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of ++ bounds. ++ + vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable +diff --git a/src/netbeans.c b/src/netbeans.c +index 4f5378512..8a341a20b 100644 +--- a/src/netbeans.c ++++ b/src/netbeans.c +@@ -2302,7 +2302,7 @@ special_keys(char_u *args) + if ((sep = strchr(tok, '-')) != NULL) + { + *sep = NUL; +- while (*tok) ++ while (*tok && i + 2 < KEYBUFLEN) + { + switch (*tok) + { +diff --git a/src/testdir/test_netbeans.py b/src/testdir/test_netbeans.py +index 0d6b09680..585886fb4 100644 +--- a/src/testdir/test_netbeans.py ++++ b/src/testdir/test_netbeans.py +@@ -112,7 +112,9 @@ class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler): + 'startAtomic_Test' : '0:startAtomic!94\n', + 'endAtomic_Test' : '0:endAtomic!95\n', + 'AnnoScale_Test' : "".join(['2:defineAnnoType!60 ' + str(i) + ' "s' + str(i) + '" "x" "=>" blue none\n' for i in range(2, 26)]), +- 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n' ++ 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n', ++ 'specialKeys_overflow_Test' : '0:specialKeys!200 "' + 'A'*80 + '-X"\n' ++ + } + # execute the specified test + if cmd not in testmap: +diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim +index d3d5e8baf..d1be5066e 100644 +--- a/src/testdir/test_netbeans.vim ++++ b/src/testdir/test_netbeans.vim +@@ -958,6 +958,58 @@ func Nb_bwipe_buffer(port) + sleep 10m + endfunc + ++func Nb_specialKeys_overflow(port) ++ call delete("Xnetbeans") ++ call writefile([], "Xnetbeans") ++ ++ " Last line number in the Xnetbeans file. Used to verify the result of the ++ " communication with the netbeans server ++ let g:last = 0 ++ ++ " Establish the connection with the netbeans server ++ exe 'nbstart :localhost:' .. a:port .. ':bunny' ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') ++ let l = ReadXnetbeans() ++ call assert_equal(['AUTH bunny', ++ \ '0:version=0 "2.5"', ++ \ '0:startupDone=0'], l[-3:]) ++ let g:last += 3 ++ ++ " Open the command buffer to communicate with the server ++ split Xcmdbuf ++ let cmdbufnr = bufnr() ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') ++ let l = ReadXnetbeans() ++ call assert_equal('0:fileOpened=0 "Xcmdbuf" T F', ++ \ substitute(l[-3], '".*/', '"', '')) ++ call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"', ++ \ substitute(l[-2], '".*/', '"', '')) ++ call assert_equal('1:startDocumentListen!16', l[-1]) ++ let g:last += 3 ++ ++ " Keep the command buffer loaded for communication ++ hide ++ ++ sleep 1m ++ ++ " Open the command buffer to communicate with the server ++ split Xcmdbuf ++ let cmdbufnr = bufnr() ++ call appendbufline(cmdbufnr, '$', 'specialKeys_overflow_Test') ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 6)') ++ call WaitForAssert({-> assert_match('send: 0:specialKeys!200 "A\{80}-X"', ++ \ ReadXnetbeans()[-1])}) ++ ++ " Verify that specialKeys test, still works after the previous junk ++ call appendbufline(cmdbufnr, '$', 'specialKeys_Test') ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 1)') ++ call WaitForAssert({-> assert_match('^send: 0:specialKeys!91 "F12 F13 C-F13"$', ++ \ ReadXnetbeans()[-1])}) ++ let g:last += 1 ++ ++ sleep 10m ++endfunc ++ + " This test used to reference a buffer after it was freed leading to an ASAN + " error. + func Test_nb_bwipe_buffer() +@@ -967,4 +1019,9 @@ func Test_nb_bwipe_buffer() + nbclose + endfunc + ++" Verify that the specialKeys argument does not overflow ++func Test_nb_specialKeys_overflow() ++ call s:run_server('Nb_specialKeys_overflow') ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.43.7 diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 044117a57f..792a46faf7 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ file://CVE-2026-25749.patch \ + file://CVE-2026-26269.patch \ " PV .= ".1683" -- 2.44.1 ^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [OE-core] [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749 2026-03-11 9:45 ` [OE-core] [scarthgap] [PATCH V2 1/2] vim: " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 9:45 ` [OE-core] [scarthgap] [PATCH V2 2/2] vim: Fix CVE-2026-26269 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-19 23:52 ` Yoann Congal 2026-03-30 18:21 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 1 sibling, 1 reply; 19+ messages in thread From: Yoann Congal @ 2026-03-19 23:52 UTC (permalink / raw) To: adongare, openembedded-core; +Cc: xe-linux-external, to On Wed Mar 11, 2026 at 10:45 AM CET, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Anil Dongare <adongare@cisco.com> > > Pick patch from [1] also mentioned in [2] > [1] https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9 > [2] https://nvd.nist.gov/vuln/detail/CVE-2026-25749 > > Signed-off-by: Anil Dongare <adongare@cisco.com> > --- > .../vim/files/CVE-2026-25749.patch | 63 +++++++++++++++++++ > meta/recipes-support/vim/vim.inc | 1 + > 2 files changed, 64 insertions(+) > create mode 100644 meta/recipes-support/vim/files/CVE-2026-25749.patch > > diff --git a/meta/recipes-support/vim/files/CVE-2026-25749.patch b/meta/recipes-support/vim/files/CVE-2026-25749.patch > new file mode 100644 > index 0000000000..4236464c99 > --- /dev/null > +++ b/meta/recipes-support/vim/files/CVE-2026-25749.patch > @@ -0,0 +1,63 @@ > +From 04c5e03c2c638e6c82c250f7b612eab29fe7d9ba Mon Sep 17 00:00:00 2001 > +From: Christian Brabandt <cb@256bit.org> > +Date: Thu, 5 Feb 2026 18:51:54 +0000 > +Subject: [PATCH] patch 9.1.2132: [security]: buffer-overflow in 'helpfile' > + option handling > + > +Problem: [security]: buffer-overflow in 'helpfile' option handling by > + using strcpy without bound checks (Rahul Hoysala) > +Solution: Limit strncpy to the length of the buffer (MAXPATHL) > + > +Github Advisory: > +https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 > + > +CVE: CVE-2026-25749 > +Upstream-Status: Backport [https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9] > + > +Backport Changes: > +- Excluded changes to src/version.c and runtime/doc/version9.txt > + from this backport. This file only tracks upstream version increments. > + We are applying a security fix, not a version upgrade. These changes > + were skipped to maintain current package versioning and avoid merge conflicts. > + > +Signed-off-by: Christian Brabandt <cb@256bit.org> > +(cherry picked from commit 0714b15940b245108e6e9d7aa2260dd849a26fa9) > +Signed-off-by: Anil Dongare <adongare@cisco.com> > +--- > + src/tag.c | 2 +- > + src/testdir/test_help.vim | 9 +++++++++ > + 2 files changed, 10 insertions(+), 1 deletion(-) > + > +diff --git a/src/tag.c b/src/tag.c > +index 6912e8743..a32bbb245 100644 > +--- a/src/tag.c > ++++ b/src/tag.c > +@@ -3348,7 +3348,7 @@ get_tagfname( > + if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL) Hello, This patch has a weird format. The context lines starts with tabs and not a single space as usual. While it seems like it passes tests, I'm afraid it will break something down the line and I'd rather not take this like this. Can you please check? Thanks! > + return FAIL; > + ++tnp->tn_hf_idx; > +- STRCPY(buf, p_hf); > ++ vim_strncpy(buf, p_hf, MAXPATHL - 1); > + STRCPY(gettail(buf), "tags"); > + #ifdef BACKSLASH_IN_FILENAME > + slash_adjust(buf); > +diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim > +index dac153d86..f9e4686bb 100644 > +--- a/src/testdir/test_help.vim > ++++ b/src/testdir/test_help.vim > +@@ -222,4 +222,13 @@ func Test_helptag_navigation() > + endfunc > + > + > ++" This caused a buffer overflow > ++func Test_helpfile_overflow() > ++ let _helpfile = &helpfile > ++ let &helpfile = repeat('A', 5000) > ++ help > ++ helpclose > ++ let &helpfile = _helpfile > ++endfunc > ++ > + " vim: shiftwidth=2 sts=2 expandtab > +-- > +2.43.7 > diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc > index c730f1d0cf..044117a57f 100644 > --- a/meta/recipes-support/vim/vim.inc > +++ b/meta/recipes-support/vim/vim.inc > @@ -16,6 +16,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} > file://disable_acl_header_check.patch \ > file://0001-src-Makefile-improve-reproducibility.patch \ > file://no-path-adjust.patch \ > + file://CVE-2026-25749.patch \ > " > > PV .= ".1683" -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749 2026-03-19 23:52 ` [OE-core] [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749 Yoann Congal @ 2026-03-30 18:21 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-30 20:52 ` [OE-core] " Yoann Congal 0 siblings, 1 reply; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-30 18:21 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 513 bytes --] Hi Yoann, Thank you for reviewing the patch. I have double-checked the formatting against the upstream repository. The context lines starting with tabs rather than a single space exactly match the original upstream source code indentation in src/tag.c for that specific block. I kept the formatting identical to the upstream commit to ensure consistency and avoid introducing any unintended whitespace or indentation issues. Please let me know if you would still prefer me to modify it! Thanks, Anil [-- Attachment #2: Type: text/html, Size: 737 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [OE-core] [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749 2026-03-30 18:21 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-30 20:52 ` Yoann Congal 2026-03-31 8:54 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 19+ messages in thread From: Yoann Congal @ 2026-03-30 20:52 UTC (permalink / raw) To: adongare, openembedded-core On Mon Mar 30, 2026 at 8:21 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > Hi Yoann, > > Thank you for reviewing the patch. I have double-checked the formatting against the upstream repository. > > The context lines starting with tabs rather than a single space exactly match the original upstream source code indentation in src/tag.c for that specific block. I kept the formatting identical to the upstream commit to ensure consistency and avoid introducing any unintended whitespace or indentation issues. Hello, I think I was not clear enough. Let me be more precise. I'm not talking about indentation style in the upstream file tag.c (those can be either spaces or tabs, that is perfectly fine). I'm talking about the format of the patch modifying this file. For example, your CVE-2026-25749.patch file: As per https://www.gnu.org/software/diffutils/manual/html_node/Detailed-Unified.html: > The lines common to both files begin with a space character. The lines > that actually differ between the two files have one of the following > indicator characters in the left print column: But, in you patch you actually got a tab instead of the space meaning that both before/after state have the same line (in another word: context). Using "cat -t" to display tab: $ cat -nt meta/recipes-support/vim/files/CVE-2026-25749.patch 33 --- a/src/tag.c 34 +++ b/src/tag.c 35 @@ -3348,7 +3348,7 @@ get_tagfname( 36 ^I if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL) ^ Here, there is a tab where the format says it should be a space to indicate context. But some lines later this is fine: 44 diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim 45 index dac153d86..f9e4686bb 100644 46 --- a/src/testdir/test_help.vim 47 +++ b/src/testdir/test_help.vim 48 @@ -222,4 +222,13 @@ func Test_helptag_navigation() 49 endfunc ^ here, this is a space to indicate that this line is context. (Like every other patch you will find in the oe-core repository) Is this more clear? > Please let me know if you would still prefer me to modify it! Yes, I still like a properly formatted patch please. I don't know how you generated this patch but I recommend using devtool: https://docs.yoctoproject.org/dev/ref-manual/devtool-reference.html#updating-a-recipe Regards, > > Thanks, Anil -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749 2026-03-30 20:52 ` [OE-core] " Yoann Congal @ 2026-03-31 8:54 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-31 11:18 ` [OE-core] " Yoann Congal 0 siblings, 1 reply; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-31 8:54 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 689 bytes --] Hi Yoann, Thank you for the detailed explanation! That makes perfect sense now. I misunderstood and was looking at the source code indentation rather than the unified diff format itself. I clearly see now via cat -t that the context line indicator was a tab instead of a space. I will regenerate the patch properly (I'll look into using devtool as you recommended) and send out an updated version. Going forward, besides manually checking the diff, is there a specific script or tool (like a patch checker) you recommend using to verify the patch format is strictly correct before sending it to the mailing list? Thanks again for your patience and help! Best regards, Anil [-- Attachment #2: Type: text/html, Size: 1003 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [OE-core] [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749 2026-03-31 8:54 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-31 11:18 ` Yoann Congal 0 siblings, 0 replies; 19+ messages in thread From: Yoann Congal @ 2026-03-31 11:18 UTC (permalink / raw) To: adongare, openembedded-core On Tue Mar 31, 2026 at 10:54 AM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > Hi Yoann, > > Thank you for the detailed explanation! That makes perfect sense now. I misunderstood and was looking at the source code indentation rather than the unified diff format itself. I clearly see now via cat -t that the context line indicator was a tab instead of a space. > > I will regenerate the patch properly (I'll look into using devtool as you recommended) and send out an updated version. > > Going forward, besides manually checking the diff, is there a specific script or tool (like a patch checker) you recommend using to verify the patch format is strictly correct before sending it to the mailing list? I don't know of any. I just noticed it because I've setup my text editor to display whitespaces (but that's mostly luck). Maybe check your next patches with a trivial regexp? grep '^\t' xxx.patch and review output? > Thanks again for your patience and help! > > Best regards, Anil Regards, -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 19+ messages in thread
* [OE-core] [Whinlatter] [PATCH V2 1/2] vim: Fix CVE-2026-25749 2026-03-11 9:13 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 9:45 ` [OE-core] [scarthgap] [PATCH V2 1/2] vim: " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-11 9:51 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 9:51 ` [OE-core] [Whinlatter] [PATCH V2 2/2] vim: Fix CVE-2026-26269 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 1 sibling, 1 reply; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-11 9:51 UTC (permalink / raw) To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare From: Anil Dongare <adongare@cisco.com> Pick patch from [1] also mentioned in [2] [1] https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-25749 Signed-off-by: Anil Dongare <adongare@cisco.com> --- .../vim/files/CVE-2026-25749.patch | 63 +++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-25749.patch diff --git a/meta/recipes-support/vim/files/CVE-2026-25749.patch b/meta/recipes-support/vim/files/CVE-2026-25749.patch new file mode 100644 index 0000000000..4236464c99 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-25749.patch @@ -0,0 +1,63 @@ +From 04c5e03c2c638e6c82c250f7b612eab29fe7d9ba Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Thu, 5 Feb 2026 18:51:54 +0000 +Subject: [PATCH] patch 9.1.2132: [security]: buffer-overflow in 'helpfile' + option handling + +Problem: [security]: buffer-overflow in 'helpfile' option handling by + using strcpy without bound checks (Rahul Hoysala) +Solution: Limit strncpy to the length of the buffer (MAXPATHL) + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 + +CVE: CVE-2026-25749 +Upstream-Status: Backport [https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9] + +Backport Changes: +- Excluded changes to src/version.c and runtime/doc/version9.txt + from this backport. This file only tracks upstream version increments. + We are applying a security fix, not a version upgrade. These changes + were skipped to maintain current package versioning and avoid merge conflicts. + +Signed-off-by: Christian Brabandt <cb@256bit.org> +(cherry picked from commit 0714b15940b245108e6e9d7aa2260dd849a26fa9) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + src/tag.c | 2 +- + src/testdir/test_help.vim | 9 +++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/tag.c b/src/tag.c +index 6912e8743..a32bbb245 100644 +--- a/src/tag.c ++++ b/src/tag.c +@@ -3348,7 +3348,7 @@ get_tagfname( + if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL) + return FAIL; + ++tnp->tn_hf_idx; +- STRCPY(buf, p_hf); ++ vim_strncpy(buf, p_hf, MAXPATHL - 1); + STRCPY(gettail(buf), "tags"); + #ifdef BACKSLASH_IN_FILENAME + slash_adjust(buf); +diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim +index dac153d86..f9e4686bb 100644 +--- a/src/testdir/test_help.vim ++++ b/src/testdir/test_help.vim +@@ -222,4 +222,13 @@ func Test_helptag_navigation() + endfunc + + ++" This caused a buffer overflow ++func Test_helpfile_overflow() ++ let _helpfile = &helpfile ++ let &helpfile = repeat('A', 5000) ++ help ++ helpclose ++ let &helpfile = _helpfile ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.43.7 diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index c730f1d0cf..044117a57f 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -16,6 +16,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://disable_acl_header_check.patch \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ + file://CVE-2026-25749.patch \ " PV .= ".1683" -- 2.44.1 ^ permalink raw reply related [flat|nested] 19+ messages in thread
* [OE-core] [Whinlatter] [PATCH V2 2/2] vim: Fix CVE-2026-26269 2026-03-11 9:51 ` [OE-core] [Whinlatter] " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-11 9:51 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 11:24 ` Yoann Congal 0 siblings, 1 reply; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-11 9:51 UTC (permalink / raw) To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare From: Anil Dongare <adongare@cisco.com> Pick patch from [1] also mentioned in [2] [1] https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-26269 Signed-off-by: Anil Dongare <adongare@cisco.com> --- .../vim/files/CVE-2026-26269.patch | 149 ++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 150 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-26269.patch diff --git a/meta/recipes-support/vim/files/CVE-2026-26269.patch b/meta/recipes-support/vim/files/CVE-2026-26269.patch new file mode 100644 index 0000000000..c1c93782f2 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-26269.patch @@ -0,0 +1,149 @@ +From b4fb08c06ee37e38c257d800347b062b78fed141 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Fri, 13 Feb 2026 10:27:12 +0100 +Subject: [PATCH] patch 9.1.2148: [security]: Buffer overflow in netbeans + interface + +Problem: [security]: Buffer overflow in netbeans special_keys() handling +Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of + bounds. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68 + +CVE: CVE-2026-26269 +Upstream-Status: Backport [https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970] + +Backport Changes: +- Excluded changes to src/version.c and runtime/doc/version9.txt + from this backport. This file only tracks upstream version increments. + We are applying a security fix, not a version upgrade. These changes + were skipped to maintain current package versioning and avoid merge conflicts. + +Signed-off-by: Christian Brabandt <cb@256bit.org> +(cherry picked from commit c5f312aad8e4179e437f81ad39a860cd0ef11970) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + runtime/doc/version9.txt | 5 +++ + src/netbeans.c | 2 +- + src/testdir/test_netbeans.py | 4 ++- + src/testdir/test_netbeans.vim | 57 +++++++++++++++++++++++++++++++++++ + 4 files changed, 66 insertions(+), 2 deletions(-) + +diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt +index b82071757..b32400f17 100644 +--- a/runtime/doc/version9.txt ++++ b/runtime/doc/version9.txt +@@ -41899,4 +41899,9 @@ features, but does not include runtime file changes (syntax, indent, ftplugin, + documentation, etc.) + + ++Patch 9.1.2148 ++Problem: [security]: Buffer overflow in netbeans special_keys() handling ++Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of ++ bounds. ++ + vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable +diff --git a/src/netbeans.c b/src/netbeans.c +index 4f5378512..8a341a20b 100644 +--- a/src/netbeans.c ++++ b/src/netbeans.c +@@ -2302,7 +2302,7 @@ special_keys(char_u *args) + if ((sep = strchr(tok, '-')) != NULL) + { + *sep = NUL; +- while (*tok) ++ while (*tok && i + 2 < KEYBUFLEN) + { + switch (*tok) + { +diff --git a/src/testdir/test_netbeans.py b/src/testdir/test_netbeans.py +index 0d6b09680..585886fb4 100644 +--- a/src/testdir/test_netbeans.py ++++ b/src/testdir/test_netbeans.py +@@ -112,7 +112,9 @@ class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler): + 'startAtomic_Test' : '0:startAtomic!94\n', + 'endAtomic_Test' : '0:endAtomic!95\n', + 'AnnoScale_Test' : "".join(['2:defineAnnoType!60 ' + str(i) + ' "s' + str(i) + '" "x" "=>" blue none\n' for i in range(2, 26)]), +- 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n' ++ 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n', ++ 'specialKeys_overflow_Test' : '0:specialKeys!200 "' + 'A'*80 + '-X"\n' ++ + } + # execute the specified test + if cmd not in testmap: +diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim +index d3d5e8baf..d1be5066e 100644 +--- a/src/testdir/test_netbeans.vim ++++ b/src/testdir/test_netbeans.vim +@@ -958,6 +958,58 @@ func Nb_bwipe_buffer(port) + sleep 10m + endfunc + ++func Nb_specialKeys_overflow(port) ++ call delete("Xnetbeans") ++ call writefile([], "Xnetbeans") ++ ++ " Last line number in the Xnetbeans file. Used to verify the result of the ++ " communication with the netbeans server ++ let g:last = 0 ++ ++ " Establish the connection with the netbeans server ++ exe 'nbstart :localhost:' .. a:port .. ':bunny' ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') ++ let l = ReadXnetbeans() ++ call assert_equal(['AUTH bunny', ++ \ '0:version=0 "2.5"', ++ \ '0:startupDone=0'], l[-3:]) ++ let g:last += 3 ++ ++ " Open the command buffer to communicate with the server ++ split Xcmdbuf ++ let cmdbufnr = bufnr() ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') ++ let l = ReadXnetbeans() ++ call assert_equal('0:fileOpened=0 "Xcmdbuf" T F', ++ \ substitute(l[-3], '".*/', '"', '')) ++ call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"', ++ \ substitute(l[-2], '".*/', '"', '')) ++ call assert_equal('1:startDocumentListen!16', l[-1]) ++ let g:last += 3 ++ ++ " Keep the command buffer loaded for communication ++ hide ++ ++ sleep 1m ++ ++ " Open the command buffer to communicate with the server ++ split Xcmdbuf ++ let cmdbufnr = bufnr() ++ call appendbufline(cmdbufnr, '$', 'specialKeys_overflow_Test') ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 6)') ++ call WaitForAssert({-> assert_match('send: 0:specialKeys!200 "A\{80}-X"', ++ \ ReadXnetbeans()[-1])}) ++ ++ " Verify that specialKeys test, still works after the previous junk ++ call appendbufline(cmdbufnr, '$', 'specialKeys_Test') ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 1)') ++ call WaitForAssert({-> assert_match('^send: 0:specialKeys!91 "F12 F13 C-F13"$', ++ \ ReadXnetbeans()[-1])}) ++ let g:last += 1 ++ ++ sleep 10m ++endfunc ++ + " This test used to reference a buffer after it was freed leading to an ASAN + " error. + func Test_nb_bwipe_buffer() +@@ -967,4 +1019,9 @@ func Test_nb_bwipe_buffer() + nbclose + endfunc + ++" Verify that the specialKeys argument does not overflow ++func Test_nb_specialKeys_overflow() ++ call s:run_server('Nb_specialKeys_overflow') ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.43.7 diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 044117a57f..792a46faf7 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ file://CVE-2026-25749.patch \ + file://CVE-2026-26269.patch \ " PV .= ".1683" -- 2.44.1 ^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [OE-core] [Whinlatter] [PATCH V2 2/2] vim: Fix CVE-2026-26269 2026-03-11 9:51 ` [OE-core] [Whinlatter] [PATCH V2 2/2] vim: Fix CVE-2026-26269 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-11 11:24 ` Yoann Congal 2026-03-16 12:35 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 19+ messages in thread From: Yoann Congal @ 2026-03-11 11:24 UTC (permalink / raw) To: adongare, openembedded-core; +Cc: xe-linux-external, to On Wed Mar 11, 2026 at 10:51 AM CET, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Anil Dongare <adongare@cisco.com> > > Pick patch from [1] also mentioned in [2] > [1] https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970 > [2] https://nvd.nist.gov/vuln/detail/CVE-2026-26269 > > Signed-off-by: Anil Dongare <adongare@cisco.com> > --- > .../vim/files/CVE-2026-26269.patch | 149 ++++++++++++++++++ > meta/recipes-support/vim/vim.inc | 1 + > 2 files changed, 150 insertions(+) > create mode 100644 meta/recipes-support/vim/files/CVE-2026-26269.patch > > diff --git a/meta/recipes-support/vim/files/CVE-2026-26269.patch b/meta/recipes-support/vim/files/CVE-2026-26269.patch > new file mode 100644 > index 0000000000..c1c93782f2 > --- /dev/null > +++ b/meta/recipes-support/vim/files/CVE-2026-26269.patch > @@ -0,0 +1,149 @@ > +From b4fb08c06ee37e38c257d800347b062b78fed141 Mon Sep 17 00:00:00 2001 > +From: Christian Brabandt <cb@256bit.org> > +Date: Fri, 13 Feb 2026 10:27:12 +0100 > +Subject: [PATCH] patch 9.1.2148: [security]: Buffer overflow in netbeans > + interface > + > +Problem: [security]: Buffer overflow in netbeans special_keys() handling > +Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of > + bounds. > + > +Github Advisory: > +https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68 > + > +CVE: CVE-2026-26269 > +Upstream-Status: Backport [https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970] > + > +Backport Changes: > +- Excluded changes to src/version.c and runtime/doc/version9.txt Except version9.txt is still included in the patch. Since you are adding comment to the patch, please make sure they are accurate. Thanks! > + from this backport. This file only tracks upstream version increments. > + We are applying a security fix, not a version upgrade. These changes > + were skipped to maintain current package versioning and avoid merge conflicts. > + > +Signed-off-by: Christian Brabandt <cb@256bit.org> > +(cherry picked from commit c5f312aad8e4179e437f81ad39a860cd0ef11970) > +Signed-off-by: Anil Dongare <adongare@cisco.com> > +--- > + runtime/doc/version9.txt | 5 +++ > + src/netbeans.c | 2 +- > + src/testdir/test_netbeans.py | 4 ++- > + src/testdir/test_netbeans.vim | 57 +++++++++++++++++++++++++++++++++++ > + 4 files changed, 66 insertions(+), 2 deletions(-) > + > +diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt > +index b82071757..b32400f17 100644 > +--- a/runtime/doc/version9.txt > ++++ b/runtime/doc/version9.txt > +@@ -41899,4 +41899,9 @@ features, but does not include runtime file changes (syntax, indent, ftplugin, > + documentation, etc.) > + > + > ++Patch 9.1.2148 > ++Problem: [security]: Buffer overflow in netbeans special_keys() handling > ++Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of > ++ bounds. > ++ > + vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable > +diff --git a/src/netbeans.c b/src/netbeans.c > +index 4f5378512..8a341a20b 100644 > +--- a/src/netbeans.c > ++++ b/src/netbeans.c > +@@ -2302,7 +2302,7 @@ special_keys(char_u *args) > + if ((sep = strchr(tok, '-')) != NULL) > + { > + *sep = NUL; > +- while (*tok) > ++ while (*tok && i + 2 < KEYBUFLEN) > + { > + switch (*tok) > + { > +diff --git a/src/testdir/test_netbeans.py b/src/testdir/test_netbeans.py > +index 0d6b09680..585886fb4 100644 > +--- a/src/testdir/test_netbeans.py > ++++ b/src/testdir/test_netbeans.py > +@@ -112,7 +112,9 @@ class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler): > + 'startAtomic_Test' : '0:startAtomic!94\n', > + 'endAtomic_Test' : '0:endAtomic!95\n', > + 'AnnoScale_Test' : "".join(['2:defineAnnoType!60 ' + str(i) + ' "s' + str(i) + '" "x" "=>" blue none\n' for i in range(2, 26)]), > +- 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n' > ++ 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n', > ++ 'specialKeys_overflow_Test' : '0:specialKeys!200 "' + 'A'*80 + '-X"\n' > ++ > + } > + # execute the specified test > + if cmd not in testmap: > +diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim > +index d3d5e8baf..d1be5066e 100644 > +--- a/src/testdir/test_netbeans.vim > ++++ b/src/testdir/test_netbeans.vim > +@@ -958,6 +958,58 @@ func Nb_bwipe_buffer(port) > + sleep 10m > + endfunc > + > ++func Nb_specialKeys_overflow(port) > ++ call delete("Xnetbeans") > ++ call writefile([], "Xnetbeans") > ++ > ++ " Last line number in the Xnetbeans file. Used to verify the result of the > ++ " communication with the netbeans server > ++ let g:last = 0 > ++ > ++ " Establish the connection with the netbeans server > ++ exe 'nbstart :localhost:' .. a:port .. ':bunny' > ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') > ++ let l = ReadXnetbeans() > ++ call assert_equal(['AUTH bunny', > ++ \ '0:version=0 "2.5"', > ++ \ '0:startupDone=0'], l[-3:]) > ++ let g:last += 3 > ++ > ++ " Open the command buffer to communicate with the server > ++ split Xcmdbuf > ++ let cmdbufnr = bufnr() > ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') > ++ let l = ReadXnetbeans() > ++ call assert_equal('0:fileOpened=0 "Xcmdbuf" T F', > ++ \ substitute(l[-3], '".*/', '"', '')) > ++ call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"', > ++ \ substitute(l[-2], '".*/', '"', '')) > ++ call assert_equal('1:startDocumentListen!16', l[-1]) > ++ let g:last += 3 > ++ > ++ " Keep the command buffer loaded for communication > ++ hide > ++ > ++ sleep 1m > ++ > ++ " Open the command buffer to communicate with the server > ++ split Xcmdbuf > ++ let cmdbufnr = bufnr() > ++ call appendbufline(cmdbufnr, '$', 'specialKeys_overflow_Test') > ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 6)') > ++ call WaitForAssert({-> assert_match('send: 0:specialKeys!200 "A\{80}-X"', > ++ \ ReadXnetbeans()[-1])}) > ++ > ++ " Verify that specialKeys test, still works after the previous junk > ++ call appendbufline(cmdbufnr, '$', 'specialKeys_Test') > ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 1)') > ++ call WaitForAssert({-> assert_match('^send: 0:specialKeys!91 "F12 F13 C-F13"$', > ++ \ ReadXnetbeans()[-1])}) > ++ let g:last += 1 > ++ > ++ sleep 10m > ++endfunc > ++ > + " This test used to reference a buffer after it was freed leading to an ASAN > + " error. > + func Test_nb_bwipe_buffer() > +@@ -967,4 +1019,9 @@ func Test_nb_bwipe_buffer() > + nbclose > + endfunc > + > ++" Verify that the specialKeys argument does not overflow > ++func Test_nb_specialKeys_overflow() > ++ call s:run_server('Nb_specialKeys_overflow') > ++endfunc > ++ > + " vim: shiftwidth=2 sts=2 expandtab > +-- > +2.43.7 > diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc > index 044117a57f..792a46faf7 100644 > --- a/meta/recipes-support/vim/vim.inc > +++ b/meta/recipes-support/vim/vim.inc > @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} > file://0001-src-Makefile-improve-reproducibility.patch \ > file://no-path-adjust.patch \ > file://CVE-2026-25749.patch \ > + file://CVE-2026-26269.patch \ > " > > PV .= ".1683" -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [Whinlatter] [PATCH V2 2/2] vim: Fix CVE-2026-26269 2026-03-11 11:24 ` Yoann Congal @ 2026-03-16 12:35 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-16 13:59 ` [OE-core] [Whinlatter] [PATCH V3] " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-16 12:35 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 347 bytes --] Hi Yoann, Thank you for catching that oversight! My apologies for the mismatch between the backport notes and the actual patch contents. I will correct this right away to ensure the Backport Changes description is completely accurate, and I will send out a V3 patch shortly. Thanks again for the thorough review. Best regards, Anil Dongare [-- Attachment #2: Type: text/html, Size: 416 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* [OE-core] [Whinlatter] [PATCH V3] vim: Fix CVE-2026-26269 2026-03-16 12:35 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-16 13:59 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-19 23:54 ` Yoann Congal 0 siblings, 1 reply; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-16 13:59 UTC (permalink / raw) To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare From: Anil Dongare <adongare@cisco.com> Pick patch from [1] also mentioned in [2] [1] https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-26269 Signed-off-by: Anil Dongare <adongare@cisco.com> --- .../vim/files/CVE-2026-26269.patch | 149 ++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 150 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-26269.patch diff --git a/meta/recipes-support/vim/files/CVE-2026-26269.patch b/meta/recipes-support/vim/files/CVE-2026-26269.patch new file mode 100644 index 0000000000..d0796ef77e --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-26269.patch @@ -0,0 +1,149 @@ +From b4fb08c06ee37e38c257d800347b062b78fed141 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt <cb@256bit.org> +Date: Fri, 13 Feb 2026 10:27:12 +0100 +Subject: [PATCH] patch 9.1.2148: [security]: Buffer overflow in netbeans + interface + +Problem: [security]: Buffer overflow in netbeans special_keys() handling +Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of + bounds. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68 + +CVE: CVE-2026-26269 +Upstream-Status: Backport [https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970] + +Backport Changes: +- Excluded changes to src/version.c from this backport. This file only tracks + upstream version increments. We are applying a security fix, not a version + upgrade. These changes were skipped to maintain current package versioning + and avoid merge conflicts. + +Signed-off-by: Christian Brabandt <cb@256bit.org> +(cherry picked from commit c5f312aad8e4179e437f81ad39a860cd0ef11970) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + runtime/doc/version9.txt | 5 +++ + src/netbeans.c | 2 +- + src/testdir/test_netbeans.py | 4 ++- + src/testdir/test_netbeans.vim | 57 +++++++++++++++++++++++++++++++++++ + 4 files changed, 66 insertions(+), 2 deletions(-) + +diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt +index b82071757..b32400f17 100644 +--- a/runtime/doc/version9.txt ++++ b/runtime/doc/version9.txt +@@ -41899,4 +41899,9 @@ features, but does not include runtime file changes (syntax, indent, ftplugin, + documentation, etc.) + + ++Patch 9.1.2148 ++Problem: [security]: Buffer overflow in netbeans special_keys() handling ++Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of ++ bounds. ++ + vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable +diff --git a/src/netbeans.c b/src/netbeans.c +index 4f5378512..8a341a20b 100644 +--- a/src/netbeans.c ++++ b/src/netbeans.c +@@ -2302,7 +2302,7 @@ special_keys(char_u *args) + if ((sep = strchr(tok, '-')) != NULL) + { + *sep = NUL; +- while (*tok) ++ while (*tok && i + 2 < KEYBUFLEN) + { + switch (*tok) + { +diff --git a/src/testdir/test_netbeans.py b/src/testdir/test_netbeans.py +index 0d6b09680..585886fb4 100644 +--- a/src/testdir/test_netbeans.py ++++ b/src/testdir/test_netbeans.py +@@ -112,7 +112,9 @@ class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler): + 'startAtomic_Test' : '0:startAtomic!94\n', + 'endAtomic_Test' : '0:endAtomic!95\n', + 'AnnoScale_Test' : "".join(['2:defineAnnoType!60 ' + str(i) + ' "s' + str(i) + '" "x" "=>" blue none\n' for i in range(2, 26)]), +- 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n' ++ 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n', ++ 'specialKeys_overflow_Test' : '0:specialKeys!200 "' + 'A'*80 + '-X"\n' ++ + } + # execute the specified test + if cmd not in testmap: +diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim +index d3d5e8baf..d1be5066e 100644 +--- a/src/testdir/test_netbeans.vim ++++ b/src/testdir/test_netbeans.vim +@@ -958,6 +958,58 @@ func Nb_bwipe_buffer(port) + sleep 10m + endfunc + ++func Nb_specialKeys_overflow(port) ++ call delete("Xnetbeans") ++ call writefile([], "Xnetbeans") ++ ++ " Last line number in the Xnetbeans file. Used to verify the result of the ++ " communication with the netbeans server ++ let g:last = 0 ++ ++ " Establish the connection with the netbeans server ++ exe 'nbstart :localhost:' .. a:port .. ':bunny' ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') ++ let l = ReadXnetbeans() ++ call assert_equal(['AUTH bunny', ++ \ '0:version=0 "2.5"', ++ \ '0:startupDone=0'], l[-3:]) ++ let g:last += 3 ++ ++ " Open the command buffer to communicate with the server ++ split Xcmdbuf ++ let cmdbufnr = bufnr() ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') ++ let l = ReadXnetbeans() ++ call assert_equal('0:fileOpened=0 "Xcmdbuf" T F', ++ \ substitute(l[-3], '".*/', '"', '')) ++ call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"', ++ \ substitute(l[-2], '".*/', '"', '')) ++ call assert_equal('1:startDocumentListen!16', l[-1]) ++ let g:last += 3 ++ ++ " Keep the command buffer loaded for communication ++ hide ++ ++ sleep 1m ++ ++ " Open the command buffer to communicate with the server ++ split Xcmdbuf ++ let cmdbufnr = bufnr() ++ call appendbufline(cmdbufnr, '$', 'specialKeys_overflow_Test') ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 6)') ++ call WaitForAssert({-> assert_match('send: 0:specialKeys!200 "A\{80}-X"', ++ \ ReadXnetbeans()[-1])}) ++ ++ " Verify that specialKeys test, still works after the previous junk ++ call appendbufline(cmdbufnr, '$', 'specialKeys_Test') ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 1)') ++ call WaitForAssert({-> assert_match('^send: 0:specialKeys!91 "F12 F13 C-F13"$', ++ \ ReadXnetbeans()[-1])}) ++ let g:last += 1 ++ ++ sleep 10m ++endfunc ++ + " This test used to reference a buffer after it was freed leading to an ASAN + " error. + func Test_nb_bwipe_buffer() +@@ -967,4 +1019,9 @@ func Test_nb_bwipe_buffer() + nbclose + endfunc + ++" Verify that the specialKeys argument does not overflow ++func Test_nb_specialKeys_overflow() ++ call s:run_server('Nb_specialKeys_overflow') ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.43.7 diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 044117a57f..792a46faf7 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ file://CVE-2026-25749.patch \ + file://CVE-2026-26269.patch \ " PV .= ".1683" -- 2.44.1 ^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [OE-core] [Whinlatter] [PATCH V3] vim: Fix CVE-2026-26269 2026-03-16 13:59 ` [OE-core] [Whinlatter] [PATCH V3] " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-19 23:54 ` Yoann Congal 2026-03-30 18:28 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 19+ messages in thread From: Yoann Congal @ 2026-03-19 23:54 UTC (permalink / raw) To: adongare, openembedded-core; +Cc: xe-linux-external, to On Mon Mar 16, 2026 at 2:59 PM CET, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Anil Dongare <adongare@cisco.com> > > Pick patch from [1] also mentioned in [2] > [1] https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970 > [2] https://nvd.nist.gov/vuln/detail/CVE-2026-26269 > > Signed-off-by: Anil Dongare <adongare@cisco.com> > --- > .../vim/files/CVE-2026-26269.patch | 149 ++++++++++++++++++ > meta/recipes-support/vim/vim.inc | 1 + > 2 files changed, 150 insertions(+) > create mode 100644 meta/recipes-support/vim/files/CVE-2026-26269.patch > > diff --git a/meta/recipes-support/vim/files/CVE-2026-26269.patch b/meta/recipes-support/vim/files/CVE-2026-26269.patch > new file mode 100644 > index 0000000000..d0796ef77e > --- /dev/null > +++ b/meta/recipes-support/vim/files/CVE-2026-26269.patch > @@ -0,0 +1,149 @@ > +From b4fb08c06ee37e38c257d800347b062b78fed141 Mon Sep 17 00:00:00 2001 > +From: Christian Brabandt <cb@256bit.org> > +Date: Fri, 13 Feb 2026 10:27:12 +0100 > +Subject: [PATCH] patch 9.1.2148: [security]: Buffer overflow in netbeans > + interface > + > +Problem: [security]: Buffer overflow in netbeans special_keys() handling > +Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of > + bounds. > + > +Github Advisory: > +https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68 > + > +CVE: CVE-2026-26269 > +Upstream-Status: Backport [https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970] > + > +Backport Changes: > +- Excluded changes to src/version.c from this backport. This file only tracks > + upstream version increments. We are applying a security fix, not a version > + upgrade. These changes were skipped to maintain current package versioning > + and avoid merge conflicts. > + > +Signed-off-by: Christian Brabandt <cb@256bit.org> > +(cherry picked from commit c5f312aad8e4179e437f81ad39a860cd0ef11970) > +Signed-off-by: Anil Dongare <adongare@cisco.com> > +--- > + runtime/doc/version9.txt | 5 +++ > + src/netbeans.c | 2 +- > + src/testdir/test_netbeans.py | 4 ++- > + src/testdir/test_netbeans.vim | 57 +++++++++++++++++++++++++++++++++++ > + 4 files changed, 66 insertions(+), 2 deletions(-) > + > +diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt > +index b82071757..b32400f17 100644 > +--- a/runtime/doc/version9.txt > ++++ b/runtime/doc/version9.txt > +@@ -41899,4 +41899,9 @@ features, but does not include runtime file changes (syntax, indent, ftplugin, > + documentation, etc.) > + > + > ++Patch 9.1.2148 > ++Problem: [security]: Buffer overflow in netbeans special_keys() handling > ++Solution: Limit writing to max KEYBUFLEN bytes to prevent writing out of > ++ bounds. > ++ > + vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable > +diff --git a/src/netbeans.c b/src/netbeans.c > +index 4f5378512..8a341a20b 100644 > +--- a/src/netbeans.c > ++++ b/src/netbeans.c > +@@ -2302,7 +2302,7 @@ special_keys(char_u *args) > + if ((sep = strchr(tok, '-')) != NULL) Hello, This patch has a weird format. The context lines starts with tabs and not a single space as usual. While it seems like it passes tests, I'm afraid it will break something down the line and I'd rather not take this like this. Can you please check? Thanks! > + { > + *sep = NUL; > +- while (*tok) > ++ while (*tok && i + 2 < KEYBUFLEN) > + { > + switch (*tok) > + { > +diff --git a/src/testdir/test_netbeans.py b/src/testdir/test_netbeans.py > +index 0d6b09680..585886fb4 100644 > +--- a/src/testdir/test_netbeans.py > ++++ b/src/testdir/test_netbeans.py > +@@ -112,7 +112,9 @@ class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler): > + 'startAtomic_Test' : '0:startAtomic!94\n', > + 'endAtomic_Test' : '0:endAtomic!95\n', > + 'AnnoScale_Test' : "".join(['2:defineAnnoType!60 ' + str(i) + ' "s' + str(i) + '" "x" "=>" blue none\n' for i in range(2, 26)]), > +- 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n' > ++ 'detach_Test' : '2:close!96\n1:close!97\nDETACH\n', > ++ 'specialKeys_overflow_Test' : '0:specialKeys!200 "' + 'A'*80 + '-X"\n' > ++ > + } > + # execute the specified test > + if cmd not in testmap: > +diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim > +index d3d5e8baf..d1be5066e 100644 > +--- a/src/testdir/test_netbeans.vim > ++++ b/src/testdir/test_netbeans.vim > +@@ -958,6 +958,58 @@ func Nb_bwipe_buffer(port) > + sleep 10m > + endfunc > + > ++func Nb_specialKeys_overflow(port) > ++ call delete("Xnetbeans") > ++ call writefile([], "Xnetbeans") > ++ > ++ " Last line number in the Xnetbeans file. Used to verify the result of the > ++ " communication with the netbeans server > ++ let g:last = 0 > ++ > ++ " Establish the connection with the netbeans server > ++ exe 'nbstart :localhost:' .. a:port .. ':bunny' > ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') > ++ let l = ReadXnetbeans() > ++ call assert_equal(['AUTH bunny', > ++ \ '0:version=0 "2.5"', > ++ \ '0:startupDone=0'], l[-3:]) > ++ let g:last += 3 > ++ > ++ " Open the command buffer to communicate with the server > ++ split Xcmdbuf > ++ let cmdbufnr = bufnr() > ++ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') > ++ let l = ReadXnetbeans() > ++ call assert_equal('0:fileOpened=0 "Xcmdbuf" T F', > ++ \ substitute(l[-3], '".*/', '"', '')) > ++ call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"', > ++ \ substitute(l[-2], '".*/', '"', '')) > ++ call assert_equal('1:startDocumentListen!16', l[-1]) > ++ let g:last += 3 > ++ > ++ " Keep the command buffer loaded for communication > ++ hide > ++ > ++ sleep 1m > ++ > ++ " Open the command buffer to communicate with the server > ++ split Xcmdbuf > ++ let cmdbufnr = bufnr() > ++ call appendbufline(cmdbufnr, '$', 'specialKeys_overflow_Test') > ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 6)') > ++ call WaitForAssert({-> assert_match('send: 0:specialKeys!200 "A\{80}-X"', > ++ \ ReadXnetbeans()[-1])}) > ++ > ++ " Verify that specialKeys test, still works after the previous junk > ++ call appendbufline(cmdbufnr, '$', 'specialKeys_Test') > ++ call WaitFor('len(ReadXnetbeans()) >= (g:last + 1)') > ++ call WaitForAssert({-> assert_match('^send: 0:specialKeys!91 "F12 F13 C-F13"$', > ++ \ ReadXnetbeans()[-1])}) > ++ let g:last += 1 > ++ > ++ sleep 10m > ++endfunc > ++ > + " This test used to reference a buffer after it was freed leading to an ASAN > + " error. > + func Test_nb_bwipe_buffer() > +@@ -967,4 +1019,9 @@ func Test_nb_bwipe_buffer() > + nbclose > + endfunc > + > ++" Verify that the specialKeys argument does not overflow > ++func Test_nb_specialKeys_overflow() > ++ call s:run_server('Nb_specialKeys_overflow') > ++endfunc > ++ > + " vim: shiftwidth=2 sts=2 expandtab > +-- > +2.43.7 > diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc > index 044117a57f..792a46faf7 100644 > --- a/meta/recipes-support/vim/vim.inc > +++ b/meta/recipes-support/vim/vim.inc > @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} > file://0001-src-Makefile-improve-reproducibility.patch \ > file://no-path-adjust.patch \ > file://CVE-2026-25749.patch \ > + file://CVE-2026-26269.patch \ > " > > PV .= ".1683" -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [Whinlatter] [PATCH V3] vim: Fix CVE-2026-26269 2026-03-19 23:54 ` Yoann Congal @ 2026-03-30 18:28 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-30 20:54 ` [OE-core] " Yoann Congal 0 siblings, 1 reply; 19+ messages in thread From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-30 18:28 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 556 bytes --] Hi Yoann, Thanks again for the review. Similar to the previous patch, I have verified the code and confirmed that the format matches the upstream repository exactly. The context lines starting with tabs in this patch reflect the original indentation used in the upstream src/netbeans.c source file for that specific block. I kept the tabs identical to the upstream commit to prevent any whitespace mismatch or indentation errors when applying the patch. Please let me know if you would still prefer me to convert these to spaces! Thanks, Anil [-- Attachment #2: Type: text/html, Size: 780 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [OE-core] [Whinlatter] [PATCH V3] vim: Fix CVE-2026-26269 2026-03-30 18:28 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-03-30 20:54 ` Yoann Congal 0 siblings, 0 replies; 19+ messages in thread From: Yoann Congal @ 2026-03-30 20:54 UTC (permalink / raw) To: adongare, openembedded-core On Mon Mar 30, 2026 at 8:28 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > Hi Yoann, > > Thanks again for the review. Similar to the previous patch, I have verified the code and confirmed that the format matches the upstream repository exactly. > > The context lines starting with tabs in this patch reflect the original indentation used in the upstream src/netbeans.c source file for that specific block. I kept the tabs identical to the upstream commit to prevent any whitespace mismatch or indentation errors when applying the patch. > > Please let me know if you would still prefer me to convert these to spaces! > > Thanks, Anil I answered about the format there: https://lists.openembedded.org/g/openembedded-core/message/234256 This is the same issue here. Regards, -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2026-03-31 11:18 UTC | newest] Thread overview: 19+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-03-09 7:02 [OE-core] [Whinlatter] [PATCH 1/2] vim v9.1.1683: Fix CVE-2026-25749 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-09 7:02 ` [OE-core] [Whinlatter] [PATCH 2/2] vim v9.1.1683: Fix CVE-2026-26269 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-10 23:56 ` [OE-core] [Whinlatter] [PATCH 1/2] vim v9.1.1683: Fix CVE-2026-25749 Yoann Congal 2026-03-11 9:13 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 9:45 ` [OE-core] [scarthgap] [PATCH V2 1/2] vim: " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 9:45 ` [OE-core] [scarthgap] [PATCH V2 2/2] vim: Fix CVE-2026-26269 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-19 23:52 ` [OE-core] [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749 Yoann Congal 2026-03-30 18:21 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-30 20:52 ` [OE-core] " Yoann Congal 2026-03-31 8:54 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-31 11:18 ` [OE-core] " Yoann Congal 2026-03-11 9:51 ` [OE-core] [Whinlatter] " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 9:51 ` [OE-core] [Whinlatter] [PATCH V2 2/2] vim: Fix CVE-2026-26269 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-11 11:24 ` Yoann Congal 2026-03-16 12:35 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-16 13:59 ` [OE-core] [Whinlatter] [PATCH V3] " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-19 23:54 ` Yoann Congal 2026-03-30 18:28 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-03-30 20:54 ` [OE-core] " Yoann Congal
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox