Skip to content

vim: Fix CVE-2026-39881, CVE-2026-35177, CVE-2026-34982#18

Closed
deepin-ci-robot wants to merge 1 commit into
masterfrom
fix/cve-batch-2026-0415
Closed

vim: Fix CVE-2026-39881, CVE-2026-35177, CVE-2026-34982#18
deepin-ci-robot wants to merge 1 commit into
masterfrom
fix/cve-batch-2026-0415

Conversation

@deepin-ci-robot

@deepin-ci-robot deepin-ci-robot commented Apr 15, 2026

Copy link
Copy Markdown
Contributor

Security Update

This PR fixes 3 security vulnerabilities in vim:

CVE-2026-39881

  • Issue: Command injection in netbeans interface
  • Fixed in: v9.2.0316
  • Advisory: GHSA-mr87-rhgv-7pw6

CVE-2026-35177

  • Issue: Path traversal bypass in zip.vim plugin
  • Fixed in: v9.2.0280
  • Advisory: GHSA-jc86-w7vm-8p24

CVE-2026-34982

  • Issue: Modeline sandbox bypass (already fixed in master)
  • Fixed in: v9.2.0276
  • Advisory: GHSA-8h6p-m6gr-mpw9

Changes

  • Added patch for CVE-2026-39881 (netbeans command injection)
  • Added patch for CVE-2026-35177 (zip.vim path traversal)
  • Updated debian/changelog with security fixes

Testing

  • Build verification recommended
  • All patches apply cleanly with quilt

Upstream References

@deepin-ci-robot @hudeng-go
vim: Fix CVE-2026-39881 and CVE-2026-35177
0a4aaaa 
- patch 9.2.0316: [security]: command injection in netbeans interface
  Fixes: CVE-2026-39881 (GHSA-mr87-rhgv-7pw6)
- patch 9.2.0280: [security]: path traversal issue in zip.vim
  Fixes: CVE-2026-35177 (GHSA-jc86-w7vm-8p24)

Upstream: vim/vim@7ab76a8
Upstream: vim/vim@7088926
@deepin-ci-robot

deepin-ci-robot commented Apr 15, 2026

Copy link
Copy Markdown
Contributor Author

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign zeno-sole for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepin-ci-robot

deepin-ci-robot commented Apr 15, 2026

Copy link
Copy Markdown
Contributor Author

/hold
因为该quilt包的上游版本号变更,详情见: deepin-community/infra-settings#134

@github-actions

github-actions Bot commented Apr 15, 2026

Copy link
Copy Markdown

TAG Bot

TAG: 2%9.2.0218-1deepin4
EXISTED: no
DISTRIBUTION: unstable

UTsweetyfish
UTsweetyfish requested changes Apr 17, 2026
View reviewed changes

@UTsweetyfish UTsweetyfish left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

d/changelog +9 -7,778 is not acceptable.

@hudeng-go hudeng-go closed this May 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@UTsweetyfish UTsweetyfish UTsweetyfish requested changes

@justforlxz justforlxz Awaiting requested review from justforlxz

@myml myml Awaiting requested review from myml

Assignees

No one assigned

Labels

do-not-merge/hold generated-by-ai

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@deepin-ci-robot @UTsweetyfish @hudeng-go