From b7f713e6a66c696a2373029fe3529c27a167b1a6 Mon Sep 17 00:00:00 2001
From: deepin-ci-robot <packages@deepin.org>
Date: Thu, 4 Jun 2026 17:12:29 +0800
Subject: [PATCH 1/2] fix(vim): CVE-2026-46483

Fix command injection in tar.vim Vimuntar function by adding
proper shell escaping (shellescape second argument 1).

Upstream: https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 (v9.2.0479)
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>
---
 debian/changelog                              |  7 ++-
 ...CVE-2026-46483-tar-command-injection.patch | 55 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 debian/patches/CVE-2026-46483-tar-command-injection.patch

diff --git a/debian/changelog b/debian/changelog
index 4efc4aeb..0f49938c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,9 @@
-vim (2:9.2.0461-1deepin1) unstable; urgency=medium
+vim (2:9.2.0461-1deepin2) UNRELEASED; urgency=medium
 
-  * Set-NoDisplay-true-for-vim-desktop.patch
+  * Fix CVE-2026-46483: Command injection in tar.vim Vimuntar function
+    - Properly escape shell arguments for external command context
 
- -- Tianyu Chen <sweetyfish@deepin.org>  Thu, 14 May 2026 11:50:36 +0800
+ -- deepin-ci-robot <packages@deepin.org>  Thu, 04 Jun 2026 17:08:00 +0800
 
 vim (2:9.2.0461-1) unstable; urgency=medium
 
diff --git a/debian/patches/CVE-2026-46483-tar-command-injection.patch b/debian/patches/CVE-2026-46483-tar-command-injection.patch
new file mode 100644
index 00000000..0232d3e7
--- /dev/null
+++ b/debian/patches/CVE-2026-46483-tar-command-injection.patch
@@ -0,0 +1,55 @@
+Index: vim/runtime/autoload/tar.vim
+===================================================================
+--- vim.orig/runtime/autoload/tar.vim
++++ vim/runtime/autoload/tar.vim
+@@ -832,9 +832,9 @@ fun! tar#Vimuntar(...)
+   " if necessary, decompress the tarball; then, extract it
+   if tartail =~ '\.tgz'
+    if executable("gunzip")
+-    silent exe "!gunzip ".shellescape(tartail)
++    silent exe "!gunzip ".shellescape(tartail, 1)
+    elseif executable("gzip")
+-    silent exe "!gzip -d ".shellescape(tartail)
++    silent exe "!gzip -d ".shellescape(tartail, 1)
+    else
+     echoerr "unable to decompress<".tartail."> on this system"
+     if simplify(curdir) != simplify(tarhome)
+Index: vim/src/testdir/test_plugin_tar.vim
+===================================================================
+--- vim.orig/src/testdir/test_plugin_tar.vim
++++ vim/src/testdir/test_plugin_tar.vim
+@@ -318,3 +318,22 @@ def g:Test_extract_with_dotted_filename(
+   delete('X.txt')
+   bw!
+ enddef
++
++def g:Test_extract_command_injection()
++  CheckExecutable gunzip
++  CheckExecutable touch
++  var tgz = eval('0z1F8B08087795056A000364756D6D792E74617200EDCE2B12C2300004D01C254' ..
++	'7480269CE534080A8495BD1DBF3996106C3A08A7ACFACD8157B59A7690BFB4A0FC3707C666E357D' ..
++	'E65BC8B5A47CC8A5D61A522EA5B510D3CEBF5ED679197B8CE17CEDB7F9D4C76FBB5F3D000000000' ..
++	'000000000FCD11D32415E2C00280000')
++  var dirname = tempname()
++
++  mkdir(dirname, 'R')
++  var tar = dirname .. "/';%$(touch pwned)'.tgz"
++  writefile(tgz, tar)
++  new
++  exe "e " .. fnameescape(tar)
++  exe ":Vimuntar " .. dirname
++  assert_false(filereadable(dirname .. "/pwned"))
++  bw!
++enddef
+Index: vim/src/version.c
+===================================================================
+--- vim.orig/src/version.c
++++ vim/src/version.c
+@@ -730,6 +730,7 @@ static char *(features[]) =
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+ /**/
++    479,
+     461,
+ /**/
+     460,
diff --git a/debian/patches/series b/debian/patches/series
index 0cce39e1..93002931 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
 debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
 debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
 Set-NoDisplay-true-for-vim-desktop.patch
+CVE-2026-46483-tar-command-injection.patch

From 55da0d81bba1b591fa15412bffe7382c11f51695 Mon Sep 17 00:00:00 2001
From: deepin-ci-robot <packages@deepin.org>
Date: Thu, 4 Jun 2026 17:12:55 +0800
Subject: [PATCH 2/2] fix(vim): CVE-2026-43961

Fix code injection in netrw filter() calls by replacing string-based
filter expressions with lambda syntax to prevent injection of arbitrary
Vim commands through crafted filenames.

Also documents already-fixed CVEs: CVE-2026-41411, CVE-2026-42307, CVE-2026-44656.

Upstream: https://github.com/vim/vim/commit/8af0f098c3a42a28661d0295364e6e0fd7dbc92c (v9.2.0480)
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>
---
 debian/changelog                              |  6 ++
 ...VE-2026-43961-netrw-filter-injection.patch | 68 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 75 insertions(+)
 create mode 100644 debian/patches/CVE-2026-43961-netrw-filter-injection.patch

diff --git a/debian/changelog b/debian/changelog
index 0f49938c..e8334980 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,12 @@ vim (2:9.2.0461-1deepin2) UNRELEASED; urgency=medium
 
   * Fix CVE-2026-46483: Command injection in tar.vim Vimuntar function
     - Properly escape shell arguments for external command context
+  * Fix CVE-2026-43961: Code injection in netrw filter() calls
+    - Replace string-based filter expressions with lambda syntax to
+      prevent injection of arbitrary Vim commands through crafted filenames
+  * CVE-2026-41411: Already fixed in current version (upstream 9.2.0357)
+  * CVE-2026-42307: Already fixed in current version (upstream 9.2.0383)
+  * CVE-2026-44656: Already fixed in current version (upstream 9.2.0435)
 
  -- deepin-ci-robot <packages@deepin.org>  Thu, 04 Jun 2026 17:08:00 +0800
 
diff --git a/debian/patches/CVE-2026-43961-netrw-filter-injection.patch b/debian/patches/CVE-2026-43961-netrw-filter-injection.patch
new file mode 100644
index 00000000..2231eea0
--- /dev/null
+++ b/debian/patches/CVE-2026-43961-netrw-filter-injection.patch
@@ -0,0 +1,68 @@
+Index: vim/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+===================================================================
+--- vim.orig/runtime/pack/dist/opt/netrw/autoload/netrw.vim
++++ vim/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+@@ -5153,7 +5153,7 @@ function s:NetrwMarkFile(islocal,fname)
+ 
+         else
+             " remove filename from buffer's markfilelist
+-            call filter(s:netrwmarkfilelist_{curbufnr},'v:val != a:fname')
++            call filter(s:netrwmarkfilelist_{curbufnr}, {_, v -> v !=# a:fname})
+             if s:netrwmarkfilelist_{curbufnr} == []
+                 " local markfilelist is empty; remove it entirely
+                 call s:NetrwUnmarkList(curbufnr,curdir)
+@@ -5194,7 +5194,7 @@ function s:NetrwMarkFile(islocal,fname)
+             call add(s:netrwmarkfilelist,netrw#fs#ComposePath(b:netrw_curdir,a:fname))
+         else
+             " remove new filename from global markfilelist
+-            call filter(s:netrwmarkfilelist,'v:val != "'.dname.'"')
++            call filter(s:netrwmarkfilelist, {_, v -> v !=# dname})
+             if s:netrwmarkfilelist == []
+                 unlet s:netrwmarkfilelist
+             endif
+@@ -7217,7 +7217,7 @@ function s:NetrwTreeDisplay(dir,depth)
+         " hide given patterns
+         let listhide= split(g:netrw_list_hide,',')
+         for pat in listhide
+-            call filter(w:netrw_treedict[dir],'v:val !~ "'.escape(pat,'\\').'"')
++            call filter(w:netrw_treedict[dir], {_, v -> v !~# pat})
+         endfor
+ 
+     elseif g:netrw_hide == 2
+Index: vim/src/testdir/test_plugin_netrw.vim
+===================================================================
+--- vim.orig/src/testdir/test_plugin_netrw.vim
++++ vim/src/testdir/test_plugin_netrw.vim
+@@ -676,4 +676,19 @@ func Test_netrw_unmark_all()
+   call Test_NetrwUnMarkFile()
+ endfunc
+ 
++func Test_netrw_mf_command_injection()
++  CheckUnix
++  CheckExecutable touch
++  let path = tempname()
++  let fname = 'x" . execute("silent! !touch poc") . "'
++  call mkdir(path, 'R')
++  exe "cd " path
++  call writefile([], fname)
++  Explore .
++  call search('^x')
++  :norm mf
++  :norm mf
++  call assert_false(filereadable('poc'), 'Command injection via mf command')
++endfunc
++
+ " vim:ts=8 sts=2 sw=2 et
+Index: vim/src/version.c
+===================================================================
+--- vim.orig/src/version.c
++++ vim/src/version.c
+@@ -730,6 +730,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+ /**/
++    480,
++/**/
+     479,
+     461,
+ /**/
diff --git a/debian/patches/series b/debian/patches/series
index 93002931..afec3cd4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
 debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
 Set-NoDisplay-true-for-vim-desktop.patch
 CVE-2026-46483-tar-command-injection.patch
+CVE-2026-43961-netrw-filter-injection.patch