
fix(vim): batch fix CVEs for 2026-06#24

Open
hudeng-go wants to merge 8 commits into master from fix/cve-batch-2026-0611

Conversation

@hudeng-go


Security fixes for vim package

This PR fixes multiple CVEs and security issues found in vim.

CVE Fixes (one commit per CVE)

  1. CVE-2026-47162: Code injection in netrw NetrwBookHistSave function (v9.2.0495)
  2. CVE-2026-47167: Code injection in cucumber filetype plugin (v9.2.0496)
  3. CVE-2026-52858: Possible code execution with python3complete (v9.2.0561)
  4. CVE-2026-52860: Possible code execution with python complete (v9.2.0597)

Additional Security Patches

  1. 9.2.0513: Memory safety issues in spellfile.c (recursion limit, length check)
  2. 9.2.0565: Out-of-bounds read in update_snapshot() (terminal emulator)
  3. shellescape: Fix shellescape() calls in getscript/vimball/rust plugins
  4. ccfilter: Fix unbounded strcat/strcpy in ccfilter.c

All patches are created as quilt patches with fuzz=0 and follow the Debian packaging format.
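Added example, in C, of the bounded string-building pattern the ccfilter item above describes (a `strcpy()`/`strcat()` sequence replaced by length-bounded formatting). This is illustration code written for this page, not vim's `ccfilter.c` and not part of the PR: `LINELENGTH` is reused as the constant name but its value here (64) is constructed so truncation is easy to trigger, and `bounded_append` / `format_diag` are hypothetical helper names. The caveat it demonstrates is that `snprintf()` bounds only a single call; when a line is assembled in several steps, the cumulative offset must be clamped whenever a step truncates, because `snprintf()` returns the length that would have been written, not the length actually stored.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed value: small so truncation is easy to exercise.
 * The name is borrowed from ccfilter.c; the value is not. */
#define LINELENGTH 64

/* Hypothetical helper: append formatted text at *pos inside a buffer of
 * capacity cap.  Never writes past the buffer and always leaves it
 * NUL-terminated.  Returns 1 if the text fit, 0 if it was truncated.
 * On truncation *pos is clamped to cap - 1 so a later append cannot start
 * beyond the buffer: vsnprintf() returns the length that *would* have been
 * written, so using that return value unclamped as the next offset is a
 * common bug in "snprintf-hardened" code. */
static int bounded_append(char *buf, size_t cap, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (cap == 0)
        return 0;
    if (*pos >= cap)
        *pos = cap - 1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, cap - *pos, fmt, ap);
    va_end(ap);
    if (n < 0) {
        buf[*pos] = '\0';
        return 0;
    }
    if ((size_t)n >= cap - *pos) {
        *pos = cap - 1;   /* output was cut; buf[cap - 1] is '\0' */
        return 0;
    }
    *pos += (size_t)n;
    return 1;
}

/* Build a quickfix-style "file:line:col: message" line in the same three
 * steps a strcpy()/strcat() sequence would use, but bounded.  Returns 1 when
 * the whole line fit, 0 when any part was truncated. */
int format_diag(char *out, size_t cap, const char *file, long line, long col,
                const char *msg)
{
    size_t pos = 0;
    int ok = 1;

    ok &= bounded_append(out, cap, &pos, "%s", file);
    ok &= bounded_append(out, cap, &pos, ":%ld:%ld: ", line, col);
    ok &= bounded_append(out, cap, &pos, "%s", msg);
    return ok;
}

int main(void)
{
    char line[LINELENGTH];
    char longmsg[300];   /* constructed: a diagnostic far longer than the buffer */

    memset(longmsg, 'A', sizeof longmsg - 1);
    longmsg[sizeof longmsg - 1] = '\0';

    format_diag(line, sizeof line, "main.c", 12, 3, "unused variable 'x'");
    printf("%s\n", line);
    if (!format_diag(line, sizeof line, "main.c", 12, 3, longmsg))
        printf("truncated to %zu bytes: %s\n", strlen(line), line);
    return 0;
}
```

The return value matters: a caller that silently drops the tail of a diagnostic is safe from overflow but may lose the part of the message that identifies the error, so callers should at least log or mark truncation rather than treat a 0 result as success.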

deepin-ci-robot and others added 8 commits June 11, 2026 22:41
Fix code injection in netrw NetrwBookHistSave function by replacing
string-based concatenation with proper string() quoting to prevent
injection of arbitrary Vim commands through crafted directory names.

Upstream: vim/vim@f08ab2f (v9.2.0495)
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>

Fix code injection in cucumber filetype plugin by using Ruby's
Regexp.new() with the untrusted pattern instead of evaluating
arbitrary Ruby expressions from crafted feature files.

Upstream: vim/vim@a65a52d (v9.2.0496)
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>

Fix memory safety issues in spellfile.c by adding recursion limits,
length checks, and proper memory allocation to prevent stack overflow
and other memory safety issues.

Upstream: vim/vim@25e4e46 (v9.2.0513)
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>

Fix possible code execution with python3complete by disabling
execution of import/from statements that could be injected through
crafted Python files.

Upstream: vim/vim@4b85045 (v9.2.0561)
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>

Fix possible code execution with python complete by stripping default
expressions and annotations from generated source for pythoncomplete
and python3complete to prevent injection of arbitrary code.

Upstream: vim/vim@c8c6367 (v9.2.0597)
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>

Fix out-of-bounds read in update_snapshot() when a terminal cell fills
all VTERM_MAX_CHARS_PER_CELL slots by bounding the loop with
i < VTERM_MAX_CHARS_PER_CELL.

Upstream: vim/vim@63680c6 (v9.2.0565)
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>

Fix shellescape() calls in getscript, vimball and rust plugins by
passing 1 as second argument for :! command context to prevent
potential command injection through crafted filenames.

Upstream: vim/vim@1294861
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>

Fix buffer overflow in ccfilter.c by replacing unbounded strcat()/
strcpy() calls with snprintf() bounded by LINELENGTH to prevent
overflow from very long diagnostic output.

Upstream: vim/vim@403ba30
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>
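Added example, in C, of the bound described in the update_snapshot() commit message above: a fixed array of codepoints that is 0-terminated only while it still has spare slots, so a loop that stops only on a 0 walks off the end of the array once every slot is filled. This is a constructed stand-in written for this page, not vim's terminal.c or libvterm code and not part of the PR: the `cell_t` type and the `cell_nchars` / `cell_copy_chars` / `make_cell` helpers are hypothetical, `VTERM_MAX_CHARS_PER_CELL` is reused as the constant name with an assumed value of 6, and the unbounded loop shown in the comment is the shape the commit message implies, not a quote of the original code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant name borrowed from libvterm; the value 6 is an assumption. */
#define VTERM_MAX_CHARS_PER_CELL 6

/* Hypothetical stand-in for a screen cell: a base character plus combining
 * characters.  Unused slots are 0, so the array is 0-terminated *only when
 * it is not full*.  Whatever follows it in memory (here: width) is what an
 * unbounded scan reads as a seventh "character". */
typedef struct {
    uint32_t chars[VTERM_MAX_CHARS_PER_CELL];
    int width;
} cell_t;

/* Count the codepoints in a cell.
 *
 * The unbounded shape implied by the commit message stops only on a 0:
 *
 *     for (i = 0; c->chars[i] != 0; ++i)    // no bound: reads chars[6] when full
 *
 * With all six slots occupied there is no 0 to stop on.  The fix tests the
 * index *before* the element it guards is read, so the && order matters. */
size_t cell_nchars(const cell_t *c)
{
    size_t i;

    for (i = 0; i < VTERM_MAX_CHARS_PER_CELL && c->chars[i] != 0; ++i)
        ;
    return i;
}

/* Copy the cell's codepoints into out, bounded both by the cell limit and by
 * the destination capacity.  Returns the number copied. */
size_t cell_copy_chars(const cell_t *c, uint32_t *out, size_t outcap)
{
    size_t n = cell_nchars(c);

    if (n > outcap)
        n = outcap;
    memcpy(out, c->chars, n * sizeof out[0]);
    return n;
}

/* Build a cell from up to VTERM_MAX_CHARS_PER_CELL codepoints (constructed input). */
cell_t make_cell(const uint32_t *cps, size_t n)
{
    cell_t c;

    memset(&c, 0, sizeof c);
    if (n > VTERM_MAX_CHARS_PER_CELL)
        n = VTERM_MAX_CHARS_PER_CELL;
    memcpy(c.chars, cps, n * sizeof cps[0]);
    c.width = 1;
    return c;
}

int main(void)
{
    /* 'e' + five combining marks: every slot used, no terminating 0. */
    const uint32_t full[] = { 0x65, 0x301, 0x302, 0x303, 0x304, 0x305 };
    const uint32_t part[] = { 0x65, 0x301 };
    cell_t a = make_cell(full, 6);
    cell_t b = make_cell(part, 2);

    printf("full cell: %zu chars, partial cell: %zu chars\n",
           cell_nchars(&a), cell_nchars(&b));
    return 0;
}
```

The same two-condition bound applies anywhere a sentinel-terminated fixed array can legitimately be completely full; a terminal is a good place to look for the pattern because an attacker controls the escape sequences and combining characters that fill those slots.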
@hudeng-go hudeng-go added generated-by-ai cve CVE-related issues or PRs labels Jun 11, 2026
@github-actions


TAG Bot

TAG: 2%9.2.0461-1deepin2
EXISTED: no
DISTRIBUTION: unstable

@deepin-ci-robot deepin-ci-robot requested review from BLumia and myml June 11, 2026 14:49
@deepin-ci-robot


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from hudeng-go. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepin-ci-robot


/hold
Because the upstream version number of this quilt package has changed; for details see: deepin-community/infra-settings#134
