diff --git a/meta/recipes-support/vim/files/CVE-2026-28418.patch b/meta/recipes-support/vim/files/CVE-2026-28418.patch new file mode 100644 index 0000000000..3a80ba77f7 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-28418.patch @@ -0,0 +1,78 @@ +From f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Mon, 23 Feb 2026 18:30:11 +0000 +Subject: [PATCH] patch 9.2.0074: [security]: Crash with overlong emacs tag + file + +Problem: Crash with overlong emacs tag file, because of an OOB buffer + read (ehdgks0627, un3xploitable) +Solution: Check for end of buffer and return early. + +Github Advisory: +https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j + +Signed-off-by: Christian Brabandt + +CVE: CVE-2026-28418 +Upstream-Status: Backport [https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d] +Signed-off-by: Hitendra Prajapati +--- + src/tag.c | 3 +++ + src/testdir/test_taglist.vim | 15 +++++++++++++++ + src/version.c | 2 ++ + 3 files changed, 20 insertions(+) + +diff --git a/src/tag.c b/src/tag.c +index a32bbb2459..45af67f20d 100644 +--- a/src/tag.c ++++ b/src/tag.c +@@ -1902,6 +1902,9 @@ emacs_tags_new_filename(findtags_state_T *st) + + for (p = st->ebuf; *p && *p != ','; p++) + ; ++ // invalid ++ if (*p == NUL) ++ return; + *p = NUL; + + // check for an included tags file. +diff --git a/src/testdir/test_taglist.vim b/src/testdir/test_taglist.vim +index 5a946042be..506e64f7ae 100644 +--- a/src/testdir/test_taglist.vim ++++ b/src/testdir/test_taglist.vim +@@ -301,4 +301,19 @@ func Test_tag_complete_with_overlong_line() + set tags& + endfunc + ++" This used to crash Vim ++func Test_evil_emacs_tagfile() ++ CheckFeature emacs_tags ++ let longline = repeat('a', 515) ++ call writefile([ ++ \ "\x0c", ++ \ longline ++ \ ], 'Xtags', 'D') ++ set tags=Xtags ++ ++ call assert_fails(':tag a', 'E426:') ++ ++ set tags& ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +diff --git a/src/version.c b/src/version.c +index 712a3e637c..7d265ab641 100644 +--- a/src/version.c ++++ b/src/version.c +@@ -724,6 +724,8 @@ static char *(features[]) = + + static int included_patches[] = + { /* Add new patch number below this line */ ++/**/ ++ 1685, + /**/ + 1684, + /**/ +-- +2.50.1 + diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 4553c69c55..37534c696b 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,6 +19,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://CVE-2026-25749.patch \ file://CVE-2026-26269.patch \ file://CVE-2026-33412.patch \ + file://CVE-2026-28418.patch \ " PV .= ".1683"