mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-08 05:09:24 +00:00
Code Issues Projects Releases Wiki Activity

vim: Fix CVE-2026-28418

Browse Source 
Pick patch from [1] also mentioned in [2]

[1] https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28418

(From OE-Core rev: 8cadabb525aa1ea57aa0316240ac8f9ec09161d9)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Hitendra Prajapati
2026-04-08 17:01:19 +05:30
committed by Paul Barker
parent 0f1a5cc7a1
commit c1c8289d56
2 changed files with 79 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-support/vim/files/CVE-2026-28418.patch
+78
View File
@@ -0,0 +1,78 @@
From f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Mon, 23 Feb 2026 18:30:11 +0000
Subject: [PATCH] patch 9.2.0074: [security]: Crash with overlong emacs tag
file
Problem: Crash with overlong emacs tag file, because of an OOB buffer
read (ehdgks0627, un3xploitable)
Solution: Check for end of buffer and return early.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j
Signed-off-by: Christian Brabandt <cb@256bit.org>
CVE: CVE-2026-28418
Upstream-Status: Backport [https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/tag.c | 3 +++
src/testdir/test_taglist.vim | 15 +++++++++++++++
src/version.c | 2 ++
3 files changed, 20 insertions(+)
diff --git a/src/tag.c b/src/tag.c
index a32bbb2459..45af67f20d 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -1902,6 +1902,9 @@ emacs_tags_new_filename(findtags_state_T *st)
for (p = st->ebuf; *p && *p != ','; p++)
;
+ // invalid
+ if (*p == NUL)
+ return;
*p = NUL;
// check for an included tags file.
diff --git a/src/testdir/test_taglist.vim b/src/testdir/test_taglist.vim
index 5a946042be..506e64f7ae 100644
--- a/src/testdir/test_taglist.vim
+++ b/src/testdir/test_taglist.vim
@@ -301,4 +301,19 @@ func Test_tag_complete_with_overlong_line()
set tags&
endfunc
+" This used to crash Vim
+func Test_evil_emacs_tagfile()
+ CheckFeature emacs_tags
+ let longline = repeat('a', 515)
+ call writefile([
+ \ "\x0c",
+ \ longline
+ \ ], 'Xtags', 'D')
+ set tags=Xtags
+
+ call assert_fails(':tag a', 'E426:')
+
+ set tags&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 712a3e637c..7d265ab641 100644
--- a/src/version.c
+++ b/src/version.c
@@ -724,6 +724,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1685,
/**/
1684,
/**/
--
2.50.1
meta/recipes-support/vim/vim.inc
+1
View File
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://CVE-2026-33412.patch \
file://CVE-2026-25749.patch \
file://CVE-2026-26269.patch \
file://CVE-2026-28418.patch \
"
PV .= ".1683"