mirror of
https://git.yoctoproject.org/poky
synced 2026-04-13 14:02:21 +02:00
vim: Fix CVE-2026-25749
Pick patch from [1] also mentioned in [2]
[1] 0714b15940
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-25749
(From OE-Core rev: ee5c47fdfed865ef7ddc18054cb6cebdb7b0e4cb)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Hitendra Prajapati
committed by
Paul Barker
Paul Barker
parent
5071393867
commit
7e09c83dd8
64
meta/recipes-support/vim/files/CVE-2026-25749.patch
Normal file
64
meta/recipes-support/vim/files/CVE-2026-25749.patch
Normal file
@@ -0,0 +1,64 @@
|
||||
From e0065a61a42bdff9c75aa18104f8ff546938395f Mon Sep 17 00:00:00 2001
|
||||
From: Christian Brabandt <cb@256bit.org>
|
||||
Date: Thu, 5 Feb 2026 18:51:54 +0000
|
||||
Subject: [PATCH] patch 9.1.2132: [security]: buffer-overflow in 'helpfile'
|
||||
option handling
|
||||
|
||||
Problem: [security]: buffer-overflow in 'helpfile' option handling by
|
||||
using strcpy without bound checks (Rahul Hoysala)
|
||||
Solution: Limit strncpy to the length of the buffer (MAXPATHL)
|
||||
|
||||
Github Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43
|
||||
|
||||
CVE: CVE-2026-25749
|
||||
Upstream-Status: Backport [https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9]
|
||||
|
||||
Backport Changes:
|
||||
- Excluded changes to src/version.c and runtime/doc/version9.txt
|
||||
from this backport. This file only tracks upstream version increments.
|
||||
We are applying a security fix, not a version upgrade. These changes
|
||||
were skipped to maintain current package versioning and avoid merge conflicts.
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
(cherry picked from commit 0714b15940b245108e6e9d7aa2260dd849a26fa9)
|
||||
Signed-off-by: Anil Dongare <adongare@cisco.com>
|
||||
---
|
||||
src/tag.c | 2 +-
|
||||
src/testdir/test_help.vim | 9 +++++++++
|
||||
2 files changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tag.c b/src/tag.c
|
||||
index 6912e8743..a32bbb245 100644
|
||||
--- a/src/tag.c
|
||||
+++ b/src/tag.c
|
||||
@@ -3348,7 +3348,7 @@ get_tagfname(
|
||||
if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
|
||||
return FAIL;
|
||||
++tnp->tn_hf_idx;
|
||||
- STRCPY(buf, p_hf);
|
||||
+ vim_strncpy(buf, p_hf, MAXPATHL - 1);
|
||||
STRCPY(gettail(buf), "tags");
|
||||
#ifdef BACKSLASH_IN_FILENAME
|
||||
slash_adjust(buf);
|
||||
diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
|
||||
index dac153d86..f9e4686bb 100644
|
||||
--- a/src/testdir/test_help.vim
|
||||
+++ b/src/testdir/test_help.vim
|
||||
@@ -222,4 +222,13 @@ func Test_helptag_navigation()
|
||||
endfunc
|
||||
|
||||
|
||||
+" This caused a buffer overflow
|
||||
+func Test_helpfile_overflow()
|
||||
+ let _helpfile = &helpfile
|
||||
+ let &helpfile = repeat('A', 5000)
|
||||
+ help
|
||||
+ helpclose
|
||||
+ let &helpfile = _helpfile
|
||||
+endfunc
|
||||
+
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
||||
--
|
||||
2.43.7
|
||||
|
||||
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
|
||||
file://0001-src-Makefile-improve-reproducibility.patch \
|
||||
file://no-path-adjust.patch \
|
||||
file://CVE-2026-33412.patch \
|
||||
file://CVE-2026-25749.patch \
|
||||
"
|
||||
|
||||
PV .= ".1683"
|
||||
|
||||
Reference in New Issue
Block a user