mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-29 09:32:11 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
7e09c83dd879007742cc6f804dcd66ea32c42386
poky/meta/recipes-support/vim/files/CVE-2026-25749.patch
Hitendra Prajapati 7e09c83dd8 vim: Fix CVE-2026-25749 
Pick patch from [1] also mentioned in [2]

[1] 0714b15940
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-25749

(From OE-Core rev: ee5c47fdfed865ef7ddc18054cb6cebdb7b0e4cb)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-04-10 11:53:18 +01:00

65 lines
2.1 KiB
Diff
Raw Blame History

From e0065a61a42bdff9c75aa18104f8ff546938395f Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Thu, 5 Feb 2026 18:51:54 +0000
Subject: [PATCH] patch 9.1.2132: [security]: buffer-overflow in 'helpfile'
option handling
Problem: [security]: buffer-overflow in 'helpfile' option handling by
using strcpy without bound checks (Rahul Hoysala)
Solution: Limit strncpy to the length of the buffer (MAXPATHL)
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43
CVE: CVE-2026-25749
Upstream-Status: Backport [https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9]
Backport Changes:
- Excluded changes to src/version.c and runtime/doc/version9.txt
from this backport. This file only tracks upstream version increments.
We are applying a security fix, not a version upgrade. These changes
were skipped to maintain current package versioning and avoid merge conflicts.
Signed-off-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 0714b15940b245108e6e9d7aa2260dd849a26fa9)
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
src/tag.c | 2 +-
src/testdir/test_help.vim | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/tag.c b/src/tag.c
index 6912e8743..a32bbb245 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -3348,7 +3348,7 @@ get_tagfname(
if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
return FAIL;
++tnp->tn_hf_idx;
- STRCPY(buf, p_hf);
+ vim_strncpy(buf, p_hf, MAXPATHL - 1);
STRCPY(gettail(buf), "tags");
#ifdef BACKSLASH_IN_FILENAME
slash_adjust(buf);
diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
index dac153d86..f9e4686bb 100644
--- a/src/testdir/test_help.vim
+++ b/src/testdir/test_help.vim
@@ -222,4 +222,13 @@ func Test_helptag_navigation()
endfunc
+" This caused a buffer overflow
+func Test_helpfile_overflow()
+ let _helpfile = &helpfile
+ let &helpfile = repeat('A', 5000)
+ help
+ helpclose
+ let &helpfile = _helpfile
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.43.7
Reference in New Issue View Git Blame Copy Permalink