Re: [OE-core] [scarthgap] [PATCH V2 1/2] vim: Fix CVE-2026-25749

Thu, 19 Mar 2026 16:52:50 -0700 

On Wed Mar 11, 2026 at 10:45 AM CET, Anil Dongare -X (adongare - E INFOCHIPS 
PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <[email protected]>
>
> Pick patch from [1] also mentioned in [2]
> [1] https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9
> [2] https://nvd.nist.gov/vuln/detail/CVE-2026-25749
>
> Signed-off-by: Anil Dongare <[email protected]>
> ---
>  .../vim/files/CVE-2026-25749.patch            | 63 +++++++++++++++++++
>  meta/recipes-support/vim/vim.inc              |  1 +
>  2 files changed, 64 insertions(+)
>  create mode 100644 meta/recipes-support/vim/files/CVE-2026-25749.patch
>
> diff --git a/meta/recipes-support/vim/files/CVE-2026-25749.patch 
> b/meta/recipes-support/vim/files/CVE-2026-25749.patch
> new file mode 100644
> index 0000000000..4236464c99
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2026-25749.patch
> @@ -0,0 +1,63 @@
> +From 04c5e03c2c638e6c82c250f7b612eab29fe7d9ba Mon Sep 17 00:00:00 2001
> +From: Christian Brabandt <[email protected]>
> +Date: Thu, 5 Feb 2026 18:51:54 +0000
> +Subject: [PATCH] patch 9.1.2132: [security]: buffer-overflow in 'helpfile'
> + option handling
> +
> +Problem:  [security]: buffer-overflow in 'helpfile' option handling by
> +          using strcpy without bound checks (Rahul Hoysala)
> +Solution: Limit strncpy to the length of the buffer (MAXPATHL)
> +
> +Github Advisory:
> +https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43
> +
> +CVE: CVE-2026-25749
> +Upstream-Status: Backport 
> [https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9]
> +
> +Backport Changes:
> +- Excluded changes to src/version.c and runtime/doc/version9.txt
> +  from this backport. This file only tracks upstream version increments.
> +  We are applying a security fix, not a version upgrade. These changes
> +  were skipped to maintain current package versioning and avoid merge 
> conflicts.
> +
> +Signed-off-by: Christian Brabandt <[email protected]>
> +(cherry picked from commit 0714b15940b245108e6e9d7aa2260dd849a26fa9)
> +Signed-off-by: Anil Dongare <[email protected]>
> +---
> + src/tag.c                 | 2 +-
> + src/testdir/test_help.vim | 9 +++++++++
> + 2 files changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/tag.c b/src/tag.c
> +index 6912e8743..a32bbb245 100644
> +--- a/src/tag.c
> ++++ b/src/tag.c
> +@@ -3348,7 +3348,7 @@ get_tagfname(
> +         if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)

Hello,

This patch has a weird format. The context lines starts with tabs and
not a single space as usual. While it seems like it passes tests, I'm
afraid it will break something down the line and I'd rather not take
this like this.

Can you please check?

Thanks!

> +             return FAIL;
> +         ++tnp->tn_hf_idx;
> +-        STRCPY(buf, p_hf);
> ++        vim_strncpy(buf, p_hf, MAXPATHL - 1);
> +         STRCPY(gettail(buf), "tags");
> + #ifdef BACKSLASH_IN_FILENAME
> +         slash_adjust(buf);
> +diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
> +index dac153d86..f9e4686bb 100644
> +--- a/src/testdir/test_help.vim
> ++++ b/src/testdir/test_help.vim
> +@@ -222,4 +222,13 @@ func Test_helptag_navigation()
> + endfunc
> +
> +
> ++" This caused a buffer overflow
> ++func Test_helpfile_overflow()
> ++  let _helpfile = &helpfile
> ++  let &helpfile = repeat('A', 5000)
> ++  help
> ++  helpclose
> ++  let &helpfile = _helpfile
> ++endfunc
> ++
> + " vim: shiftwidth=2 sts=2 expandtab
> +--
> +2.43.7
> diff --git a/meta/recipes-support/vim/vim.inc 
> b/meta/recipes-support/vim/vim.inc
> index c730f1d0cf..044117a57f 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -16,6 +16,7 @@ SRC_URI = 
> "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV}
>             file://disable_acl_header_check.patch \
>             file://0001-src-Makefile-improve-reproducibility.patch \
>             file://no-path-adjust.patch \
> +           file://CVE-2026-25749.patch \
>             "
>  
>  PV .= ".1683"


-- 
Yoann Congal
Smile ECS


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#233557): 
https://lists.openembedded.org/g/openembedded-core/message/233557
Mute This Topic: https://lists.openembedded.org/mt/118257283/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
  • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Yoann Congal via lists.openembedded.org
      • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
        • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
          • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
          • ... Yoann Congal via lists.openembedded.org
        • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
          • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
            • ... Yoann Congal via lists.openembedded.org
              • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
                • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
                • ... Yoann Congal via lists.openembedded.org

Reply via email to