fix: CVE-2026-46483 and CVE-2026-43961 for vim#23

Open
deepin-ci-robot wants to merge 2 commits into master from fix/CVE-2026-46483-multi
@deepin-ci-robot

CVE fixes for vim

This PR fixes 2 CVEs for vim and documents 3 already-fixed CVEs.

Patches applied

| CVE | Upstream Fix | Description |
| --- | --- | --- |
| CVE-2026-46483 | v9.2.0479 | Command injection in tar.vim Vimuntar function |
| CVE-2026-43961 | v9.2.0480 | Code injection in netrw filter() calls |

Already fixed in current version

| CVE | Fixed at |
| --- | --- |
| CVE-2026-41411 | v9.2.0357 |
| CVE-2026-42307 | v9.2.0383 |
| CVE-2026-44656 | v9.2.0435 |

Commit history

  • b7f713e6 fix(vim): CVE-2026-46483
  • 55da0d81 fix(vim): CVE-2026-43961

Co-Authored-By: hudeng <hudeng@deepin.org>

deepin-ci-robot and others added 2 commits June 4, 2026 17:12
Fix command injection in tar.vim Vimuntar function by adding
proper shell escaping (shellescape second argument 1).

Upstream: vim/vim@3fb5e58 (v9.2.0479)
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>

Fix code injection in netrw filter() calls by replacing string-based
filter expressions with lambda syntax to prevent injection of arbitrary
Vim commands through crafted filenames.

Also documents already-fixed CVEs: CVE-2026-41411, CVE-2026-42307, CVE-2026-44656.

Upstream: vim/vim@8af0f09 (v9.2.0480)
Generated-By: deepseek-v4-flash
Co-Authored-By: hudeng <hudeng@deepin.org>
deepin-ci-robot added the generated-by-ai and cve (CVE-related issues or PRs) labels Jun 4, 2026
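
The difference the second commit message describes, between a filter() expression built as a string and a lambda, shown as an added Vim script illustration. It is not the netrw code or the upstream patch; the function names, the listing and the marker function are constructed for the example.

```vim
" Added illustration of the string-expression vs. lambda difference.
" Not netrw code: every function and variable name here is hypothetical.

let g:evaluated = 0

" Harmless marker: records that text taken from a file name was evaluated.
function! MarkEvaluated() abort
  let g:evaluated += 1
  return 0
endfunction

" Constructed listing. The last name contains a quote, so pasting it into a
" quoted expression ends the string literal early.
let g:listing = ['notes.txt', 'build.log', "' . MarkEvaluated() . '"]

" Before: the name is concatenated into a string that filter() evaluates
" once per item, so anything after the stray quote is parsed as Vim script.
function! HideByString(files, name) abort
  return filter(copy(a:files), "v:val !=# '" . a:name . "'")
endfunction

" After: the lambda closes over a:name and compares it as a value; the
" name is never parsed as an expression.
function! HideByLambda(files, name) abort
  return filter(copy(a:files), {_, v -> v !=# a:name})
endfunction

" Runs both variants on the constructed listing and reports how often the
" marker ran and how many entries were kept.
function! Demo() abort
  let l:name = g:listing[2]

  let g:evaluated = 0
  let l:kept = HideByString(g:listing, l:name)
  echo 'string filter: marker calls =' g:evaluated 'kept =' len(l:kept)

  let g:evaluated = 0
  let l:kept = HideByLambda(g:listing, l:name)
  echo 'lambda filter: marker calls =' g:evaluated 'kept =' len(l:kept)
endfunction

call Demo()
```

Load the file with `:source` in a scratch Vim session to compare the two reported lines.
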
@deepin-ci-robot


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tsic404 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepin-ci-robot


/hold
Because the upstream version number of this quilt package has changed; for details see: deepin-community/infra-settings#134

@github-actions

github-actions Bot commented Jun 4, 2026


TAG Bot

TAG: 2%9.2.0461-1deepin2
EXISTED: no
DISTRIBUTION: UNRELEASED
