fix: CVE-2026-46483 and CVE-2026-43961 for vim

debian/changelog

@@ -1,8 +1,15 @@
-vim (2:9.2.0461-1deepin1) unstable; urgency=medium
-
-  * Set-NoDisplay-true-for-vim-desktop.patch
-
- -- Tianyu Chen <sweetyfish@deepin.org>  Thu, 14 May 2026 11:50:36 +0800
+vim (2:9.2.0461-1deepin2) UNRELEASED; urgency=medium
+
+  * Fix CVE-2026-46483: Command injection in tar.vim Vimuntar function
+    - Properly escape shell arguments for external command context
+  * Fix CVE-2026-43961: Code injection in netrw filter() calls
+    - Replace string-based filter expressions with lambda syntax to
+      prevent injection of arbitrary Vim commands through crafted filenames
+  * CVE-2026-41411: Already fixed in current version (upstream 9.2.0357)
+  * CVE-2026-42307: Already fixed in current version (upstream 9.2.0383)
+  * CVE-2026-44656: Already fixed in current version (upstream 9.2.0435)
+
+ -- deepin-ci-robot <packages@deepin.org>  Thu, 04 Jun 2026 17:08:00 +0800
 
 vim (2:9.2.0461-1) unstable; urgency=medium
 

debian/patches/CVE-2026-43961-netrw-filter-injection.patch

@@ -0,0 +1,68 @@
+Index: vim/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+===================================================================
+--- vim.orig/runtime/pack/dist/opt/netrw/autoload/netrw.vim
++++ vim/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+@@ -5153,7 +5153,7 @@ function s:NetrwMarkFile(islocal,fname)
+
+         else
+             " remove filename from buffer's markfilelist
+-            call filter(s:netrwmarkfilelist_{curbufnr},'v:val != a:fname')
++            call filter(s:netrwmarkfilelist_{curbufnr}, {_, v -> v !=# a:fname})
+             if s:netrwmarkfilelist_{curbufnr} == []
+                 " local markfilelist is empty; remove it entirely
+                 call s:NetrwUnmarkList(curbufnr,curdir)
+@@ -5194,7 +5194,7 @@ function s:NetrwMarkFile(islocal,fname)
+             call add(s:netrwmarkfilelist,netrw#fs#ComposePath(b:netrw_curdir,a:fname))
+         else
+             " remove new filename from global markfilelist
+-            call filter(s:netrwmarkfilelist,'v:val != "'.dname.'"')
++            call filter(s:netrwmarkfilelist, {_, v -> v !=# dname})
+             if s:netrwmarkfilelist == []
+                 unlet s:netrwmarkfilelist
+             endif
+@@ -7217,7 +7217,7 @@ function s:NetrwTreeDisplay(dir,depth)
+         " hide given patterns
+         let listhide= split(g:netrw_list_hide,',')
+         for pat in listhide
+-            call filter(w:netrw_treedict[dir],'v:val !~ "'.escape(pat,'\\').'"')
++            call filter(w:netrw_treedict[dir], {_, v -> v !~# pat})
+         endfor
+
+     elseif g:netrw_hide == 2
+Index: vim/src/testdir/test_plugin_netrw.vim
+===================================================================
+--- vim.orig/src/testdir/test_plugin_netrw.vim
++++ vim/src/testdir/test_plugin_netrw.vim
+@@ -676,4 +676,19 @@ func Test_netrw_unmark_all()
+   call Test_NetrwUnMarkFile()
+ endfunc
+
++func Test_netrw_mf_command_injection()
++  CheckUnix
++  CheckExecutable touch
++  let path = tempname()
++  let fname = 'x" . execute("silent! !touch poc") . "'
++  call mkdir(path, 'R')
++  exe "cd " path
++  call writefile([], fname)
++  Explore .
++  call search('^x')
++  :norm mf
++  :norm mf
++  call assert_false(filereadable('poc'), 'Command injection via mf command')
++endfunc
++
+ " vim:ts=8 sts=2 sw=2 et
+Index: vim/src/version.c
+===================================================================
+--- vim.orig/src/version.c
++++ vim/src/version.c
+@@ -730,6 +730,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+ /**/
++    480,
++/**/
+     479,
+     461,
+ /**/

debian/patches/CVE-2026-46483-tar-command-injection.patch

@@ -0,0 +1,55 @@
+Index: vim/runtime/autoload/tar.vim
+===================================================================
+--- vim.orig/runtime/autoload/tar.vim
++++ vim/runtime/autoload/tar.vim
+@@ -832,9 +832,9 @@ fun! tar#Vimuntar(...)
+   " if necessary, decompress the tarball; then, extract it
+   if tartail =~ '\.tgz'
+    if executable("gunzip")
+-    silent exe "!gunzip ".shellescape(tartail)
++    silent exe "!gunzip ".shellescape(tartail, 1)
+    elseif executable("gzip")
+-    silent exe "!gzip -d ".shellescape(tartail)
++    silent exe "!gzip -d ".shellescape(tartail, 1)
+    else
+     echoerr "unable to decompress<".tartail."> on this system"
+     if simplify(curdir) != simplify(tarhome)
+Index: vim/src/testdir/test_plugin_tar.vim
+===================================================================
+--- vim.orig/src/testdir/test_plugin_tar.vim
++++ vim/src/testdir/test_plugin_tar.vim
+@@ -318,3 +318,22 @@ def g:Test_extract_with_dotted_filename(
+   delete('X.txt')
+   bw!
+ enddef
++
++def g:Test_extract_command_injection()
++  CheckExecutable gunzip
++  CheckExecutable touch
++  var tgz = eval('0z1F8B08087795056A000364756D6D792E74617200EDCE2B12C2300004D01C254' ..
++	'7480269CE534080A8495BD1DBF3996106C3A08A7ACFACD8157B59A7690BFB4A0FC3707C666E357D' ..
++	'E65BC8B5A47CC8A5D61A522EA5B510D3CEBF5ED679197B8CE17CEDB7F9D4C76FBB5F3D000000000' ..
++	'000000000FCD11D32415E2C00280000')
++  var dirname = tempname()
++
++  mkdir(dirname, 'R')
++  var tar = dirname .. "/';%$(touch pwned)'.tgz"
++  writefile(tgz, tar)
++  new
++  exe "e " .. fnameescape(tar)
++  exe ":Vimuntar " .. dirname
++  assert_false(filereadable(dirname .. "/pwned"))
++  bw!
++enddef
+Index: vim/src/version.c
+===================================================================
+--- vim.orig/src/version.c
++++ vim/src/version.c
+@@ -730,6 +730,7 @@ static char *(features[]) =
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+ /**/
++    479,
+     461,
+ /**/
+     460,

debian/patches/series

@@ -2,3 +2,5 @@ debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
 debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
 debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
 Set-NoDisplay-true-for-vim-desktop.patch
+CVE-2026-46483-tar-command-injection.patch
+CVE-2026-43961-netrw-filter-injection.patch