From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Thu, 19 Mar 2026 19:58:05 +0000 Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in glob() Problem: The glob() function on Unix-like systems does not escape newline characters when expanding wildcards. A maliciously crafted string containing '\n' can be used as a command separator to execute arbitrary shell commands via mch_expand_wildcards(). This depends on the user's 'shell' setting. Solution: Add the newline character ('\n') to the SHELL_SPECIAL definition to ensure it is properly escaped before being passed to the shell (pyllyukko). closes: #19746 Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c Signed-off-by: pyllyukko Signed-off-by: Christian Brabandt CVE: CVE-2026-33412 Upstream-Status: Backport [https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a] Signed-off-by: Hitendra Prajapati --- src/os_unix.c | 2 +- src/version.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/os_unix.c b/src/os_unix.c index cf195e62e1..d767956b1a 100644 --- a/src/os_unix.c +++ b/src/os_unix.c @@ -7106,7 +7106,7 @@ mch_expandpath( # define SEEK_END 2 #endif -#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|" +# define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n" int mch_expand_wildcards( diff --git a/src/version.c b/src/version.c index 4f3912aedd..712a3e637c 100644 --- a/src/version.c +++ b/src/version.c @@ -724,6 +724,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1684, /**/ 1683, /**/ -- 2.50.1