[ubuntu/resolute-proposed] vim 2:9.1.2141-1ubuntu2 (Accepted)

Bruce Cable bruce.cable at canonical.com
Tue Mar 17 12:54:16 UTC 2026


vim (2:9.1.2141-1ubuntu2) resolute; urgency=medium

  * SECURITY UPDATE: Buffer Overflow
    - debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN
      bytes to prevent writing out of bounds.
    - debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL * 4
      for ga_grow() to ensure sufficient space. Add a boundary check to the
      character loop to prevent index out-of-bounds access.
    - debian/patches/CVE-2026-28422.patch: Update the size check to account
      for the byte length of the fill character (using MB_CHAR2LEN).
    - CVE-2026-26269
    - CVE-2026-28420
    - CVE-2026-28422
  * SECURITY UPDATE: Command Injection
    - debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123
      hostname and IP validation. Use shellescape() for the provided
      hostname and port.
    - debian/patches/fix-test_plugin_netrw-tests.patch: Add missing
      function TestNetrwCaptureRemotePath.
    - CVE-2026-28417
  * SECURITY UPDATE: Out of Bounds Read
    - debian/patches/CVE-2026-28418.patch: Check for end of buffer
      and return early.
    - CVE-2026-28418
  * SECURITY UPDATE: Buffer Underflow
    - debian/patches/CVE-2026-28419.patch: Add a check to ensure the
      delimiter (p_7f) is not at the start of the buffer (lbuf) before
      attempting to isolate the tag name.
    - CVE-2026-28419
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-28421.patch: Add bounds checks on
      pe_page_count and pe_bnum against mf_blocknr_max before descending
      into the block tree, and validate pe_old_lnum >= 1 and
      pe_line_count > 0 before calling readfile().
    - CVE-2026-28421

Date: Tue, 10 Mar 2026 19:44:16 +1100
Changed-By: Bruce Cable <bruce.cable at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/vim/2:9.1.2141-1ubuntu2
Format: 1.8
Date: Tue, 10 Mar 2026 19:44:16 +1100
Source: vim
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 2:9.1.2141-1ubuntu2
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Bruce Cable <bruce.cable at canonical.com>
Checksums-Sha1:
 4756438c678d1443ffe15dffb4faf1fa1156295c 3037 vim_9.1.2141-1ubuntu2.dsc
 a642736dd2d2714c4c60535e158cc49a7fdae9a9 214660 vim_9.1.2141-1ubuntu2.debian.tar.xz
 6cf0cfaf3d101452fa43e6eb7917d8e0587b142f 17256 vim_9.1.2141-1ubuntu2_source.buildinfo
Checksums-Sha256:
 3e0a3b0b7c3cba17e5fae8e410a20f492952d141ba7023cde3fb8962a5e91018 3037 vim_9.1.2141-1ubuntu2.dsc
 d3aea84fa8443cb51d16249836d46d536902f7f5ba2e9d4619d3f710b7c92755 214660 vim_9.1.2141-1ubuntu2.debian.tar.xz
 6b255b05976edb763fe51be062a524f03d027ef3e9d77a090f5dbcbb4e794bcd 17256 vim_9.1.2141-1ubuntu2_source.buildinfo
Files:
 ab3602eb2333e0d7d86175aaf9e2a35c 3037 editors optional vim_9.1.2141-1ubuntu2.dsc
 e3bfd87be5a338fc9659410425e57e6b 214660 editors optional vim_9.1.2141-1ubuntu2.debian.tar.xz
 5b8fad00638255c096ded000e237e2e0 17256 editors optional vim_9.1.2141-1ubuntu2_source.buildinfo
Original-Maintainer: Debian Vim Maintainers <team+vim at tracker.debian.org>