35239 – vim new security issue CVE-2026-33412

Bug 35239 - vim new security issue CVE-2026-33412

Summary: vim new security issue CVE-2026-33412

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2026-03-20 09:13 CET by Nicolas Salguero
Modified:	2026-03-24 18:54 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	vim-9.2.140-1.mga9.src.rpm
CVE:	CVE-2026-33412
Status comment:

Flags:	herman.viaene: test_passed_mga9_64+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2026-03-20 09:13:02 CET

References:
https://www.openwall.com/lists/oss-security/2026/03/19/10
https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c

Nicolas Salguero 2026-03-20 09:14:01 CET

Status comment: (none) => Fixed upstream in 9.2.202
Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+
CVE: (none) => CVE-2026-33412
Source RPM: (none) => vim-9.2.140-1.mga10.src.rpm, vim-9.2.140-1.mga9.src.rpm

Comment 1 Marja Van Waes 2026-03-20 09:31:37 CET

Assigning to our registered vim maintainer.

CC: (none) => marja11
Assignee: bugsquad => thierry.vignaud

Comment 2 Nicolas Salguero 2026-03-20 09:38:09 CET

For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix a security vulnerability:

Command injection via newline in glob() affects Vim < 9.2.0202. (CVE-2026-33412)

References:
https://www.openwall.com/lists/oss-security/2026/03/19/10
https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
========================

Updated packages in core/updates_testing:
========================
vim-X11-9.2.209-1.mga9
vim-common-9.2.209-1.mga9
vim-enhanced-9.2.209-1.mga9
vim-minimal-9.2.209-1.mga9

from SRPM:
vim-9.2.209-1.mga9.src.rpm

Version: Cauldron => 9
Flags: affects_mga9+ => (none)
Status comment: Fixed upstream in 9.2.202 => (none)
Source RPM: vim-9.2.140-1.mga10.src.rpm, vim-9.2.140-1.mga9.src.rpm => vim-9.2.140-1.mga9.src.rpm
Assignee: thierry.vignaud => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)

Comment 3 Herman Viaene 2026-03-20 17:38:51 CET

MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Tested by  using the a, dd, i, x :wq commands. Checked with more, all works OK.

Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

katnatek 2026-03-20 19:24:56 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2026-03-22 21:55:45 CET

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2026-03-24 18:54:27 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0062.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.