Bug 35292 - vim new high security issue (CVE not yet assigned)
Summary: vim new high security issue (CVE not yet assigned)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-30 14:05 CEST by Nicolas Salguero
Modified: 2026-04-01 01:07 CEST

See Also:
Source RPM: vim-9.2.209-1.mga9.src.rpm
CVE: CVE-2026-34714
Status comment:
herman.viaene: test_passed_mga9_64+



Nicolas Salguero 2026-03-30 14:07:56 CEST

Source RPM: (none) => vim-9.2.209-1.mga10.src.rpm, vim-9.2.209-1.mga9.src.rpm
Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2026-03-30 14:28:02 CEST
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix a high security vulnerability:

Vim tabpanel modeline escape affects Vim < 9.2.0272.

References:
https://www.openwall.com/lists/oss-security/2026/03/30/3
https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh
========================

Updated packages in core/updates_testing:
========================
vim-X11-9.2.272-1.mga9
vim-common-9.2.272-1.mga9
vim-enhanced-9.2.272-1.mga9
vim-minimal-9.2.272-1.mga9

from SRPM:
vim-9.2.272-1.mga9.src.rpm

Source RPM: vim-9.2.209-1.mga10.src.rpm, vim-9.2.209-1.mga9.src.rpm => vim-9.2.209-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

katnatek 2026-03-31 02:47:11 CEST

Keywords: (none) => advisory

Comment 2 Herman Viaene 2026-03-31 15:37:21 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Fooled around in .txt file with commands a, i, dw, dd and x. All worked OK.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2026-03-31 18:27:13 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Dan Fandrich 2026-04-01 00:22:18 CEST
The GHSA now provides CVE-2026-34714 for this issue so I've added that to the advisory.

CVE: (none) => CVE-2026-34714
CC: (none) => dan

Comment 5 Mageia Robot 2026-04-01 01:07:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0077.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

