UbuntuUpdates.org

Package "vim-motif"

Name: vim-motif

Description:

Vi IMproved - enhanced vi editor - with Motif GUI

Latest version: 2:9.1.2141-1ubuntu4.6
Release: resolute (26.04)
Level: security
Repository: universe
Head package: vim
Homepage: https://www.vim.org/

Other versions of "vim-motif" in Resolute

Repository  Area      Version
base        universe  2:9.1.2141-1ubuntu4
updates     universe  2:9.1.2141-1ubuntu4.6

Changelog

Version: 2:9.1.2141-1ubuntu4.6 2026-07-04 16:07:27 UTC

  vim (2:9.1.2141-1ubuntu4.6) resolute-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds write.
    - debian/patches/CVE-2026-55693.patch: only descend while
      depth < MAXWLEN - 1 in src/spellfile.c.
    - debian/patches/CVE-2026-55892.patch: only descend while
      depth < MAXWLEN - 1 in src/spell.c.
    - CVE-2026-55693
    - CVE-2026-55892
  * SECURITY UPDATE: Code injection in local file deletion.
    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape
      file name in runtime/pack/dist/opt/netrw/autoload/netrw.vim.
    - CVE-2026-55895
  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.
    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space
      before function call in src/crypt.c.
    - CVE-2026-57452
  * SECURITY UPDATE: PowerShell code execution in zip.vim.
    - debian/patches/CVE-2026-57453.patch: Escape PowerShell code in
      runtime/autoload/zip.vim.
    - CVE-2026-57453
  * SECURITY UPDATE: Out-of-bounds write with soundfold().
    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate
      buffer in src/spell.c.
    - CVE-2026-57455
  * SECURITY UPDATE: Code execution with python complete.
    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings
      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.
    - CVE-2026-57456

 -- Kyle Kernick <email address hidden> Tue, 30 Jun 2026 11:00:04 -0600

CVE-2026-55693 Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields
CVE-2026-55892 Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iterat
CVE-2026-55895 Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the ne
CVE-2026-57452 Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xch
CVE-2026-57453 Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell
CVE-2026-57455 Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word
CVE-2026-57456 Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy

Version: 2:9.1.2141-1ubuntu4.5 2026-06-18 18:07:40 UTC

  vim (2:9.1.2141-1ubuntu4.5) resolute-security; urgency=medium

  * debian/patches/0005-skip-autocmd-test-failing-on-arm64.patch
    - Skip tests failing on arm64

 -- Kyle Kernick <email address hidden> Wed, 17 Jun 2026 09:37:36 -0600

Version: 2:9.1.2141-1ubuntu4.3 2026-06-09 20:07:34 UTC

  vim (2:9.1.2141-1ubuntu4.3) resolute-security; urgency=medium

  * SECURITY UPDATE: Command injection in tar plugin.
    - debian/patches/CVE-2026-46483.patch: Use the correct shell-escape in
      runtime/autoload/tar.vim.
    - CVE-2026-46483
  * SECURITY UPDATE: Code injection via mf command.
    - debian/patches/CVE-2026-43961.patch: Avoid string concatenation for
      filter commands in runtime/pack/dist/opt/netrw/autoload/netrw.vim.
    - CVE-2026-43961

 -- Kyle Kernick <email address hidden> Tue, 02 Jun 2026 15:57:23 -0600

CVE-2026-46483 Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/ta

Version: 2:9.1.2141-1ubuntu4.2 2026-05-25 19:07:30 UTC

  vim (2:9.1.2141-1ubuntu4.2) resolute-security; urgency=medium

  * SECURITY UPDATE: Command injection in netrw plugin.
    - debian/patches/CVE-2026-42307.patch: Escape file names and harden regex
      patterns in runtime/pack/dist/opt/netrw/autoload/netrw.vim
    - CVE-2026-42307
  * SECURITY UPDATE: Shell execution in completion.
    - debian/patches/CVE-2026-44656.patch: Skip path entries containing
      backticks and add P_SECURE option in src/findfile.c and src/optiondefs.h
    - CVE-2026-44656
  * SECURITY UPDATE: Heap overflow in spellfile.
    - debian/patches/CVE-2026-45130.patch: Enforce a maximum compound length
      in src/spellfile.c
    - CVE-2026-45130

 -- Kyle Kernick <email address hidden> Wed, 20 May 2026 13:11:32 -0600

CVE-2026-42307 Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin
CVE-2026-44656 Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line
CVE-2026-45130 Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when

Version: 2:9.1.2141-1ubuntu4.1 2026-05-07 19:07:51 UTC

  vim (2:9.1.2141-1ubuntu4.1) resolute-security; urgency=medium

  * SECURITY UPDATE: Path Traversal in zip.vim
    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before
      writing in runtime/autoload/zip.vim
    - CVE-2026-35177
  * SECURITY UPDATE: Command Injection in netbeans
    - debian/patches/CVE-2026-39881.patch: Validate typename, fg, and bg
      before passing to coloncmd in src/netbeans.c
    - CVE-2026-39881
  * SECURITY UPDATE: Command injection via backtick expansion in tag files
    - debian/patches/CVE-2026-41411.patch: Disallow backticks before attempting
      to expand filenames
    - CVE-2026-41411

 -- Federico Quattrin <email address hidden> Wed, 06 May 2026 13:49:47 -0300

CVE-2026-35177 Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary f
CVE-2026-39881 Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious
CVE-2026-41411 Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resol


