[CLSA-2026:1782294876] Fix CVE(s): CVE-2026-52858, CVE-2026-52860
Type:
security
Severity:
Important
Release date:
2026-06-24 09:54:56 UTC
Description:
* SECURITY UPDATE: arbitrary code execution in the python and python3 omni-completion plugins: Completer.evalsource() executed import and from statements harvested from the current buffer through Python's import machinery, and because the buffer's directory is on sys.path, opening a hostile .py file alongside a sibling package ran attacker controlled code on omni-completion. - debian/patches/CVE-2026-52858.patch: skip execution of buffer level import/from statements unless the user opts in by setting g:pythoncomplete_allow_import, and re-import the vim module inside evalsource() so the opt-in is honoured, in runtime/autoload/python3complete.vim and runtime/autoload/pythoncomplete.vim; matches upstream patches 9.2.0561 and 9.2.0568. - CVE-2026-52858 * SECURITY UPDATE: arbitrary code execution in the python and python3 omni-completion plugins: the completion code reconstructed function and class definitions from the current buffer and ran them through exec(), and because Python evaluates parameter default values, parameter annotations and class base expressions at definition time, a hostile buffer could execute attacker controlled expressions via crafted def/class headers; the g:pythoncomplete_allow_import mitigation did not cover this path. - debian/patches/CVE-2026-52860.patch: strip default values and annotations from reconstructed function parameter lists and whitelist class base lists to dotted names before the generated source reaches exec(), in runtime/autoload/python3complete.vim and runtime/autoload/pythoncomplete.vim; matches upstream patch 9.2.0597. - CVE-2026-52860
Updated packages:
  • vim_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:bc1eee927f6f18adb12582c2bf81807bb222049f
  • vim-athena_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:35be1670bd3172b2a7270fa5ccdb113f8f4c44b3
  • vim-athena-py2_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:bf8a12edcb555e1aa98e45ec288edcc55a8c0ec6
  • vim-common_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:23736c2d3477635c65dd5d700fea34587e217e64
  • vim-doc_7.4.1689-3ubuntu1.5+tuxcare.els69_all.deb
    sha:7044c40bece1d35283bb2e046355c4f5db5ea850
  • vim-gnome_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:1caf590eaaad4baba94f190fbb25b7b3f5613e80
  • vim-gnome-py2_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:ba94189c5cc7881eac7489e07c7ec1aed5f751cb
  • vim-gtk_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:b290639cd35b962aac30b77b19e9822b7282571b
  • vim-gtk-py2_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:e5fceb17e8ad424dbf3070d04071acd7a170eae2
  • vim-gtk3_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:67baaaab58b31e44aebe14e9521fc02ccb8749e3
  • vim-gtk3-py2_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:9ac95b4920a69b569474ecee1695aae2b61abbb4
  • vim-gui-common_7.4.1689-3ubuntu1.5+tuxcare.els69_all.deb
    sha:8778d17663fceade94c0c846f59d6ad57b507197
  • vim-nox_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:e94c734757caa7f34e66e797695a3a7ff3fe1036
  • vim-nox-py2_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:9214960a23a18cda24f8403b4ac4ccc6574a0d48
  • vim-runtime_7.4.1689-3ubuntu1.5+tuxcare.els69_all.deb
    sha:9a4ff5dedd1f0046fcb838b68afff4955db55c7a
  • vim-tiny_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
    sha:b3506ccef4658d2ad2fb51315a0c2239ff4bfeef
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.