Release date:
2026-06-24 09:54:56 UTC
Description:
* SECURITY UPDATE: arbitrary code execution in the python and python3
omni-completion plugins: Completer.evalsource() executed import and
from statements harvested from the current buffer through Python's
import machinery, and because the buffer's directory is on sys.path,
opening a hostile .py file alongside a sibling package ran attacker
controlled code on omni-completion.
- debian/patches/CVE-2026-52858.patch: skip execution of buffer
level import/from statements unless the user opts in by setting
g:pythoncomplete_allow_import, and re-import the vim module inside
evalsource() so the opt-in is honoured, in
runtime/autoload/python3complete.vim and
runtime/autoload/pythoncomplete.vim; matches upstream patches
9.2.0561 and 9.2.0568.
- CVE-2026-52858
* SECURITY UPDATE: arbitrary code execution in the python and python3
omni-completion plugins: the completion code reconstructed function
and class definitions from the current buffer and ran them through
exec(), and because Python evaluates parameter default values,
parameter annotations and class base expressions at definition time,
a hostile buffer could execute attacker controlled expressions via
crafted def/class headers; the g:pythoncomplete_allow_import
mitigation did not cover this path.
- debian/patches/CVE-2026-52860.patch: strip default values and
annotations from reconstructed function parameter lists and
whitelist class base lists to dotted names before the generated
source reaches exec(), in runtime/autoload/python3complete.vim and
runtime/autoload/pythoncomplete.vim; matches upstream patch
9.2.0597.
- CVE-2026-52860
Updated packages:
-
vim_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:bc1eee927f6f18adb12582c2bf81807bb222049f
-
vim-athena_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:35be1670bd3172b2a7270fa5ccdb113f8f4c44b3
-
vim-athena-py2_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:bf8a12edcb555e1aa98e45ec288edcc55a8c0ec6
-
vim-common_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:23736c2d3477635c65dd5d700fea34587e217e64
-
vim-doc_7.4.1689-3ubuntu1.5+tuxcare.els69_all.deb
sha:7044c40bece1d35283bb2e046355c4f5db5ea850
-
vim-gnome_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:1caf590eaaad4baba94f190fbb25b7b3f5613e80
-
vim-gnome-py2_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:ba94189c5cc7881eac7489e07c7ec1aed5f751cb
-
vim-gtk_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:b290639cd35b962aac30b77b19e9822b7282571b
-
vim-gtk-py2_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:e5fceb17e8ad424dbf3070d04071acd7a170eae2
-
vim-gtk3_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:67baaaab58b31e44aebe14e9521fc02ccb8749e3
-
vim-gtk3-py2_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:9ac95b4920a69b569474ecee1695aae2b61abbb4
-
vim-gui-common_7.4.1689-3ubuntu1.5+tuxcare.els69_all.deb
sha:8778d17663fceade94c0c846f59d6ad57b507197
-
vim-nox_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:e94c734757caa7f34e66e797695a3a7ff3fe1036
-
vim-nox-py2_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:9214960a23a18cda24f8403b4ac4ccc6574a0d48
-
vim-runtime_7.4.1689-3ubuntu1.5+tuxcare.els69_all.deb
sha:9a4ff5dedd1f0046fcb838b68afff4955db55c7a
-
vim-tiny_7.4.1689-3ubuntu1.5+tuxcare.els69_amd64.deb
sha:b3506ccef4658d2ad2fb51315a0c2239ff4bfeef
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.