[CLSA-2026:1782810569] Fix CVE(s): CVE-2026-55693, CVE-2026-55892, CVE-2026-57455, CVE-2026-57456
Type:
security
Severity:
Important
Release date:
2026-06-30 09:09:52 UTC
Description:
* SECURITY UPDATE: out-of-bounds write parsing a crafted spell file: tree_count_words() and sug_filltree() descended the word trie without bounding the recursion depth, so a deeply nested trie wrote past the ends of their MAXWLEN-sized arridx[], curi[] and wordcount[] arrays. - debian/patches/CVE-2026-55693.patch: only descend while depth < MAXWLEN - 1 in both trie walkers, in src/spell.c; matches upstream patch 9.2.0653. - CVE-2026-55693 * SECURITY UPDATE: stack out-of-bounds write in dump_prefixes() when dumping spell prefixes (:spelldump): the word trie was descended without bounding the recursion depth, overflowing the MAXWLEN-sized prefix[], arridx[] and curi[] arrays. - debian/patches/CVE-2026-55892.patch: only descend while depth < MAXWLEN - 1, in src/spell.c; matches upstream patch 9.2.0662. - CVE-2026-55892 * SECURITY UPDATE: out-of-bounds write in soundfold(): the single-byte branch of spell_soundfold_sofo() wrote one result byte per input byte into the MAXWLEN-sized res[] buffer with no bound, so a long word overflowed it. - debian/patches/CVE-2026-57455.patch: stop the translation loop once ri reaches MAXWLEN - 1, in src/spell.c; matches upstream patch 9.2.0698. - CVE-2026-57455 * SECURITY UPDATE: arbitrary code execution in the python and python3 omni-completion plugins: reconstructed class/function definitions ran through exec() embedded buffer-supplied docstrings inside a triple- quoted Python string literal, so a docstring containing a closing triple-quote broke out of the literal and executed attacker code. - debian/patches/CVE-2026-57456.patch: quote docstrings with repr() instead of triple-quoting, in runtime/autoload/python3complete.vim and pythoncomplete.vim; matches upstream patch 9.2.0699. - CVE-2026-57456
Updated packages:
  • vim_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:dcc06394be20d1504cbc0e8a1b8c0268ec72de7d
  • vim-athena_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:d76b058106e24765f34cde47cbeb2fbc4731aea4
  • vim-athena-py2_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:f1916391d0a48949702d7f58b2449914a95e134d
  • vim-common_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:0a329e387d81cad9e361ba1f7db0c94f2d92f93d
  • vim-doc_7.4.1689-3ubuntu1.5+tuxcare.els70_all.deb
    sha:2ccd28644b6e5dd53440e9384a4f920012fd8c6e
  • vim-gnome_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:12c4dcbd949eda2aa230226198e43cc4ee549380
  • vim-gnome-py2_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:b6b0fe9573062903560e74f6967fd6a88e5e687b
  • vim-gtk_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:87c2c356e10313b42ca8123138056dc4a461b0ba
  • vim-gtk-py2_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:e1d197d7ae581294a84abf42c687855ed7507f8a
  • vim-gtk3_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:549d5004d4a9df48a693443f75c575c82857d237
  • vim-gtk3-py2_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:655c0527bc3d08782f113870438da259cb4587c5
  • vim-gui-common_7.4.1689-3ubuntu1.5+tuxcare.els70_all.deb
    sha:a8e4d16266866be200f705c691bec5df6680b7e1
  • vim-nox_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:0283345e5e0b1508a7e80fa466704f3727f6a358
  • vim-nox-py2_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:a18078c0d8e7e5262da014c8e039c1922900b619
  • vim-runtime_7.4.1689-3ubuntu1.5+tuxcare.els70_all.deb
    sha:db361ce266b8e2cf75df786531d5761b3fb73dd4
  • vim-tiny_7.4.1689-3ubuntu1.5+tuxcare.els70_amd64.deb
    sha:42e35b42f853917936dc051a1faa08c98a0c42c1
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.