#1135706 neovim: vulnerable to security bug fixed in Vim 9.2.0331, among others

Package:
neovim
Source:
neovim
Description:
heavily refactored vim fork
Submitter:
brian m. carlson
Date:
2026-06-14 01:07:03 UTC
Severity:
normal
Tags:
#1135706#5
Date:
2026-05-04 23:33:31 UTC
From:
To:
Neovim 0.12.2 has included several security patches from Vim that are
unpatched in the version in unstable.  For instance, there is a buffer
overflow fixed in Vim 9.2.0331 that still causes Neovim to crash.

If you place the below contents in `vimrc` and run `nvim -u vimrc`,
Neovim crashes with `*** buffer overflow detected ***: terminated`.
Obviously this is a serious security bug.  While this particular
variant is detected, it's not necessarily the case that every variant
will be detected, so patching this appropriately is important.

Since spell files are frequently downloaded from the Internet (and I
believe both Vim and Neovim contain functionality to do so), this allows
a malicious provider of spell files to create a buffer overflow, which
could allow arbitrary code execution.

Could you either upload Neovim 0.12.2 or backport the appropriate
security patches from newer versions of Neovim?

vimrc:
----
func s:abc()

  let aff_lines = ['SET ISO8859-1', 'SFX A Y 1',
        \ 'SFX A 0 s ' .. repeat(nr2char(0xff), 491)]
  call writefile(aff_lines, 'Xbof.aff', 'D')
  call writefile(['1', 'word/A'], 'Xbof.dic', 'D')
  " Must not crash; ignore any conversion/regex errors.
  try
    mkspell! Xbof.spl Xbof
  catch
  endtry
  defer delete('Xbof.spl')

  let long = repeat(nr2char(0xff), 200)
  let aff2_lines = ['SET ISO8859-1', 'SFX A Y 1',
        \ 'SFX A 0 ' .. long .. ' .']
  call writefile(aff2_lines, 'Xbof2.aff', 'D')
  call writefile(['1', long .. '/A'], 'Xbof2.dic', 'D')
  try
    mkspell! Xbof2.spl Xbof2
  catch
  endtry
  defer delete('Xbof2.spl')

endfunc

call s:abc()
----

These contents were derived from the test in Vim patch 9.2.0331.
#1135706#10
Date:
2026-05-05 01:01:17 UTC
From:
To:
I'm working on the tree-sitter transition that is required to upgrade to
neovim 0.12.x.

Cheers,
#1135706#17
Date:
2026-06-07 21:44:04 UTC
From:
To:
Hello James,

Seems the time of removing neovim from Debian repo is soon, I don't
have much knowlege how to dig into issue and fix them. Other issue is
from lua-penlight
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138537 which going
to autoremove sooner than neovim. How can I do anything in assistance
in this matter?

Regards,
Sally

On Mon, 4 May 2026 21:01:17 -0400 James McCoy <jamessan@debian.org> wrote:
are
buffer
to
#1135706#22
Date:
2026-06-08 02:49:07 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
neovim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1135706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated neovim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 07 Jun 2026 22:22:25 -0400
Source: neovim
Architecture: source
Version: 0.12.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Vim Maintainers <team+vim@tracker.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Closes: 1132614 1135706
Changes:
 neovim (0.12.2-1) experimental; urgency=medium
 .
   * Update to new upstream version 0.12.2. (Closes: #1132614)
     + Includes various security fixes, backported from Vim (Closes: #1135706)
   * Bump tree-sitter parser versions to match upstream
   * Enable building with luajit on loong64, powerpc, ppc64el, and riscv64
   * Switch from $BUSTED_ARGS to $TEST_ARGS run running tests
   * Add git as a test dependency
   * Skip test which does not expect certain Lua 5.2 functions to be present in LuaJIT
   * Bump tree-sitter Build-Depends to 0.26
   * Remove shell-script-fails-syntax-check override
   * Declare compliance with Policy 4.7.4
   * Backport patches to fix test failures
     + fix(test): only test for unibilium if a valid compilation string exists
     + vim-patch:9.2.0395: tests: Test_backupskip() may read from $HOME (#39417)
Checksums-Sha1:
 4f05731a297701b5cf8aef09a2c82228a3c6012b 3150 neovim_0.12.2-1.dsc
 eac5f0bd8c6a18d68e2a22142904953bdf552ede 9461232 neovim_0.12.2.orig.tar.xz
 1309d4776bda3e9df88b746a15eaa7db9c75004e 28976 neovim_0.12.2-1.debian.tar.xz
 a788978b396f01927559dc48398c9090a783a85a 27188420 neovim_0.12.2-1.git.tar.xz
 69f4bedcd5fce7a3134a1c615b1267114f85f1c0 17488 neovim_0.12.2-1_source.buildinfo
Checksums-Sha256:
 9d229359faef36e638a748f21307b166f80f06dc351ef9efc6c648cc0701a630 3150 neovim_0.12.2-1.dsc
 5536740ef0b3000033949e04f01f758230f61435900c93372b0b24a1a63406c0 9461232 neovim_0.12.2.orig.tar.xz
 97eef3194a5cb6959d33e9d622c66ac52803eb0fb669dc26acec38e3e4b1d35e 28976 neovim_0.12.2-1.debian.tar.xz
 ded84b943739896b87def210c76b1c851e83d45ba8bd64fbf97904cbdfaf1da9 27188420 neovim_0.12.2-1.git.tar.xz
 5c69478b3820a38064cc54832a69730f5ed2e756ab3c975bfabd53128e46c603 17488 neovim_0.12.2-1_source.buildinfo
Files:
 09d9ac1324743f01a7e8530f85ec1551 3150 editors optional neovim_0.12.2-1.dsc
 48311f70b1ae833dd249d8c7df971279 9461232 editors optional neovim_0.12.2.orig.tar.xz
 5c36aadec63ba21ecce935184030c66f 28976 editors optional neovim_0.12.2-1.debian.tar.xz
 492b998dc6f4ae56dd769a9495b98a06 27188420 editors None neovim_0.12.2-1.git.tar.xz
 6aaa7568cd77cc9092f56abea783f42e 17488 editors optional neovim_0.12.2-1_source.buildinfo
Git-Tag-Info: tag=d2c17ca0e07e4f0adaefe46e096de121655aee2e fp=91bfbf4d6956bd5df7b72d23dfe691ae331ba3db
Git-Tag-Tagger: James McCoy <jamessan@debian.org>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmomKN8ACgkQYG0ITkaD
wHltexAAnlkJdBjZIp3aw9Vwq5v4xrvTO1HwjLKJj2gWuZ9l7sP9/8yCtylxymFK
E6vVuV2KgXEqaP9JysgrCUBDYB+BmHJDgjvFNdO8aMtMf0HQCHWh92dM4S/Jyo85
nFeA4GfgXRZgnefBk5p1rAp6K71F/qUMTGeBpxTEUPCmMeLGaPS14OiYj3oZ27FO
EuMij47+BBZoe69OgTfCdTTbPMOePGcpi/RRCdTZi10jgg0sNY1+FT8OtNDubFPI
syDDgjpQoTWxfy0ZAn5t0Azl43/n940Q6LKBS5D1CgsmRXwNpV1t5pKR9PWSyD3i
K7WkaeZqzU8Mri3OwB8NkhNR8U7LBAcw9Anm5sx9ZVP7+9dCzRd87IbLOGLD2A06
d9YZa/f978JykFan6dEMe3QZ4ZcAAqMhUcB/hEgIj6/ussna4MFZWEcfB5isY90+
7lZ1wVfc6CQAhQUWLeDFg7mgPOIKDXytEd7hVuiQDaa1TS09BLf3LzMQ33eXpIBH
9JZBsKNji6T+0LzNRNIikRcvwsdyoCXabirO21ULIMHVGkzt5SnKEwgiuKBYMDA0
Hg2tMDPFy0nlBNV3e91JGIqGG7zWxTyddEUpZNhRBkEORDlWRy8uGR9miTNh83iY
bTWE7bvQcekGYKuAqqytsmtRZ6Cme/Gx3nPR5UxJU+Q2SvNONgo=
=j8JC
-----END PGP SIGNATURE-----
#1135706#27
Date:
2026-06-14 01:05:44 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
neovim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1135706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated neovim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 13 Jun 2026 20:10:46 -0400
Source: neovim
Architecture: source
Version: 0.12.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Vim Maintainers <team+vim@tracker.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Closes: 1132614 1135706
Changes:
 neovim (0.12.3-1) unstable; urgency=medium
 .
   * Upload to unstable
   * Update to new upstream version 0.12.3.
   * Backport patch to fix skipping upstream tests
     + fix(test): support multiple --filter-out
 .
 neovim (0.12.2-2) experimental; urgency=medium
 .
   * Remove loong64 from LuaJIT architectures, since luajit crashes during neovim build
   * Remove lua-inspect test dependency
   * Remove lua-busted test dependency
   * Install bash and zsh completions for nvim
   * Backport upstream patch to fix ppc64el test failure
     + fix(unittest): preprocess failure when __typeof declarations present #40145
 .
 neovim (0.12.2-1) experimental; urgency=medium
 .
   * Update to new upstream version 0.12.2. (Closes: #1132614)
     + Includes various security fixes, backported from Vim (Closes: #1135706)
   * Bump tree-sitter parser versions to match upstream
   * Enable building with luajit on loong64, powerpc, ppc64el, and riscv64
   * Switch from $BUSTED_ARGS to $TEST_ARGS run running tests
   * Add git as a test dependency
   * Skip test which does not expect certain Lua 5.2 functions to be present in LuaJIT
   * Bump tree-sitter Build-Depends to 0.26
   * Remove shell-script-fails-syntax-check override
   * Declare compliance with Policy 4.7.4
   * Backport patches to fix test failures
     + fix(test): only test for unibilium if a valid compilation string exists
     + vim-patch:9.2.0395: tests: Test_backupskip() may read from $HOME (#39417)
Checksums-Sha1:
 7a1cd9be8f511381db279d6de4ae321daa9c544e 3118 neovim_0.12.3-1.dsc
 c6e29c10db65668373a2bc57ac45295f7f879bc0 9473188 neovim_0.12.3.orig.tar.xz
 7f34c81ed65f41b762a2d4ab918337ccd4513a86 28444 neovim_0.12.3-1.debian.tar.xz
 e59e8a8e335204bfbe30be002f1ca592398d382b 29207864 neovim_0.12.3-1.git.tar.xz
 e474140bfad50d95b11e93924cb8283952a13279 17488 neovim_0.12.3-1_source.buildinfo
Checksums-Sha256:
 7e7aad0d28a951c63220f9485ea411b26b6504917a1ad4d01d5e583ecf6baa89 3118 neovim_0.12.3-1.dsc
 7c67e0244a94e8b7ba27acda9ca91a1d1a33123ef2ab8838010e5398fd7bd861 9473188 neovim_0.12.3.orig.tar.xz
 1f929eef288521ff933adffe21fc5180cf6537f0745babbd4cf95085ddb85f56 28444 neovim_0.12.3-1.debian.tar.xz
 f4925e72d3b4e46a59a321abcc655b57a61da01967aaf9d4db7ae5b0651009b1 29207864 neovim_0.12.3-1.git.tar.xz
 6b903051161f06b217849db66ebd20b7eb7bd224631c6557027f98fa2bacd6ea 17488 neovim_0.12.3-1_source.buildinfo
Files:
 f0972d7b45501c0e5ea2cbf51edae0d6 3118 editors optional neovim_0.12.3-1.dsc
 ba1621e33c6fe4b3584819fa166e9820 9473188 editors optional neovim_0.12.3.orig.tar.xz
 af1d6c155fc4a08be6e1d352673856e1 28444 editors optional neovim_0.12.3-1.debian.tar.xz
 a70c1f4094ebde4a85293a06605f9b1b 29207864 editors None neovim_0.12.3-1.git.tar.xz
 75e76efde5bafde31790791bbbf21bdc 17488 editors optional neovim_0.12.3-1_source.buildinfo
Git-Tag-Info: tag=c27f3f366a480ec305bcc9d6aa45f6f3012e7ad6 fp=91bfbf4d6956bd5df7b72d23dfe691ae331ba3db
Git-Tag-Tagger: James McCoy <jamessan@debian.org>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmot+VcACgkQYG0ITkaD
wHkjChAAsE/0jXJscW/F1N94T31MThg0JBlryvvhElQhvf/q9v1B5kH287zIP73B
rdiocN2SJ82PVojhd/6VHWqvmDKtrD86Ndx542pUp2CJ9RHGIzCAAU2Oei6m/6Ki
xsdWWjiSOMvSVMmLjIDr9Od+8HiQDrZ1dM0Snza/QXGJZQYGy8yGD34oGC94jjPh
Lev1n1WC2Fp3Jj1ht/63liVy4iz255A9vEoATQpan+G/Sp2qpkV04OP/E9Yv9tHe
tsWdN3j5CUmxwVj1HJ4IsmhW9/nY4Z6rJHdAAYg5iCqkZjHztKVjyTRYm4tFdaL6
Ol2gc3nVtdPLONG1PPLUEmP+ecQcXycMJEiLeofoalLAO1zHH90IkiArSYPid+Xl
8CD68sp4XVNlRX0oTKAIDYwFqSc7rnb7YfkcSuL61c4m/sRjVnw0/DFTTYX3d1cL
VkESK6XQ6dCDEwo+4jXjgWDPZiltksDrbX+GRhfB5LaFMVN2IShLMu5z8WzlEBfC
eBF2DdeQGQMDh2KgkcdTsfAvyIlGBrg5mk9b34xnuKzR2I1uLup7Pow/sjzY8hWj
dP8Z5mGzbuw2iwttjHNACpD87ZJPdeF4LFFC32mo+QVTU0yZepf90ZQ4znvmbKfm
g3GkFuBKp9R819MzyluLSOd4qzIMlCAsypQe+9Fm4HGJ235ca0c=
=nSj6
-----END PGP SIGNATURE-----