========================================
Vim Variant Analysis Script
GHSA-2gmj-rpqf-pxvh / CVE-2026-34714
========================================

[*] Vulnerable Vim: /data/pruva/runs/2cdc80ca-2247-44e2-91bc-65b96f1563e7/vim-repo/src/vim
[*] Fixed Vim: /data/pruva/runs/2cdc80ca-2247-44e2-91bc-65b96f1563e7/vim-fixed/src/vim (if available)

[TEST 1] Confirming original tabpanel vulnerability on vulnerable version...
<5b96f1563e7/logs/vuln_variant/test1_modeline.txt"
<63e7/logs/vuln_variant/test1_modeline.txt" 2L, 42B
tabpanel=pwned_value
[PASS] tabpanel can be set via modeline without modelineexpr (vulnerable)

[TEST 2] Testing autocmd_add sandbox bypass on vulnerable version...
[FAIL] autocmd_add sandbox bypass not working

[TEST 3] Testing printheader variant on vulnerable version...
<6f1563e7/logs/vuln_variant/test3_printheader.txt"
<7/logs/vuln_variant/test3_printheader.txt" 2L, 77B
printheader=%!autocmd_add([{'event'
[PASS] printheader can be set via modeline without modelineexpr (variant confirmed)

[TEST 4] Verifying tabpanel fix on fixed version...
<5b96f1563e7/logs/vuln_variant/test4_modeline.txt"
<63e7/logs/vuln_variant/test4_modeline.txt" 2L, 74B
Error detected while processing modelines:
line 2:
E992: Not allowed in a modeline when 'modelineexpr' is off: tabpanel=%!autocmd_
add([{'event'
tabpanel=
[PASS] tabpanel now correctly requires modelineexpr (fix working)

[TEST 5] Verifying autocmd_add sandbox fix on fixed version...
Error detected while processing command line:
E48: Not allowed in sandbox
[PASS] autocmd_add now blocked in sandbox (fix working)

[TEST 6] Testing printheader variant on FIXED version...
<6f1563e7/logs/vuln_variant/test3_printheader.txt"
<7/logs/vuln_variant/test3_printheader.txt" 2L, 77B
printheader=%!autocmd_add([{'event'
[VARIANT CONFIRMED] printheader can STILL be set via modeline on fixed version!
This is a valid variant - printheader lacks P_MLE protection

[TEST 7] Verifying titlestring correctly requires modelineexpr...
<6f1563e7/logs/vuln_variant/test7_titlestring.txt"
<7/logs/vuln_variant/test7_titlestring.txt" 2L, 77B
Error detected while processing modelines:
line 2:
E992: Not allowed in a modeline when 'modelineexpr' is off: titlestring=%!autoc
md_add([{'event'
titlestring=
[INFO] titlestring behavior: titlestring=

========================================
VARIANT ANALYSIS SUMMARY
========================================

Original Vulnerability (tabpanel):
  - Can be set via modeline without modelineexpr: YES (vulnerable)
  - Fixed in 9.2.0272: YES (P_MLE added)

Sandbox Escape (autocmd_add):
  - Works in sandbox: YES (vulnerable)
  - Fixed in 9.2.0272: YES (check_secure added)

Variant Found (printheader):
  - Can be set via modeline without modelineexpr: YES
  - Fixed in 9.2.0272: NO (still vulnerable)
  - Severity: Lower (requires :hardcopy to trigger)

Recommendations:
  - Add P_MLE flag to printheader option
  - Audit all expression-evaluating options for missing P_MLE