diff options
| author | Adam Weinberger <adamw@FreeBSD.org> | 2025-03-13 00:59:01 +0000 |
|---|---|---|
| committer | Adam Weinberger <adamw@FreeBSD.org> | 2025-03-13 01:02:13 +0000 |
| commit | 11f6bb7d5e38f59a22a8a05ff68d629b7839a099 (patch) | |
| tree | 90ee771d16319e3bcff54564e074775fbff72c2e | |
| parent | 904414083c983838ca6acad0ffac8d47a8cdbfa7 (diff) | |
editors/vim: Update to 9.1.1198 (security)
potential data loss with zip.vim and special crafted zip files
Date: 12.03.2025
Severity: Medium
CVE: CVE-2025-29768
CWE: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
Summary
potential data loss with zip.vim and special crafted zip files
Description
Vim is distributed with the zip.vim plugin, that allows easy editing and
viewing of zip archives.
To view and extract zip files, vim uses the unzip(1) command, usually
provided by Info-ZIP, latest version on Debian is 6.0 from April 2009.
If an attacker creates an archive which contains a file -d/tmp, and a Vim
user views such a file and tries to extract such filename from
the archive, Vim will essentially run the following unzip command:
unzip -o <archive.zip> member-filename
However, since the member-filename is called -d/tmp, this is seen by
the unzip command as an additional argument and it therefore happily
extracts the whole archive into the mentioned directory, overwriting existing
files because of the -o.
Unfortunately, the latest released unzip version does not support --
as and end-of-argument marker, so we cannot use this to mark the
beginning of the member-files for unzip. Well, apparently there exists
some 6.10 beta release, that hasn't made it to an official release
yet which supports the use of the -- marker since 2010 (but this isn't
widely known).
Therefore, Vim will try to work-around it by using the [-] glob when a
filename starts with a - to protect unzip from parsing the filename as
an argument, which is just an ugly work-around.
Impact
Impact is moderate because a user must be made to view such an archive
with Vim and then press 'x' to extract such a strange filename.
The Vim project would like to thank @Ry0taK (GMO Flatt Security Inc) and
@takumi-san-ai for reporting this issue.
MFH: 2025Q1
Security: GHSA-693p-m996-3rmf
(cherry picked from commit f1e4dac294a4de0cd9dcf6d85d0573a70e2bc2cd)
| -rw-r--r-- | editors/vim/Makefile | 2 | ||||
| -rw-r--r-- | editors/vim/distinfo | 6 |
2 files changed, 4 insertions, 4 deletions
diff --git a/editors/vim/Makefile b/editors/vim/Makefile index 5a792383d5c5..5db2e15ad8c9 100644 --- a/editors/vim/Makefile +++ b/editors/vim/Makefile @@ -1,5 +1,5 @@ PORTNAME= vim -PORTVERSION= 9.1.1166 +PORTVERSION= 9.1.1199 DISTVERSIONPREFIX= v CATEGORIES= editors diff --git a/editors/vim/distinfo b/editors/vim/distinfo index 42237eeb2869..0722d41f5266 100644 --- a/editors/vim/distinfo +++ b/editors/vim/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1740975157 -SHA256 (vim-vim-v9.1.1166_GH0.tar.gz) = 18543682cffe511407ef6a61af6df842d60232fad58c7c02544ae5860107e6be -SIZE (vim-vim-v9.1.1166_GH0.tar.gz) = 18510701 +TIMESTAMP = 1741827711 +SHA256 (vim-vim-v9.1.1199_GH0.tar.gz) = fc71b4cd30e55cd02c3f4147ea9c678e53fefc3f016eab368881bada72d18d4b +SIZE (vim-vim-v9.1.1199_GH0.tar.gz) = 18543175 |