diff options
| author | Adam Weinberger <adamw@FreeBSD.org> | 2025-03-13 00:59:01 +0000 |
|---|---|---|
| committer | Adam Weinberger <adamw@FreeBSD.org> | 2025-03-13 00:59:01 +0000 |
| commit | f1e4dac294a4de0cd9dcf6d85d0573a70e2bc2cd (patch) | |
| tree | 5838dcb13aa70418a3a644acd0acfeb04e01b9b4 | |
| parent | 0ba3161fed90efaeea26438d6fb7815a262f392f (diff) | |
editors/vim: Update to 9.1.1198 (security)
potential data loss with zip.vim and special crafted zip files
Date: 12.03.2025
Severity: Medium
CVE: CVE-2025-29768
CWE: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
Summary
potential data loss with zip.vim and special crafted zip files
Description
Vim is distributed with the zip.vim plugin, that allows easy editing and
viewing of zip archives.
To view and extract zip files, vim uses the unzip(1) command, usually
provided by Info-ZIP, latest version on Debian is 6.0 from April 2009.
If an attacker creates an archive which contains a file -d/tmp, and a Vim
user views such a file and tries to extract such filename from
the archive, Vim will essentially run the following unzip command:
unzip -o <archive.zip> member-filename
However, since the member-filename is called -d/tmp, this is seen by
the unzip command as an additional argument and it therefore happily
extracts the whole archive into the mentioned directory, overwriting existing
files because of the -o.
Unfortunately, the latest released unzip version does not support --
as and end-of-argument marker, so we cannot use this to mark the
beginning of the member-files for unzip. Well, apparently there exists
some 6.10 beta release, that hasn't made it to an official release
yet which supports the use of the -- marker since 2010 (but this isn't
widely known).
Therefore, Vim will try to work-around it by using the [-] glob when a
filename starts with a - to protect unzip from parsing the filename as
an argument, which is just an ugly work-around.
Impact
Impact is moderate because a user must be made to view such an archive
with Vim and then press 'x' to extract such a strange filename.
The Vim project would like to thank @Ry0taK (GMO Flatt Security Inc) and
@takumi-san-ai for reporting this issue.
MFH: 2025Q1
Security: GHSA-693p-m996-3rmf
| -rw-r--r-- | editors/vim/Makefile | 2 | ||||
| -rw-r--r-- | editors/vim/distinfo | 6 |
2 files changed, 4 insertions, 4 deletions
diff --git a/editors/vim/Makefile b/editors/vim/Makefile index 5a792383d5c5..5db2e15ad8c9 100644 --- a/editors/vim/Makefile +++ b/editors/vim/Makefile @@ -1,5 +1,5 @@ PORTNAME= vim -PORTVERSION= 9.1.1166 +PORTVERSION= 9.1.1199 DISTVERSIONPREFIX= v CATEGORIES= editors diff --git a/editors/vim/distinfo b/editors/vim/distinfo index a0e434fc5d32..80766698bf2d 100644 --- a/editors/vim/distinfo +++ b/editors/vim/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1740973693 -SHA256 (vim-vim-v9.1.1166_GH0.tar.gz) = 18543682cffe511407ef6a61af6df842d60232fad58c7c02544ae5860107e6be -SIZE (vim-vim-v9.1.1166_GH0.tar.gz) = 18510701 +TIMESTAMP = 1741827177 +SHA256 (vim-vim-v9.1.1199_GH0.tar.gz) = fc71b4cd30e55cd02c3f4147ea9c678e53fefc3f016eab368881bada72d18d4b +SIZE (vim-vim-v9.1.1199_GH0.tar.gz) = 18543175 |