CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass

Resolves: RHEL-170124
2026-05-20 15:34:41 +02:00 · 2026-05-20 15:34:41 +02:00 · 38f3e85ee0
commit 38f3e85ee0
parent 0df914ea49
4 changed files with 160 additions and 1 deletions
--- a/0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch
+++ b/0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch
@ -0,0 +1,48 @@
+From 7088926316d8d4a7572a242d0765e99adfc8b083 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 1 Apr 2026 16:23:49 +0000
+Subject: [PATCH] patch 9.2.0280: [security]: path traversal issue in zip.vim
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem:  [security]: path traversal issue in zip.vim
+Solution: Detect more such attacks and warn the user.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
+++ b/runtime/autoload/zip.vim
+@@ -278,6 +278,13 @@ fun! zip#Write(fname)
+    return
+   endif
+ 
+  if simplify(a:fname) =~ '\.\.[/\\]'
+    redraw!
+    echohl Error | echo "***error*** (zip#Write) Path Traversal Attack detected, not writing!" | echohl None
+    let &report= repkeep
+    return
+  endif
+
+   let curdir= getcwd()
+   let tmpdir= tempname()
+ "  call Decho("orig tempname<".tmpdir.">")
+@@ -400,7 +407,7 @@ fun! zip#Extract()
+    let &report= repkeep
+ "   call Dret("zip#Extract")
+    return
+-  elseif fname =~ '^[.]\?[.]/'
+  elseif fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\\]'
+     redraw!
+     echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None
+     let &report= repkeep
+-- 
+2.49.0
+
--- a/0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch
+++ b/0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch
@ -0,0 +1,51 @@
+From 46f530e517bd1b59acc2eb0d2aa76d02e54ca9fe Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 5 Apr 2026 15:58:00 +0000
+Subject: [PATCH] patch 9.2.0299: runtime(zip): may write using absolute paths
+
+Problem:  runtime(zip): may write using absolute paths
+          (syndicate)
+Solution: Detect this case and abort on Unix, warn in the documentation
+          about possible issues
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim  | 8 ++++++++
+ runtime/doc/pi_zip.txt    | 4 ++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
+++ b/runtime/autoload/zip.vim
+@@ -313,6 +313,14 @@ fun! zip#Write(fname)
+   if has("unix")
+    let zipfile = substitute(a:fname,'zipfile://\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'zipfile://.\{-}::\([^\\].*\)$','\1','')
+   " fname should not start with a leading slash to avoid writing anywhere into the system
+   if fname =~ '^/'
+     redraw!
+     echohl Error | echo "***error*** (zip#Write) Path Traversal Attack detected, not writing!" | echohl None
+     call s:ChgDir(curdir,s:WARNING,"(zip#Write) unable to return to ".curdir."!")
+     let &report= repkeep
+     return
+   endif
+   else
+    let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','')
+diff --git a/runtime/doc/pi_zip.txt b/runtime/doc/pi_zip.txt
+--- a/runtime/doc/pi_zip.txt
+++ b/runtime/doc/pi_zip.txt
+@@ -32,6 +32,10 @@
+    the desired file, then hit the <return> key.  After editing, one may
+    also write to the file.  Currently, one may not make a new file in
+    zip archives via the plugin.
+
+   The zip plugin tries to detect some common path traversal attack
+   patterns, but it may not catch all possible cases. Please be very
+   careful when using this plugin with untrusted input.
+
+    COMMANDS~
+ 								*zip-x*
+--
+2.49.0
+
--- a/0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
+++ b/0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
@ -0,0 +1,45 @@
+From 351a16c88f56aeeca5e06095624dd701b264b2a9 Mon Sep 17 00:00:00 2001
+From: q1uf3ng <q1uf3ng@protone.me>
+Date: Wed, 15 Apr 2026 04:03:02 +0000
+Subject: [PATCH] runtime(zip): block absolute paths in zip#Extract
+
+zip#Extract(): add absolute path checks for both Unix and Windows,
+matching the existing checks in zip#Write().
+
+closes: #19976
+
+Signed-off-by: q1uf3ng <glna9@protonmail.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
+++ b/runtime/autoload/zip.vim
+@@ -421,6 +421,22 @@ fun! zip#Extract()
+     let &report= repkeep
+     return
+   endif
+  " block absolute paths
+  if has("unix")
+    if fname =~ '^/'
+      redraw!
+      echohl Error | echo "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!" | echohl None
+      let &report= repkeep
+      return
+    endif
+  else
+    if fname =~ '^\%(\a:[\\/]\|[\\/]\)'
+      redraw!
+      echohl Error | echo "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!" | echohl None
+      let &report= repkeep
+      return
+    endif
+  endif
+ 
+   " extract the file mentioned under the cursor
+ "  call Decho("system(".g:zip_extractcmd." ".shellescape(b:zipfile)." ".shellescape(shell).")")
+-- 
+2.49.0
+
--- a/vim.spec
+++ b/vim.spec
@ -51,7 +51,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 10%{?dist}
+Release: 11%{?dist}
 Epoch: 2
 # swift.vim contains Apache 2.0 with runtime library exception:
 # which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
@ -129,6 +129,14 @@ Patch3015: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch
 # RHEL: https://redhat.atlassian.net/browse/RHEL-159617
 # Upstream: https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
 Patch3016: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch
+# RHEL-170124 CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass
+# https://redhat.atlassian.net/browse/RHEL-170124
+# https://github.com/vim/vim/commit/7088926316d8
+# https://github.com/vim/vim/commit/46f530e517bd
+# https://github.com/vim/vim/commit/351a16c88f56
+Patch3017: 0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch
+Patch3018: 0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch
+Patch3019: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch


 # uses autoconf in spec file
@ -463,6 +471,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3014 -p1 -b .validateportnum
 %patch -P 3015 -p1 -b .CVE-2026-28421
 %patch -P 3016 -p1 -b .CVE-2026-33412
+%patch -P 3017 -p1 -b .zip-path-traversal
+%patch -P 3018 -p1 -b .zip-abs-write
+%patch -P 3019 -p1 -b .zip-abs-extract

 %build
 cd src
@ -1093,6 +1104,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags


 %changelog
+* Wed May 20 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-11
+- RHEL-170124 CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite
+  via path traversal bypass
+
 * Mon Apr 13 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-10
 - Resolves: RHEL-159617 vim: Vim: Arbitrary code execution via command injection
  in glob() function