RHEL-112005 CVE-2025-53905 vim: Vim path traversial

Resolves: RHEL-112005
2025-09-17 14:41:32 +02:00 · 2025-09-17 14:41:32 +02:00 · 9c9be9bb71
commit 9c9be9bb71
parent 1c67b891cf
2 changed files with 334 additions and 1 deletions
--- a/0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch
+++ b/0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch
@ -0,0 +1,327 @@
+diff -up vim82/runtime/autoload/tar.vim.CVE-2025-53905 vim82/runtime/autoload/tar.vim
+--- vim82/runtime/autoload/tar.vim.CVE-2025-53905	2021-03-22 10:02:41.000000000 +0100
+++ vim82/runtime/autoload/tar.vim	2025-09-10 19:28:55.467111778 +0200
+@@ -37,10 +37,10 @@ set cpo&vim
+ " ---------------------------------------------------------------------
+ "  Default Settings: {{{1
+ if !exists("g:tar_browseoptions")
+- let g:tar_browseoptions= "Ptf"
+ let g:tar_browseoptions= "tf"
+ endif
+ if !exists("g:tar_readoptions")
+- let g:tar_readoptions= "OPxf"
+ let g:tar_readoptions= "Oxf"
+ endif
+ if !exists("g:tar_cmd")
+  let g:tar_cmd= "tar"
+@@ -49,6 +49,7 @@ if !exists("g:tar_writeoptions")
+  let g:tar_writeoptions= "uf"
+ endif
+ if !exists("g:tar_delfile")
+ " Note: not supported on BSD
+  let g:tar_delfile="--delete -f"
+ endif
+ if !exists("g:netrw_cygwin")
+@@ -98,6 +99,9 @@ if !exists("g:tar_shq")
+ " call Decho("g:tar_shq<".g:tar_shq.">")
+ endif
+ 
+let g:tar_secure=' -- '
+let g:tar_leading_pat='^\%([.]\{,2\}/\)\+'
+
+ " ----------------
+ "  Functions: {{{1
+ " ----------------
+@@ -221,6 +225,15 @@ fun! tar#Browse(tarfile)
+    return
+   endif
+ 
+  " remove tar: Removing leading '/' from member names
+  " Note: the message could be localized
+  if search('^tar: ') > 0 || search(g:tar_leading_pat) > 0
+    call append(3,'" Note: Path Traversal Attack detected!')
+    let b:leading_slash = 1
+    " remove the message output
+    sil g/^tar: /d
+  endif
+
+   " set up maps supported for tar
+   setlocal noma nomod ro
+   noremap <silent> <buffer>	<cr>		:call <SID>TarBrowseSelect()<cr>
+@@ -242,12 +255,7 @@ fun! s:TarBrowseSelect()
+   let fname= getline(".")
+ "  call Decho("fname<".fname.">")
+ 
+-  if !exists("g:tar_secure") && fname =~ '^\s*-\|\s\+-'
+-   redraw!
+-   echohl WarningMsg | echo '***warning*** (tar#BrowseSelect) rejecting tarfile member<'.fname.'> because of embedded "-"'
+-"   call Dret('tar#BrowseSelect : rejecting tarfile member<'.fname.'> because of embedded "-"')
+-   return
+-  endif
+  let ls= get(b:, 'leading_slash', 0)
+ 
+   " sanity check
+   if fname =~ '^"'
+@@ -270,7 +278,8 @@ fun! s:TarBrowseSelect()
+    wincmd _
+   endif
+   let s:tblfile_{winnr()}= curfile
+-  call tar#Read("tarfile:".tarfile.'::'.fname,1)
+  let b:leading_slash= ls
+  call tar#Read("tarfile:".tarfile.'::'.fname)
+   filetype detect
+   set nomod
+   exe 'com! -buffer -nargs=? -complete=file TarDiff	:call tar#Diff(<q-args>,"'.fnameescape(fname).'")'
+@@ -281,8 +290,8 @@ endfun
+ 
+ " ---------------------------------------------------------------------
+ " tar#Read: {{{2
+-fun! tar#Read(fname,mode)
+-"  call Dfunc("tar#Read(fname<".a:fname.">,mode=".a:mode.")")
+fun! tar#Read(fname)
+"  call Dfunc("tar#Read(fname<".a:fname.">)")
+   let repkeep= &report
+   set report=10
+   let tarfile = substitute(a:fname,'tarfile:\(.\{-}\)::.*$','\1','')
+@@ -294,6 +303,8 @@ fun! tar#Read(fname,mode)
+ "  call Decho("tarfile<".tarfile.">")
+ "  call Decho("fname<".fname.">")
+ 
+  let curdir= getcwd()
+  let b:curdir= curdir
+   if  fname =~ '\.bz2$' && executable("bzcat")
+    let decmp= "|bzcat"
+    let doro = 1
+@@ -317,16 +328,11 @@ fun! tar#Read(fname,mode)
+    endif
+   endif
+ 
+-  if exists("g:tar_secure")
+-   let tar_secure= " -- "
+-  else
+-   let tar_secure= " "
+-  endif
+ 
+   if tarfile =~# '\.bz2$'
+-   exe "sil! r! bzip2 -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp
+   exe "sil! r! bzip2 -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp
+   elseif tarfile =~# '\.\(gz\)$'
+-   exe "sil! r! gzip -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp
+   exe "sil! r! gzip -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp
+ 
+   elseif tarfile =~# '\(\.tgz\|\.tbz\|\.txz\)'
+    if has("unix") && executable("file")
+@@ -335,28 +341,31 @@ fun! tar#Read(fname,mode)
+     let filekind= ""
+    endif
+    if filekind =~ "bzip2"
+-    exe "sil! r! bzip2 -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp
+    exe "sil! r! bzip2 -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp
+    elseif filekind =~ "XZ"
+-    exe "sil! r! xz -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp
+    exe "sil! r! xz -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp
+    elseif filekind =~ "Zstandard"
+-    exe "sil! r! zstd --decompress --stdout -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp
+    exe "sil! r! zstd --decompress --stdout -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp
+    else
+-    exe "sil! r! gzip -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp
+    exe "sil! r! gzip -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp
+    endif
+ 
+   elseif tarfile =~# '\.lrp$'
+-   exe "sil! r! cat -- ".shellescape(tarfile,1)." | gzip -d -c - | ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp
+   exe "sil! r! cat -- ".shellescape(tarfile,1)." | gzip -d -c - | ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp
+   elseif tarfile =~# '\.lzma$'
+-   exe "sil! r! lzma -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp
+   exe "sil! r! lzma -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp
+   elseif tarfile =~# '\.\(xz\|txz\)$'
+-   exe "sil! r! xz --decompress --stdout -- ".shellescape(tarfile,1)." | ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp
+   exe "sil! r! xz --decompress --stdout -- ".shellescape(tarfile,1)." | ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp
+   else
+    if tarfile =~ '^\s*-'
+     " A file name starting with a dash is taken as an option.  Prepend ./ to avoid that.
+     let tarfile = substitute(tarfile, '-', './-', '')
+    endif
+-"   call Decho("8: exe silent r! ".g:tar_cmd." -".g:tar_readoptions.tar_secure.shellescape(tarfile,1)." ".shellescape(fname,1).decmp)
+-   exe "silent r! ".g:tar_cmd." -".g:tar_readoptions.shellescape(tarfile,1)." ".tar_secure.shellescape(fname,1).decmp
+"   call Decho("8: exe silent r! ".g:tar_cmd." -".g:tar_readoptions.g:tar_secure.shellescape(tarfile,1)." ".shellescape(fname,1).decmp)
+   exe "silent r! ".g:tar_cmd." -".g:tar_readoptions.shellescape(tarfile,1)." ".g:tar_secure.shellescape(fname,1).decmp
+  endif
+  if get(b:, 'leading_slash', 0)
+    sil g/^tar: /d
+   endif
+ 
+   if doro
+@@ -365,13 +374,14 @@ fun! tar#Read(fname,mode)
+   endif
+ 
+   let b:tarfile= a:fname
+-  exe "file tarfile::".fnameescape(fname)
+ 
+   " cleanup
+   keepj sil! 0d
+   set nomod
+ 
+   let &report= repkeep
+  exe "lcd ".fnameescape(curdir)
+  silent exe "file tarfile::". fname->fnameescape()
+ "  call Dret("tar#Read : b:tarfile<".b:tarfile.">")
+ endfun
+ 
+@@ -382,13 +392,6 @@ fun! tar#Write(fname)
+   let repkeep= &report
+   set report=10
+ 
+-  if !exists("g:tar_secure") && a:fname =~ '^\s*-\|\s\+-'
+-   redraw!
+-   echohl WarningMsg | echo '***warning*** (tar#Write) rejecting tarfile member<'.a:fname.'> because of embedded "-"'
+-"   call Dret('tar#Write : rejecting tarfile member<'.fname.'> because of embedded "-"')
+-   return
+-  endif
+-
+   " sanity checks
+   if !executable(g:tar_cmd)
+    redraw!
+@@ -439,6 +442,13 @@ fun! tar#Write(fname)
+   let tarfile = substitute(b:tarfile,'tarfile:\(.\{-}\)::.*$','\1','')
+   let fname   = substitute(b:tarfile,'tarfile:.\{-}::\(.*\)$','\1','')
+ 
+  if get(b:, 'leading_slash', 0)
+   redraw!
+   echohl Error | echo "***error*** (tar#Write) sorry, not attempting to update ".tarfile." with ".fname | echohl None
+   let &report= repkeep
+   return
+  endif
+
+   " handle compressed archives
+   if tarfile =~# '\.bz2'
+    call system("bzip2 -d -- ".shellescape(tarfile,0))
+@@ -497,19 +507,15 @@ fun! tar#Write(fname)
+    endif
+ "   call Decho("tarfile<".tarfile."> fname<".fname.">")
+  
+-   if exists("g:tar_secure")
+-    let tar_secure= " -- "
+-   else
+-    let tar_secure= " "
+-   endif
+-   exe "w! ".fnameescape(fname)
+   " don't overwrite a file forcefully
+   exe "w ".fnameescape(fname)
+    if has("win32unix") && executable("cygpath")
+     let tarfile = substitute(system("cygpath ".shellescape(tarfile,0)),'\n','','e')
+    endif
+  
+    " delete old file from tarfile
+ "   call Decho("system(".g:tar_cmd." ".g:tar_delfile." ".shellescape(tarfile,0)." -- ".shellescape(fname,0).")")
+-   call system(g:tar_cmd." ".g:tar_delfile." ".shellescape(tarfile,0).tar_secure.shellescape(fname,0))
+   call system(g:tar_cmd." ".g:tar_delfile." ".shellescape(tarfile,0).g:tar_secure.shellescape(fname,0))
+    if v:shell_error != 0
+     redraw!
+ "    call Decho("***error*** (tar#Write) sorry, unable to update ".fnameescape(tarfile)." with ".fnameescape(fname))
+@@ -517,8 +523,8 @@ fun! tar#Write(fname)
+    else
+  
+     " update tarfile with new file 
+-"    call Decho(g:tar_cmd." -".g:tar_writeoptions." ".shellescape(tarfile,0).tar_secure.shellescape(fname,0))
+-    call system(g:tar_cmd." -".g:tar_writeoptions." ".shellescape(tarfile,0).tar_secure.shellescape(fname,0))
+"    call Decho(g:tar_cmd." -".g:tar_writeoptions." ".shellescape(tarfile,0).g:tar_secure.shellescape(fname,0))
+    call system(g:tar_cmd." -".g:tar_writeoptions." ".shellescape(tarfile,0).g:tar_secure.shellescape(fname,0))
+     if v:shell_error != 0
+      redraw!
+ "     call Decho("***error*** (tar#Write) sorry, unable to update ".fnameescape(tarfile)." with ".fnameescape(fname))
+@@ -568,6 +574,7 @@ fun! tar#Diff(userfname,fname)
+   if a:userfname != ""
+    let fname= a:userfname
+   endif
+  exe "lcd ".fnameescape(b:tmpdir). '/_ZIPVIM_'
+   if filereadable(fname)
+    " sets current file (from tarball) for diff'ing
+    " splits window vertically
+@@ -594,13 +601,6 @@ fun! tar#Extract()
+   let fname= getline(".")
+ "  call Decho("fname<".fname.">")
+ 
+-  if !exists("g:tar_secure") && fname =~ '^\s*-\|\s\+-'
+-   redraw!
+-   echohl WarningMsg | echo '***warning*** (tar#BrowseSelect) rejecting tarfile member<'.fname.'> because of embedded "-"'
+-"   call Dret('tar#BrowseSelect : rejecting tarfile member<'.fname.'> because of embedded "-"')
+-   return
+-  endif
+-
+   " sanity check
+   if fname =~ '^"'
+    let &report= repkeep
+@@ -621,7 +621,7 @@ fun! tar#Extract()
+     echohl Error | echo "***error*** ".extractcmd." ".tarbase.".tar ".fname.": failed!" | echohl NONE
+ "    call Decho("***error*** ".extractcmd." ".tarbase.".tar ".fname.": failed!")
+    else
+-    echo "***note*** successfully extracted ".fname
+    echo "***note*** successfully extracted ". fname
+    endif
+ 
+   elseif filereadable(tarbase.".tgz")
+diff -up vim82/runtime/doc/pi_tar.txt.CVE-2025-53905 vim82/runtime/doc/pi_tar.txt
+--- vim82/runtime/doc/pi_tar.txt.CVE-2025-53905	2021-03-22 10:02:41.000000000 +0100
+++ vim82/runtime/doc/pi_tar.txt	2025-09-10 19:30:36.070085946 +0200
+@@ -61,7 +61,7 @@ Copyright 2005-2017:					*tar-copyright*
+ 	the file mentioned in the tarball.  If the current directory is not
+ 	correct for that path, :TarDiff will fail to find the associated file.
+ 
+-	If the [filename] is given, that that filename (and path) will be used
+	If the [filename] is given, that filename (and path) will be used
+ 	to specify the associated file.
+ 
+ 
+@@ -86,18 +86,6 @@ Copyright 2005-2017:					*tar-copyright*
+    *g:tar_readoptions*    "OPxf"  used to extract a file from a tarball
+    *g:tar_cmd*            "tar"   the name of the tar program
+    *g:tar_nomax*            0     if true, file window will not be maximized
+-   *g:tar_secure*         undef   if exists:
+-					"--"s will be used to prevent unwanted
+-					option expansion in tar commands.
+-					Please be sure that your tar command
+-					accepts "--"; Posix compliant tar
+-					utilities do accept them.
+-				  if not exists:
+-				  	The tar plugin will reject any tar
+-					files or member files that begin with
+-					"-"
+-				  Not all tar's support the "--" which is why
+-				  it isn't default.
+    *g:tar_writeoptions*   "uf"    used to update/replace a file
+ 
+ 
+diff -up vim82/runtime/doc/tags.CVE-2025-53905 vim82/runtime/doc/tags
+--- vim82/runtime/doc/tags.CVE-2025-53905	2021-03-22 10:02:41.000000000 +0100
+++ vim82/runtime/doc/tags	2025-09-10 19:31:03.339666639 +0200
+@@ -6900,7 +6900,6 @@ g:tar_copycmd	pi_tar.txt	/*g:tar_copycmd
+ g:tar_extractcmd	pi_tar.txt	/*g:tar_extractcmd*
+ g:tar_nomax	pi_tar.txt	/*g:tar_nomax*
+ g:tar_readoptions	pi_tar.txt	/*g:tar_readoptions*
+-g:tar_secure	pi_tar.txt	/*g:tar_secure*
+ g:tar_writeoptions	pi_tar.txt	/*g:tar_writeoptions*
+ g:terminal_ansi_colors	terminal.txt	/*g:terminal_ansi_colors*
+ g:tex_comment_nospell	syntax.txt	/*g:tex_comment_nospell*
+diff -up vim82/runtime/plugin/tarPlugin.vim.CVE-2025-53905 vim82/runtime/plugin/tarPlugin.vim
+--- vim82/runtime/plugin/tarPlugin.vim.CVE-2025-53905	2021-03-22 10:02:42.000000000 +0100
+++ vim82/runtime/plugin/tarPlugin.vim	2025-09-10 19:25:22.726912254 +0200
+@@ -22,14 +22,14 @@ set cpo&vim
+ "  Public Interface: {{{1
+ augroup tar
+   au!
+-  au BufReadCmd   tarfile::*	call tar#Read(expand("<amatch>"), 1)
+-  au FileReadCmd  tarfile::*	call tar#Read(expand("<amatch>"), 0)
+  au BufReadCmd   tarfile::*	call tar#Read(expand("<amatch>"))
+  au FileReadCmd  tarfile::*	call tar#Read(expand("<amatch>"))
+   au BufWriteCmd  tarfile::*	call tar#Write(expand("<amatch>"))
+   au FileWriteCmd tarfile::*	call tar#Write(expand("<amatch>"))
+ 
+   if has("unix")
+-   au BufReadCmd   tarfile::*/*	call tar#Read(expand("<amatch>"), 1)
+-   au FileReadCmd  tarfile::*/*	call tar#Read(expand("<amatch>"), 0)
+   au BufReadCmd   tarfile::*/*	call tar#Read(expand("<amatch>"))
+   au FileReadCmd  tarfile::*/*	call tar#Read(expand("<amatch>"))
+    au BufWriteCmd  tarfile::*/*	call tar#Write(expand("<amatch>"))
+    au FileWriteCmd tarfile::*/*	call tar#Write(expand("<amatch>"))
+   endif
--- a/vim.spec
+++ b/vim.spec
@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@ -147,6 +147,8 @@ Patch3054: 0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
 # https://github.com/vim/vim/commit/d979d64fa2
 # https://github.com/vim/vim/commit/e2528ae111
 Patch3055: vim-CVE-2023-4752.patch
+# RHEL-112005 CVE-2025-53905 vim: Vim path traversial
+Patch3056: 0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -389,6 +391,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3053 -p1 -b .cve47024
 %patch -P 3054 -p1 -b .cve2021-3903
 %patch -P 3055 -p1 -b .CVE-2023-4752
+%patch -P 3056 -p1 -b .CVE-2025-53905

 %build
 cd src
@ -946,6 +949,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif

 %changelog
+* Wed Sep 17 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-23
+- RHEL-112005 CVE-2025-53905 vim: Vim path traversial
+
 * Tue Feb 25 2025 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-22
 - RHEL-2159 vim: Heap Use After Free in function ins_compl_get_exp in vim/vim