RHEL-112009 CVE-2025-53906 vim: Vim path traversal

Resolves: RHEL-112009

0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch

@@ -0,0 +1,70 @@
+diff -up vim82/runtime/autoload/zip.vim.CVE-2025-53906 vim82/runtime/autoload/zip.vim
+--- vim82/runtime/autoload/zip.vim.CVE-2025-53906	2021-03-22 10:02:41.000000000 +0100
++++ vim82/runtime/autoload/zip.vim	2025-09-10 19:33:11.491115978 +0200
+@@ -251,6 +251,7 @@ fun! zip#Write(fname)
+ "  call Dfunc("zip#Write(fname<".a:fname.">) zipfile_".winnr()."<".s:zipfile_{winnr()}.">")
+   let repkeep= &report
+   set report=10
++  let need_rename = 0
+ 
+   " sanity checks
+   if !executable(substitute(g:zip_zipcmd,'\s\+.*$','',''))
+@@ -261,14 +262,6 @@ fun! zip#Write(fname)
+ "   call Dret("zip#Write")
+    return
+   endif
+-  if !exists("*mkdir")
+-   redraw!
+-   echohl Error | echo "***error*** (zip#Write) sorry, mkdir() doesn't work on your system" | echohl None
+-"   call inputsave()|call input("Press <cr> to continue")|call inputrestore()
+-   let &report= repkeep
+-"   call Dret("zip#Write")
+-   return
+-  endif
+ 
+   let curdir= getcwd()
+   let tmpdir= tempname()
+@@ -302,6 +295,11 @@ fun! zip#Write(fname)
+    let zipfile = substitute(a:fname,'^.\{-}zipfile:\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'^.\{-}zipfile:.\{-}::\([^\\].*\)$','\1','')
+   endif
++  if fname =~ '^[.]\{1,2}/'
++    call system(g:zip_zipcmd." -d ".s:Escape(fnamemodify(zipfile,":p"),0)." ".s:Escape(fname,0))
++    let fname = fname->substitute('^\([.]\{1,2}/\)\+', '', 'g')
++    let need_rename = 1
++  endif
+ "  call Decho("zipfile<".zipfile.">")
+ "  call Decho("fname  <".fname.">")
+ 
+@@ -318,7 +316,7 @@ fun! zip#Write(fname)
+   endif
+ "  call Decho("zipfile<".zipfile."> fname<".fname.">")
+ 
+-  exe "w! ".fnameescape(fname)
++  exe "w ".fnameescape(fname)
+   if has("win32unix") && executable("cygpath")
+    let zipfile = substitute(system("cygpath ".s:Escape(zipfile,0)),'\n','','e')
+   endif
+@@ -348,6 +346,10 @@ fun! zip#Write(fname)
+    let &binary = binkeep
+    q!
+    unlet s:zipfile_{winnr()}
++  elseif need_rename
++    exe $"sil keepalt file {fnameescape($"zipfile://{zipfile}::{fname}")}"
++    redraw!
++    echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, dropping relative path" | echohl None
+   endif
+   
+   " cleanup and restore current directory
+@@ -383,6 +385,11 @@ fun! zip#Extract()
+    let &report= repkeep
+ "   call Dret("zip#Extract")
+    return
++  elseif fname =~ '^[.]\?[.]/'
++    redraw!
++    echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None
++    let &report= repkeep
++    return
+   endif
+ 
+   " extract the file mentioned under the cursor

vim.spec

@@ -149,6 +149,9 @@ Patch3054: 0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
 Patch3055: vim-CVE-2023-4752.patch
 # RHEL-112005 CVE-2025-53905 vim: Vim path traversial
 Patch3056: 0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch
+# RHEL-112009 CVE-2025-53906 vim: Vim path traversal
+Patch3057: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
+
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -392,6 +395,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3054 -p1 -b .cve2021-3903
 %patch -P 3055 -p1 -b .CVE-2023-4752
 %patch -P 3056 -p1 -b .CVE-2025-53905
+%patch -P 3057 -p1 -b .CVE-2025-53906
 
 %build
 cd src
@@ -951,6 +955,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Wed Sep 17 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-23
 - RHEL-112005 CVE-2025-53905 vim: Vim path traversial
+- RHEL-112009 CVE-2025-53906 vim: Vim path traversal
 
 * Tue Feb 25 2025 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-22
 - RHEL-2159 vim: Heap Use After Free in function ins_compl_get_exp in vim/vim