diff --git a/0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch b/0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch
new file mode 100644
index 00000000..708510fe
--- /dev/null
+++ b/0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch
@@ -0,0 +1,48 @@
+From 7088926316d8d4a7572a242d0765e99adfc8b083 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Wed, 1 Apr 2026 16:23:49 +0000
+Subject: [PATCH] patch 9.2.0280: [security]: path traversal issue in zip.vim
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem: [security]: path traversal issue in zip.vim
+Solution: Detect more such attacks and warn the user.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24
+
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -278,6 +278,13 @@ fun! zip#Write(fname)
+ return
+ endif
+
++ if simplify(a:fname) =~ '\.\.[/\\]'
++ redraw!
++ echohl Error | echo "***error*** (zip#Write) Path Traversal Attack detected, not writing!" | echohl None
++ let &report= repkeep
++ return
++ endif
++
+ let curdir= getcwd()
+ let tmpdir= tempname()
+ " call Decho("orig tempname<".tmpdir.">")
+@@ -400,7 +407,7 @@ fun! zip#Extract()
+ let &report= repkeep
+ " call Dret("zip#Extract")
+ return
+- elseif fname =~ '^[.]\?[.]/'
++ elseif fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\\]'
+ redraw!
+ echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None
+ let &report= repkeep
+--
+2.49.0
+
diff --git a/0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch b/0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch
new file mode 100644
index 00000000..4e56b7bf
--- /dev/null
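Review bot: The new guard in zip#Write tests `simplify(a:fname)`, which is the whole `zipfile:…::…` buffer name rather than the member path, so the archive's own location takes part in the match. An archive reached through a relative parent directory would presumably be refused on write even though its member name is harmless, whereas the zip#Extract guard in the same patch tests only `fname`. Running the test on the member name once zip#Write has split it out (that substitute() call is outside this hunk; it appears as context in the 9.2.0299 patch) would keep the two guards aligned. A comment above each check, for example `" simplify() folds a benign 'a/../b'; any '..' left afterwards points outside the target directory`, would record why simplify() is used. The diffstat lists only zip.vim, so the backport carries no regression test for the new checks.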
+++ b/0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch 
@@ -0,0 +1,51 @@
+From 46f530e517bd1b59acc2eb0d2aa76d02e54ca9fe Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 5 Apr 2026 15:58:00 +0000
+Subject: [PATCH] patch 9.2.0299: runtime(zip): may write using absolute paths
+
+Problem: runtime(zip): may write using absolute paths
+ (syndicate)
+Solution: Detect this case and abort on Unix, warn in the documentation
+ about possible issues
+
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 8 ++++++++
+ runtime/doc/pi_zip.txt | 4 ++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -313,6 +313,14 @@ fun! zip#Write(fname)
+ if has("unix")
+ let zipfile = substitute(a:fname,'zipfile:\(.\{-}\)::[^\\].*$','\1','')
+ let fname = substitute(a:fname,'zipfile:.\{-}::\([^\\].*\)$','\1','')
++ " fname should not start with a leading slash to avoid writing anywhere into the system
++ if fname =~ '^/'
++ redraw!
++ echohl Error | echo "***error*** (zip#Write) Path Traversal Attack detected, not writing!" | echohl None
++ call s:ChgDir(curdir,s:WARNING,"(zip#Write) unable to return to ".curdir."!")
++ let &report= repkeep
++ return
++ endif
+ else
+ let zipfile = substitute(a:fname,'^.\{-}zipfile:\(.\{-}\)::[^\\].*$','\1','')
+ let fname = substitute(a:fname,'^.\{-}zipfile:.\{-}::\([^\\].*\)$','\1','')
+diff --git a/runtime/doc/pi_zip.txt b/runtime/doc/pi_zip.txt
+--- a/runtime/doc/pi_zip.txt
++++ b/runtime/doc/pi_zip.txt
+@@ -32,6 +32,10 @@
+ the desired file, then hit the key. After editing, one may
+ also write to the file. Currently, one may not make a new file in
+ zip archives via the plugin.
++
++ The zip plugin tries to detect some common path traversal attack
++ patterns, but it may not catch all possible cases. Please be very
++ careful when using this plugin with untrusted input.
+
+COMMANDS~
+ *zip-x*
+--
+2.49.0
+
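Review bot: The absolute-path guard sits only inside the `has("unix")` branch, so in the `else` branch zip#Write still accepts a member name that begins with a separator or a drive prefix. The commit message says Unix-only is intended here, but the `else` branch should then either carry a comment saying the check is deliberately absent or reuse the test that patch 9.2.0304 adds to zip#Extract, `if fname =~ '^\%(\a:[\\/]\|[\\/]\)'`. The early return restores the working directory and 'report'; whether the temporary directory set up earlier in zip#Write also needs cleaning at this point cannot be judged from the hunk, because the function starts and ends outside it.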
diff --git a/0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch b/0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
new file mode 100644
index 00000000..e9065989
--- /dev/null
+++ b/0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
@@ -0,0 +1,45 @@
+From 351a16c88f56aeeca5e06095624dd701b264b2a9 Mon Sep 17 00:00:00 2001
+From: q1uf3ng
+Date: Wed, 15 Apr 2026 04:03:02 +0000
+Subject: [PATCH] runtime(zip): block absolute paths in zip#Extract
+
+zip#Extract(): add absolute path checks for both Unix and Windows,
+matching the existing checks in zip#Write().
+
+closes: #19976
+
+Signed-off-by: q1uf3ng
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -421,6 +421,22 @@ fun! zip#Extract()
+ let &report= repkeep
+ return
+ endif
++ " block absolute paths
++ if has("unix")
++ if fname =~ '^/'
++ redraw!
++ echohl Error | echo "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!" | echohl None
++ let &report= repkeep
++ return
++ endif
++ else
++ if fname =~ '^\%(\a:[\\/]\|[\\/]\)'
++ redraw!
++ echohl Error | echo "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!" | echohl None
++ let &report= repkeep
++ return
++ endif
++ endif
+
+ " extract the file mentioned under the cursor
+ " call Decho("system(".g:zip_extractcmd." ".shellescape(b:zipfile)." ".shellescape(shell).")")
+--
+2.49.0
+
diff --git a/vim.spec b/vim.spec
index 7675110d..5e4753ad 100644
--- a/vim.spec
+++ b/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
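Review bot: The non-Unix pattern `'^\%(\a:[\\/]\|[\\/]\)'` in zip#Extract treats a drive letter as absolute only when a separator follows it, so a member name with a bare drive prefix passes this check. Whether the extract command would honour such a name is not visible from the hunk, so it should be confirmed rather than assumed. Dropping the separator requirement, `if fname =~ '^\%(\a:\|[\\/]\)'`, would reject every drive-qualified name. The two branches also repeat the same four-line error block that the other guards in this function use; a script-local helper that prints the message and restores 'report' would keep the messages consistent, since the older guard in this function still reports itself as `(zip#Browse)`. zip#Extract starts and ends outside the hunk.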
@@ -175,6 +175,14 @@ Patch3064: 0001-patch-9.2.0077-security-Crash-when-recovering-a-corr.patch # RHEL: https://redhat.atlassian.net/browse/RHEL-159631 # Upstream: https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a Patch3065: 0001-patch-9.2.0202-security-command-injection-via-newlin.patch +# RHEL-170137 CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass +# https://redhat.atlassian.net/browse/RHEL-170137 +# https://github.com/vim/vim/commit/7088926316d8 +# https://github.com/vim/vim/commit/46f530e517bd +# https://github.com/vim/vim/commit/351a16c88f56 +Patch3066: 0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch +Patch3067: 0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch +Patch3068: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch # gcc is no longer in buildroot by default @@ -428,6 +436,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3063 -p1 -b .check-page-count %patch -P 3064 -p1 -b .CVE-2026-28421 %patch -P 3065 -p1 -b .CVE-2026-33412 +%patch -P 3066 -p1 -b .CVE-2026-35177-zip-path-traversal +%patch -P 3067 -p1 -b .CVE-2026-35177-zip-absolute-write +%patch -P 3068 -p1 -b .CVE-2026-35177-zip-absolute-extract %build cd src @@ -980,6 +991,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %endif %changelog +* Wed May 20 2026 Zdenek Dohnal - 2:8.2.2637-29 +- CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite via path + traversal bypass + * Mon Apr 13 2026 Zdenek Dohnal - 2:8.2.2637-28 - Resolves: RHEL-159631 vim: Vim: Arbitrary code execution via command injection in glob() function