RHEL-113549 CVE-2025-53906 vim: Vim path traversal

Resolves: RHEL-113549

0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch

@@ -0,0 +1,70 @@
+diff -up vim91/runtime/autoload/zip.vim.zip-cve vim91/runtime/autoload/zip.vim
+--- vim91/runtime/autoload/zip.vim.zip-cve	2024-02-09 06:33:54.000000000 +0100
++++ vim91/runtime/autoload/zip.vim	2025-09-10 17:25:19.916119963 +0200
+@@ -266,6 +266,7 @@ fun! zip#Write(fname)
+ "  call Dfunc("zip#Write(fname<".a:fname.">) zipfile_".winnr()."<".s:zipfile_{winnr()}.">")
+   let repkeep= &report
+   set report=10
++  let need_rename = 0
+ 
+   " sanity checks
+   if !executable(substitute(g:zip_zipcmd,'\s\+.*$','',''))
+@@ -276,14 +277,6 @@ fun! zip#Write(fname)
+ "   call Dret("zip#Write")
+    return
+   endif
+-  if !exists("*mkdir")
+-   redraw!
+-   echohl Error | echo "***error*** (zip#Write) sorry, mkdir() doesn't work on your system" | echohl None
+-"   call inputsave()|call input("Press <cr> to continue")|call inputrestore()
+-   let &report= repkeep
+-"   call Dret("zip#Write")
+-   return
+-  endif
+ 
+   let curdir= getcwd()
+   let tmpdir= tempname()
+@@ -317,6 +310,11 @@ fun! zip#Write(fname)
+    let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','')
+   endif
++  if fname =~ '^[.]\{1,2}/'
++    call system(g:zip_zipcmd." -d ".s:Escape(fnamemodify(zipfile,":p"),0)." ".s:Escape(fname,0))
++    let fname = fname->substitute('^\([.]\{1,2}/\)\+', '', 'g')
++    let need_rename = 1
++  endif
+ "  call Decho("zipfile<".zipfile.">")
+ "  call Decho("fname  <".fname.">")
+ 
+@@ -333,7 +331,7 @@ fun! zip#Write(fname)
+   endif
+ "  call Decho("zipfile<".zipfile."> fname<".fname.">")
+ 
+-  exe "w! ".fnameescape(fname)
++  exe "w ".fnameescape(fname)
+   if has("win32unix") && executable("cygpath")
+    let zipfile = substitute(system("cygpath ".s:Escape(zipfile,0)),'\n','','e')
+   endif
+@@ -363,6 +361,10 @@ fun! zip#Write(fname)
+    let &binary = binkeep
+    q!
+    unlet s:zipfile_{winnr()}
++  elseif need_rename
++    exe $"sil keepalt file {fnameescape($"zipfile://{zipfile}::{fname}")}"
++    redraw!
++    echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, dropping relative path" | echohl None
+   endif
+   
+   " cleanup and restore current directory
+@@ -398,6 +400,11 @@ fun! zip#Extract()
+    let &report= repkeep
+ "   call Dret("zip#Extract")
+    return
++  elseif fname =~ '^[.]\?[.]/'
++    redraw!
++    echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None
++    let &report= repkeep
++    return
+   endif
+ 
+   " extract the file mentioned under the cursor

vim.spec

@@ -51,7 +51,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 2
 # swift.vim contains Apache 2.0 with runtime library exception:
 # which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
@@ -106,6 +106,8 @@ Patch3005: vim-8.0-copy-paste.patch
 #                https://github.com/vim/vim/commit/39a94d204
 Patch3006: 0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch
 Patch3007: 0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch
+# RHEL-113549 CVE-2025-53906 vim: Vim path traversal
+Patch3008: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
 
 
 # uses autoconf in spec file
@@ -431,6 +433,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3005 -p1 -b .copypaste
 %patch -P 3006 -p1 -b .buffer-overflow
 %patch -P 3007 -p1 -b .typo
+%patch -P 3008 -p1 -b .zip-cve
 
 %build
 cd src
@@ -1066,6 +1069,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 
 
 %changelog
+* Wed Sep 10 2025 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-6
+- RHEL-113549 CVE-2025-53906 vim: Vim path traversal
+
 * Mon Jan 27 2025 Zdenek Dohnal <zdohnal@redhat.com> - 2:9.1.083-5
 - rebuilt with new GCC to fix RHEL-74127