From e281bf1103078176459b3b36e06471e08ca93373 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 10 Sep 2025 17:59:40 +0200
Subject: [PATCH] RHEL-113549 CVE-2025-53906 vim: Vim path traversal

Resolves: RHEL-113549
---
 ...ecurity-path-traversal-issue-in-zip..patch | 70 +++++++++++++++++++
 vim.spec | 8 ++-
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch

diff --git a/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch b/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
new file mode 100644
index 00000000..4a86e0aa
--- /dev/null
+++ b/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
@@ -0,0 +1,70 @@
+diff -up vim91/runtime/autoload/zip.vim.zip-cve vim91/runtime/autoload/zip.vim
+--- vim91/runtime/autoload/zip.vim.zip-cve 2024-02-09 06:33:54.000000000 +0100
++++ vim91/runtime/autoload/zip.vim 2025-09-10 17:25:19.916119963 +0200
+@@ -266,6 +266,7 @@ fun! zip#Write(fname)
+ " call Dfunc("zip#Write(fname<".a:fname.">) zipfile_".winnr()."<".s:zipfile_{winnr()}.">")
+ let repkeep= &report
+ set report=10
++ let need_rename = 0
+
+ " sanity checks
+ if !executable(substitute(g:zip_zipcmd,'\s\+.*$','',''))
+@@ -276,14 +277,6 @@ fun! zip#Write(fname)
+ " call Dret("zip#Write")
+ return
+ endif
+- if !exists("*mkdir")
+- redraw!
+- echohl Error | echo "***error*** (zip#Write) sorry, mkdir() doesn't work on your system" | echohl None
+-" call inputsave()|call input("Press to continue")|call inputrestore()
+- let &report= repkeep
+-" call Dret("zip#Write")
+- return
+- endif
+
+ let curdir= getcwd()
+ let tmpdir= tempname()
+@@ -317,6 +310,11 @@ fun! zip#Write(fname)
+ let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','')
+ let fname = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','')
+ endif
++ if fname =~ '^[.]\{1,2}/'
++ call system(g:zip_zipcmd." -d ".s:Escape(fnamemodify(zipfile,":p"),0)." ".s:Escape(fname,0))
++ let fname = fname->substitute('^\([.]\{1,2}/\)\+', '', 'g')
++ let need_rename = 1
++ endif
+ " call Decho("zipfile<".zipfile.">")
+ " call Decho("fname <".fname.">")
+
+@@ -333,7 +331,7 @@ fun! zip#Write(fname)
+ endif
+ " call Decho("zipfile<".zipfile."> fname<".fname.">")
+
+- exe "w! ".fnameescape(fname)
++ exe "w ".fnameescape(fname)
+ if has("win32unix") && executable("cygpath")
+ let zipfile = substitute(system("cygpath ".s:Escape(zipfile,0)),'\n','','e')
+ endif
+@@ -363,6 +361,10 @@ fun! zip#Write(fname)
+ let &binary = binkeep
+ q!
+ unlet s:zipfile_{winnr()}
++ elseif need_rename
++ exe $"sil keepalt file {fnameescape($"zipfile://{zipfile}::{fname}")}"
++ redraw!
++ echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, dropping relative path" | echohl None
+ endif
+
+ " cleanup and restore current directory
+@@ -398,6 +400,11 @@ fun! zip#Extract()
+ let &report= repkeep
+ " call Dret("zip#Extract")
+ return
++ elseif fname =~ '^[.]\?[.]/'
++ redraw!
++ echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None
++ let &report= repkeep
++ return
+ endif
+
+ " extract the file mentioned under the cursor
diff --git a/vim.spec b/vim.spec
index 177a4bc0..39754b69 100644
--- a/vim.spec
+++ b/vim.spec
@@ -51,7 +51,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 2
 # swift.vim contains Apache 2.0 with runtime library exception:
 # which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
@@ -106,6 +106,8 @@ Patch3005: vim-8.0-copy-paste.patch
 # https://github.com/vim/vim/commit/39a94d204
 Patch3006: 0001-patch-9.1.0903-potential-overflow-in-spell_soundfold.patch
 Patch3007: 0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch
+# RHEL-113549 CVE-2025-53906 vim: Vim path traversal
+Patch3008: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
 # uses autoconf in spec file
@@ -431,6 +433,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3005 -p1 -b .copypaste
 %patch -P 3006 -p1 -b .buffer-overflow
 %patch -P 3007 -p1 -b .typo
+%patch -P 3008 -p1 -b .zip-cve
 %build
 cd src
@@ -1066,6 +1069,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
+* Wed Sep 10 2025 Zdenek Dohnal - 2:9.1.083-6
+- RHEL-113549 CVE-2025-53906 vim: Vim path traversal
+
 * Mon Jan 27 2025 Zdenek Dohnal - 2:9.1.083-5
 - rebuilt with new GCC to fix RHEL-74127
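Review bot: Both new guards in the embedded zip.vim patch test only the start of the member name: `fname =~ '^[.]\{1,2}/'` in zip#Write and `fname =~ '^[.]\?[.]/'` in zip#Extract match a leading `./` or `../`, so a `..` component further inside the name (constructed example: `docs/../../x`) passes both. Whether interior components or absolute names are rejected elsewhere is not visible here, because both function bodies continue outside the hunks. In zip#Extract I would refuse any `..` component as well, e.g. `elseif fname =~ '^[.]\?[.]/' || fname =~ '\(^\|/\)[.][.]\(/\|$\)'`, and apply the same test in zip#Write before the `system()` call. The two new messages are tagged `(zip#Browse)` although they are raised from zip#Write and zip#Extract; `(zip#Write)` and `(zip#Extract)` would make a user report traceable, as the removed mkdir message did.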