diff --git a/SOURCES/0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch b/SOURCES/0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch
new file mode 100644
index 00000000..708510fe
--- /dev/null
+++ b/SOURCES/0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch
@@ -0,0 +1,48 @@
+From 7088926316d8d4a7572a242d0765e99adfc8b083 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Wed, 1 Apr 2026 16:23:49 +0000
+Subject: [PATCH] patch 9.2.0280: [security]: path traversal issue in zip.vim
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem: [security]: path traversal issue in zip.vim
+Solution: Detect more such attacks and warn the user.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24
+
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -278,6 +278,13 @@ fun! zip#Write(fname)
+ return
+ endif
+
++ if simplify(a:fname) =~ '\.\.[/\\]'
++ redraw!
++ echohl Error | echo "***error*** (zip#Write) Path Traversal Attack detected, not writing!" | echohl None
++ let &report= repkeep
++ return
++ endif
++
+ let curdir= getcwd()
+ let tmpdir= tempname()
+ " call Decho("orig tempname<".tmpdir.">")
+@@ -400,7 +407,7 @@ fun! zip#Extract()
+ let &report= repkeep
+ " call Dret("zip#Extract")
+ return
+- elseif fname =~ '^[.]\?[.]/'
++ elseif fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\\]'
+ redraw!
+ echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None
+ let &report= repkeep
+--
+2.49.0
+
diff --git a/SOURCES/0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch b/SOURCES/0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch
new file mode 100644
index 00000000..b79e48b5
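Review bot: The new guard in the zip#Write hunk runs `simplify()` over `a:fname`, which is the whole `zipfile:<archive>::<member>` buffer name and not the member path, so its outcome also depends on where the archive itself lives. An archive opened through a relative path containing `..` would be refused, and `..` segments in the member part may be normalised against the archive-path components before the match is tried (inferred from how simplify() collapses paths; the function body continues outside the hunk). The test fits better on the member name, below the `let fname = substitute(...)` lines shown in the 9.2.0299 patch, as `if simplify(fname) =~ '\%(^\|[/\\]\)\.\.\%([/\\]\|$\)'`. That pattern also ties `..` to a whole path component, so a name like `a../b` is not flagged and a bare trailing `..` is; the same unanchored `'\.\.[/\\]'` appears in the zip#Extract hunk.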
--- /dev/null
+++ b/SOURCES/0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch
@@ -0,0 +1,51 @@
+From 46f530e517bd1b59acc2eb0d2aa76d02e54ca9fe Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 5 Apr 2026 15:58:00 +0000
+Subject: [PATCH] patch 9.2.0299: runtime(zip): may write using absolute paths
+
+Problem: runtime(zip): may write using absolute paths
+ (syndicate)
+Solution: Detect this case and abort on Unix, warn in the documentation
+ about possible issues
+
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 8 ++++++++
+ runtime/doc/pi_zip.txt | 4 ++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -313,6 +313,14 @@ fun! zip#Write(fname)
+ if has("unix")
+ let zipfile = substitute(a:fname,'zipfile:\(.\{-}\)::[^\\].*$','\1','')
+ let fname = substitute(a:fname,'zipfile:.\{-}::\([^\\].*\)$','\1','')
++ " fname should not start with a leading slash to avoid writing anywhere into the system
++ if fname =~ '^/'
++ redraw!
++ echohl Error | echo "***error*** (zip#Write) Path Traversal Attack detected, not writing!" | echohl None
++ call s:ChgDir(curdir,s:WARNING,"(zip#Write) unable to return to ".curdir."!")
++ let &report= repkeep
++ return
++ endif
+ else
+ let zipfile = substitute(a:fname,'^.\{-}zipfile:\(.\{-}\)::[^\\].*$','\1','')
+ let fname = substitute(a:fname,'^.\{-}zipfile:.\{-}::\([^\\].*\)$','\1','')
+diff --git a/runtime/doc/pi_zip.txt b/runtime/doc/pi_zip.txt
+--- a/runtime/doc/pi_zip.txt
++++ b/runtime/doc/pi_zip.txt
+@@ -32,6 +32,10 @@
+ the desired file, then hit the key. After editing, one may
+ also write to the file. Currently, one may not make a new file in
+ zip archives via the plugin.
++
++ The zip plugin tries to detect some common path traversal attack
++ patterns, but it may not catch all possible cases. Please be very
++ careful when using this plugin with untrusted input.
+
+ *zip-x*
+ x : may extract a listed file when the cursor is atop it
+--
+2.49.0
+
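Review bot: Only the `has("unix")` branch of zip#Write gains the absolute-path guard; the `else` branch still derives `fname` and carries on, so on non-Unix builds a member name that starts with a drive letter or a separator is not rejected here. The 9.2.0304 patch in this same change tests `fname =~ '^\%(\a:[\\/]\|[\\/]\)'` in zip#Extract, and the same test with the same error path would fit after the `else` substitutions. This has no effect on the Unix package being built, but it leaves the two functions inconsistent. The early return restores the working directory through `s:ChgDir(curdir, ...)`, and nothing in the hunk cleans up the `tmpdir` that the function sets up earlier (outside the hunk), so it is worth confirming that the abort path leaves nothing behind.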
diff --git a/SOURCES/0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch b/SOURCES/0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
new file mode 100644
index 00000000..e9065989
--- /dev/null
+++ b/SOURCES/0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
@@ -0,0 +1,45 @@
+From 351a16c88f56aeeca5e06095624dd701b264b2a9 Mon Sep 17 00:00:00 2001
+From: q1uf3ng
+Date: Wed, 15 Apr 2026 04:03:02 +0000
+Subject: [PATCH] runtime(zip): block absolute paths in zip#Extract
+
+zip#Extract(): add absolute path checks for both Unix and Windows,
+matching the existing checks in zip#Write().
+
+closes: #19976
+
+Signed-off-by: q1uf3ng
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -421,6 +421,22 @@ fun! zip#Extract()
+ let &report= repkeep
+ return
+ endif
++ " block absolute paths
++ if has("unix")
++ if fname =~ '^/'
++ redraw!
++ echohl Error | echo "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!" | echohl None
++ let &report= repkeep
++ return
++ endif
++ else
++ if fname =~ '^\%(\a:[\\/]\|[\\/]\)'
++ redraw!
++ echohl Error | echo "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!" | echohl None
++ let &report= repkeep
++ return
++ endif
++ endif
+
+ " extract the file mentioned under the cursor
+ " call Decho("system(".g:zip_extractcmd." ".shellescape(b:zipfile)." ".shellescape(shell).")")
+--
+2.49.0
+
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index e70d7754..b604426d 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
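Review bot: The non-Unix pattern `'^\%(\a:[\\/]\|[\\/]\)'` treats a drive letter as absolute only when a separator follows it, so a drive-qualified member name without one is not refused by this check, although it may not resolve under the extraction directory. `if fname =~ '^\%(\a:\|[\\/]\)'` would reject any drive-qualified name. The two branches also repeat the same four-line error block; a single `if` whose pattern is chosen by `has("unix")` would keep the messages and the `&report` restore from drifting apart. zip#Extract starts and ends outside the hunk.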
@@ -24,7 +24,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 22%{?dist}.3 +Release: 23%{?dist} License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: vim.sh @@ -148,6 +148,14 @@ Patch3051: 0001-patch-8.1.1366-using-expressions-in-modeline-is-unsafe.patch Patch3052: 0001-patch-8.1.1401-misspelled-mkspellmem.patch Patch3053: 0001-patch-9.2.0276-security-modeline-security-bypass.patch Patch3054: 0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch +# RHEL-170126 CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass +# https://redhat.atlassian.net/browse/RHEL-170126 +# https://github.com/vim/vim/commit/7088926316d8 +# https://github.com/vim/vim/commit/46f530e517bd +# https://github.com/vim/vim/commit/351a16c88f56 +Patch3055: 0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch +Patch3056: 0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch +Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -383,6 +391,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3052 -p1 -b .mkspellmem-fix %patch -P 3053 -p1 -b .modeline-bypass %patch -P 3054 -p1 -b .modeline-tests +%patch -P 3055 -p1 -b .zip-path-traversal +%patch -P 3056 -p1 -b .zip-abs-write +%patch -P 3057 -p1 -b .zip-abs-extract %build %if 0%{?rhel} > 7 @@ -901,6 +912,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Wed May 20 2026 Zdenek Dohnal - 2:8.0.1763-23 +- RHEL-170126 CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite + via path traversal bypass + * Fri Apr 17 2026 Zdenek Dohnal - 2:8.0.1763-22.3 - Relates: RHEL-164956 vim: arbitrary command execution via modeline sandbox bypass