import UBI vim-8.0.1763-23.el8_10

SOURCES/0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch

@@ -0,0 +1,48 @@
+From 7088926316d8d4a7572a242d0765e99adfc8b083 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 1 Apr 2026 16:23:49 +0000
+Subject: [PATCH] patch 9.2.0280: [security]: path traversal issue in zip.vim
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem:  [security]: path traversal issue in zip.vim
+Solution: Detect more such attacks and warn the user.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -278,6 +278,13 @@ fun! zip#Write(fname)
+    return
+   endif
+ 
++  if simplify(a:fname) =~ '\.\.[/\\]'
++    redraw!
++    echohl Error | echo "***error*** (zip#Write) Path Traversal Attack detected, not writing!" | echohl None
++    let &report= repkeep
++    return
++  endif
++
+   let curdir= getcwd()
+   let tmpdir= tempname()
+ "  call Decho("orig tempname<".tmpdir.">")
+@@ -400,7 +407,7 @@ fun! zip#Extract()
+    let &report= repkeep
+ "   call Dret("zip#Extract")
+    return
+-  elseif fname =~ '^[.]\?[.]/'
++  elseif fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\\]'
+     redraw!
+     echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None
+     let &report= repkeep
+-- 
+2.49.0
+

SOURCES/0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch

@@ -0,0 +1,51 @@
+From 46f530e517bd1b59acc2eb0d2aa76d02e54ca9fe Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 5 Apr 2026 15:58:00 +0000
+Subject: [PATCH] patch 9.2.0299: runtime(zip): may write using absolute paths
+
+Problem:  runtime(zip): may write using absolute paths
+          (syndicate)
+Solution: Detect this case and abort on Unix, warn in the documentation
+          about possible issues
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim  | 8 ++++++++
+ runtime/doc/pi_zip.txt    | 4 ++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -313,6 +313,14 @@ fun! zip#Write(fname)
+   if has("unix")
+    let zipfile = substitute(a:fname,'zipfile:\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'zipfile:.\{-}::\([^\\].*\)$','\1','')
++   " fname should not start with a leading slash to avoid writing anywhere into the system
++   if fname =~ '^/'
++     redraw!
++     echohl Error | echo "***error*** (zip#Write) Path Traversal Attack detected, not writing!" | echohl None
++     call s:ChgDir(curdir,s:WARNING,"(zip#Write) unable to return to ".curdir."!")
++     let &report= repkeep
++     return
++   endif
+   else
+    let zipfile = substitute(a:fname,'^.\{-}zipfile:\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'^.\{-}zipfile:.\{-}::\([^\\].*\)$','\1','')
+diff --git a/runtime/doc/pi_zip.txt b/runtime/doc/pi_zip.txt
+--- a/runtime/doc/pi_zip.txt
++++ b/runtime/doc/pi_zip.txt
+@@ -32,6 +32,10 @@
+    the desired file, then hit the <return> key.  After editing, one may
+    also write to the file.  Currently, one may not make a new file in
+    zip archives via the plugin.
++
++   The zip plugin tries to detect some common path traversal attack
++   patterns, but it may not catch all possible cases. Please be very
++   careful when using this plugin with untrusted input.
+
+ 								*zip-x*
+    x : may extract a listed file when the cursor is atop it
+--
+2.49.0
+

SOURCES/0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch

@@ -0,0 +1,45 @@
+From 351a16c88f56aeeca5e06095624dd701b264b2a9 Mon Sep 17 00:00:00 2001
+From: q1uf3ng <q1uf3ng@protone.me>
+Date: Wed, 15 Apr 2026 04:03:02 +0000
+Subject: [PATCH] runtime(zip): block absolute paths in zip#Extract
+
+zip#Extract(): add absolute path checks for both Unix and Windows,
+matching the existing checks in zip#Write().
+
+closes: #19976
+
+Signed-off-by: q1uf3ng <glna9@protonmail.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -421,6 +421,22 @@ fun! zip#Extract()
+     let &report= repkeep
+     return
+   endif
++  " block absolute paths
++  if has("unix")
++    if fname =~ '^/'
++      redraw!
++      echohl Error | echo "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!" | echohl None
++      let &report= repkeep
++      return
++    endif
++  else
++    if fname =~ '^\%(\a:[\\/]\|[\\/]\)'
++      redraw!
++      echohl Error | echo "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!" | echohl None
++      let &report= repkeep
++      return
++    endif
++  endif
+ 
+   " extract the file mentioned under the cursor
+ "  call Decho("system(".g:zip_extractcmd." ".shellescape(b:zipfile)." ".shellescape(shell).")")
+-- 
+2.49.0
+

SPECS/vim.spec

@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 22%{?dist}.3
+Release: 23%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -148,6 +148,14 @@ Patch3051: 0001-patch-8.1.1366-using-expressions-in-modeline-is-unsafe.patch
 Patch3052: 0001-patch-8.1.1401-misspelled-mkspellmem.patch
 Patch3053: 0001-patch-9.2.0276-security-modeline-security-bypass.patch
 Patch3054: 0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch
+# RHEL-170126 CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass
+# https://redhat.atlassian.net/browse/RHEL-170126
+# https://github.com/vim/vim/commit/7088926316d8
+# https://github.com/vim/vim/commit/46f530e517bd
+# https://github.com/vim/vim/commit/351a16c88f56
+Patch3055: 0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch
+Patch3056: 0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch
+Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -383,6 +391,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3052 -p1 -b .mkspellmem-fix
 %patch -P 3053 -p1 -b .modeline-bypass
 %patch -P 3054 -p1 -b .modeline-tests
+%patch -P 3055 -p1 -b .zip-path-traversal
+%patch -P 3056 -p1 -b .zip-abs-write
+%patch -P 3057 -p1 -b .zip-abs-extract
 
 %build
 %if 0%{?rhel} > 7
@@ -901,6 +912,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 
 %changelog
+* Wed May 20 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-23
+- RHEL-170126 CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite
+  via path traversal bypass
+
 * Fri Apr 17 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-22.3
 - Relates: RHEL-164956 vim: arbitrary command execution via modeline sandbox bypass