RHEL-112007 CVE-2025-53906 vim: Vim path traversial

Resolves: RHEL-112007
2025-09-17 17:06:51 +02:00 · 2025-09-17 17:06:51 +02:00 · f9ed7bf51c
commit f9ed7bf51c
parent 2d35eb4a78
2 changed files with 76 additions and 1 deletions
--- a/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
+++ b/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
@ -0,0 +1,70 @@
+diff -up vim82/runtime/autoload/zip.vim.CVE-2025-53906 vim82/runtime/autoload/zip.vim
+--- vim82/runtime/autoload/zip.vim.CVE-2025-53906	2021-03-22 10:02:41.000000000 +0100
+++ vim82/runtime/autoload/zip.vim	2025-09-10 19:33:11.491115978 +0200
+@@ -251,6 +251,7 @@ fun! zip#Write(fname)
+ "  call Dfunc("zip#Write(fname<".a:fname.">) zipfile_".winnr()."<".s:zipfile_{winnr()}.">")
+   let repkeep= &report
+   set report=10
+  let need_rename = 0
+ 
+   " sanity checks
+   if !executable(substitute(g:zip_zipcmd,'\s\+.*$','',''))
+@@ -261,14 +262,6 @@ fun! zip#Write(fname)
+ "   call Dret("zip#Write")
+    return
+   endif
+-  if !exists("*mkdir")
+-   redraw!
+-   echohl Error | echo "***error*** (zip#Write) sorry, mkdir() doesn't work on your system" | echohl None
+-"   call inputsave()|call input("Press <cr> to continue")|call inputrestore()
+-   let &report= repkeep
+-"   call Dret("zip#Write")
+-   return
+-  endif
+ 
+   let curdir= getcwd()
+   let tmpdir= tempname()
+@@ -302,6 +295,11 @@ fun! zip#Write(fname)
+    let zipfile = substitute(a:fname,'^.\{-}zipfile:\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'^.\{-}zipfile:.\{-}::\([^\\].*\)$','\1','')
+   endif
+  if fname =~ '^[.]\{1,2}/'
+    call system(g:zip_zipcmd." -d ".s:Escape(fnamemodify(zipfile,":p"),0)." ".s:Escape(fname,0))
+    let fname = substitute(fname, '^\([.]\{1,2}/\)\+', '', 'g')
+    let need_rename = 1
+  endif
+ "  call Decho("zipfile<".zipfile.">")
+ "  call Decho("fname  <".fname.">")
+ 
+@@ -318,7 +316,7 @@ fun! zip#Write(fname)
+   endif
+ "  call Decho("zipfile<".zipfile."> fname<".fname.">")
+ 
+-  exe "w! ".fnameescape(fname)
+  exe "w ".fnameescape(fname)
+   if has("win32unix") && executable("cygpath")
+    let zipfile = substitute(system("cygpath ".s:Escape(zipfile,0)),'\n','','e')
+   endif
+@@ -348,6 +346,10 @@ fun! zip#Write(fname)
+    let &binary = binkeep
+    q!
+    unlet s:zipfile_{winnr()}
+  elseif need_rename
+    sil exe 'keepalt file '.fnameescape("zipfile://".zipfile.'::'.fname)
+    redraw!
+    echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, dropping relative path" | echohl None
+   endif
+   
+   " cleanup and restore current directory
+@@ -383,6 +385,11 @@ fun! zip#Extract()
+    let &report= repkeep
+ "   call Dret("zip#Extract")
+    return
+  elseif fname =~ '^[.]\?[.]/'
+    redraw!
+    echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None
+    let &report= repkeep
+    return
+   endif
+ 
+   " extract the file mentioned under the cursor
--- a/vim.spec
+++ b/vim.spec
@ -114,6 +114,9 @@ Patch3039: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
 Patch3040: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
 # RHEL-112003 CVE-2025-53905 vim: Vim path traversial
 Patch3041: 0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch
+# RHEL-112007 CVE-2025-53906 vim: Vim path traversal
+Patch3042: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
+

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -332,6 +335,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3039 -p1 -b .cve1897
 %patch3040 -p1 -b .cve1927
 %patch -P 3041 -p1 -b .CVE-2025-53905
+%patch -P 3042 -p1 -b .CVE-2025-53906

 %build
 %if 0%{?rhel} > 7
@ -852,6 +856,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Wed Sep 17 2025 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-21
 - RHEL-112003 CVE-2025-53905 vim: Vim path traversial
+- RHEL-112007 CVE-2025-53906 vim: Vim path traversal

 * Tue Jun 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-20
 - fix issue reported by covscan
@ -861,7 +866,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 - CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
 - CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c

-* Tue May 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-20
+* Sat May 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-20
 - CVE-2022-1621 vim: heap buffer overflow
 - CVE-2022-1629 vim: buffer over-read