diff --git a/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch b/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
new file mode 100644
index 00000000..b4824368
--- /dev/null
+++ b/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch
@@ -0,0 +1,70 @@
+diff -up vim82/runtime/autoload/zip.vim.CVE-2025-53906 vim82/runtime/autoload/zip.vim
+--- vim82/runtime/autoload/zip.vim.CVE-2025-53906 2021-03-22 10:02:41.000000000 +0100
++++ vim82/runtime/autoload/zip.vim 2025-09-10 19:33:11.491115978 +0200
+@@ -251,6 +251,7 @@ fun! zip#Write(fname)
+ " call Dfunc("zip#Write(fname<".a:fname.">) zipfile_".winnr()."<".s:zipfile_{winnr()}.">")
+ let repkeep= &report
+ set report=10
++ let need_rename = 0
+
+ " sanity checks
+ if !executable(substitute(g:zip_zipcmd,'\s\+.*$','',''))
+@@ -261,14 +262,6 @@ fun! zip#Write(fname)
+ " call Dret("zip#Write")
+ return
+ endif
+- if !exists("*mkdir")
+- redraw!
+- echohl Error | echo "***error*** (zip#Write) sorry, mkdir() doesn't work on your system" | echohl None
+-" call inputsave()|call input("Press to continue")|call inputrestore()
+- let &report= repkeep
+-" call Dret("zip#Write")
+- return
+- endif
+
+ let curdir= getcwd()
+ let tmpdir= tempname()
+@@ -302,6 +295,11 @@ fun! zip#Write(fname)
+ let zipfile = substitute(a:fname,'^.\{-}zipfile:\(.\{-}\)::[^\\].*$','\1','')
+ let fname = substitute(a:fname,'^.\{-}zipfile:.\{-}::\([^\\].*\)$','\1','')
+ endif
++ if fname =~ '^[.]\{1,2}/'
++ call system(g:zip_zipcmd." -d ".s:Escape(fnamemodify(zipfile,":p"),0)." ".s:Escape(fname,0))
++ let fname = substitute(fname, '^\([.]\{1,2}/\)\+', '', 'g')
++ let need_rename = 1
++ endif
+ " call Decho("zipfile<".zipfile.">")
+ " call Decho("fname <".fname.">")
+
+@@ -318,7 +316,7 @@ fun! zip#Write(fname)
+ endif
+ " call Decho("zipfile<".zipfile."> fname<".fname.">")
+
+- exe "w! ".fnameescape(fname)
++ exe "w ".fnameescape(fname)
+ if has("win32unix") && executable("cygpath")
+ let zipfile = substitute(system("cygpath ".s:Escape(zipfile,0)),'\n','','e')
+ endif
+@@ -348,6 +346,10 @@ fun! zip#Write(fname)
+ let &binary = binkeep
+ q!
+ unlet s:zipfile_{winnr()}
++ elseif need_rename
++ sil exe 'keepalt file '.fnameescape("zipfile://".zipfile.'::'.fname)
++ redraw!
++ echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, dropping relative path" | echohl None
+ endif
+
+ " cleanup and restore current directory
+@@ -383,6 +385,11 @@ fun! zip#Extract()
+ let &report= repkeep
+ " call Dret("zip#Extract")
+ return
++ elseif fname =~ '^[.]\?[.]/'
++ redraw!
++ echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None
++ let &report= repkeep
++ return
+ endif
+
+ " extract the file mentioned under the cursor
diff --git a/vim.spec b/vim.spec
index 81aa6b40..39b23039 100644
--- a/vim.spec
+++ b/vim.spec
@@ -114,6 +114,9 @@ Patch3039: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch Patch3040: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch # RHEL-112003 CVE-2025-53905 vim: Vim path traversial Patch3041: 0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch +# RHEL-112007 CVE-2025-53906 vim: Vim path traversal +Patch3042: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch + # gcc is no longer in buildroot by default BuildRequires: gcc
@@ -332,6 +335,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3039 -p1 -b .cve1897 %patch3040 -p1 -b .cve1927 %patch -P 3041 -p1 -b .CVE-2025-53905 +%patch -P 3042 -p1 -b .CVE-2025-53906 %build %if 0%{?rhel} > 7
@@ -852,6 +856,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %changelog * Wed Sep 17 2025 Zdenek Dohnal - 2:8.0.1763-21 - RHEL-112003 CVE-2025-53905 vim: Vim path traversial +- RHEL-112007 CVE-2025-53906 vim: Vim path traversal * Tue Jun 14 2022 Zdenek Dohnal - 2:8.0.1763-20 - fix issue reported by covscan
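Review bot: In the added zip.vim patch, both traversal guards are anchored at the start of the entry name (`if fname =~ '^[.]\{1,2}/'` in zip#Write and `elseif fname =~ '^[.]\?[.]/'` in zip#Extract), so a name carrying `../` after its first component, or an absolute name, is not matched by either pattern as written. Whether such names are stopped elsewhere (earlier checks in zip.vim, or the unzip tool itself) is not visible here, because both function bodies continue outside the inner hunks; that should be confirmed against the older zip.vim this backport targets. If the package should not depend on that, the Extract guard could be widened to `elseif fname =~ '^[.]\?[.]/' || fname =~ '/[.][.]/' || fname =~ '^/'`, with the same tests added to the zip#Write condition, at the cost of diverging from upstream 9.1.1551. Either way, a short comment above each guard stating which name forms it covers and which are left to the extraction tool would make the intended boundary clear to the next backporter.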
@@ -861,7 +866,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags - CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c - CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c -* Tue May 14 2022 Zdenek Dohnal - 2:8.0.1763-20 +* Sat May 14 2022 Zdenek Dohnal - 2:8.0.1763-20 - CVE-2022-1621 vim: heap buffer overflow - CVE-2022-1629 vim: buffer over-read