From 448ae03067c85a48c9c73517fb9f7046be3ed200 Mon Sep 17 00:00:00 2001 From: RHEL Packaging Agent Date: Wed, 3 Jun 2026 10:56:51 +0000 Subject: [PATCH] patch 9.2.0479: [security]: runtime(tar): command injection in tar plugin Problem: [security]: runtime(tar): command injection in tar plugin (Christopher Lusk) Solution: Use the correct shellescape(args, 1) form for a :! command Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w Signed-off-by: Christian Brabandt --- runtime/autoload/tar.vim | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim index e320b9a..b60e94a 100644 --- a/runtime/autoload/tar.vim +++ b/runtime/autoload/tar.vim @@ -588,9 +588,9 @@ fun! tar#Vimuntar(...) " if necessary, decompress the tarball; then, extract it if tartail =~ '\.tgz' if executable("gunzip") - silent exe "!gunzip ".shellescape(tartail) + silent exe "!gunzip ".shellescape(tartail, 1) elseif executable("gzip") - silent exe "!gzip -d ".shellescape(tartail) + silent exe "!gzip -d ".shellescape(tartail, 1) else echoerr "unable to decompress<".tartail."> on this sytem" if simplify(curdir) != simplify(tarhome) -- 2.52.0