git: 11f6bb7d5e38 - 2025Q1 - editors/vim: Update to 9.1.1198 (security)

From: Adam Weinberger <adamw_at_FreeBSD.org>
Date: Thu, 13 Mar 2025 01:02:23 UTC
The branch 2025Q1 has been updated by adamw:

URL: https://cgit.FreeBSD.org/ports/commit/?id=11f6bb7d5e38f59a22a8a05ff68d629b7839a099

commit 11f6bb7d5e38f59a22a8a05ff68d629b7839a099
Author:     Adam Weinberger <adamw@FreeBSD.org>
AuthorDate: 2025-03-13 00:59:01 +0000
Commit:     Adam Weinberger <adamw@FreeBSD.org>
CommitDate: 2025-03-13 01:02:13 +0000

    editors/vim: Update to 9.1.1198 (security)
    
    potential data loss with zip.vim and specially crafted zip files
    
    Date: 12.03.2025
    Severity: Medium
    CVE: CVE-2025-29768
    CWE: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
    
    Summary
    
    potential data loss with zip.vim and specially crafted zip files
    
    Description
    
    Vim is distributed with the zip.vim plugin, which allows easy editing and
    viewing of zip archives.
    
    To view and extract zip files, vim uses the unzip(1) command, usually
    provided by Info-ZIP; the latest version on Debian is 6.0 from April 2009.
    
    If an attacker creates an archive which contains a file -d/tmp, and a Vim
    user views such a file and tries to extract such filename from
    the archive, Vim will essentially run the following unzip command:
    
    unzip -o <archive.zip> member-filename
    
    However, since the member-filename is called -d/tmp, this is seen by
    the unzip command as an additional argument and it therefore happily
    extracts the whole archive into the mentioned directory, overwriting existing
    files because of the -o.
    
    Unfortunately, the latest released unzip version does not support --
    as an end-of-argument marker, so we cannot use this to mark the
    beginning of the member-files for unzip. Well, apparently there exists
    some 6.10 beta release that hasn't made it to an official release
    yet, which supports the use of the -- marker since 2010 (but this isn't
    widely known).
    
    Therefore, Vim will try to work around it by using the [-] glob when a
    filename starts with a - to protect unzip from parsing the filename as
    an argument, which is just an ugly workaround.
    
    Impact
    
    Impact is moderate because a user must be made to view such an archive
    with Vim and then press 'x' to extract such a strange filename.
    
    The Vim project would like to thank @Ry0taK (GMO Flatt Security Inc) and
    @takumi-san-ai for reporting this issue.
    
    MFH:            2025Q1
    Security:       GHSA-693p-m996-3rmf
    (cherry picked from commit f1e4dac294a4de0cd9dcf6d85d0573a70e2bc2cd)
---
 editors/vim/Makefile | 2 +-
 editors/vim/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
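The argument-injection path and the [-] glob workaround the advisory above describes, as an added Python example (not Vim's or zip.vim's code; the function names and the in-memory archive are constructed here): it flags option-shaped member names in an archive and builds the escaped unzip command line without running unzip.

```python
import io
import zipfile


def option_like_members(zip_bytes: bytes) -> list[str]:
    """Return member names that start with '-'.

    These are the names unzip(1) would read as options rather than as a
    member to extract, so they are worth flagging before any tooling hands
    them to unzip on the command line.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.startswith("-")]


def unzip_argv(archive: str, member: str) -> list[str]:
    """Build the unzip command line with the [-] glob workaround.

    A leading '-' is replaced by the single-character glob '[-]', which
    unzip matches against a literal '-' in the member name, so the argument
    no longer looks like an option such as -d to unzip's parser.
    """
    if member.startswith("-"):
        member = "[-]" + member[1:]
    return ["unzip", "-o", archive, member]


def constructed_archive() -> bytes:
    """Build a test archive in memory (constructed for this example) with one
    harmless file and one member whose name is shaped like an unzip option."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "harmless content\n")
        zf.writestr("-d/tmp", "")
    return buf.getvalue()


if __name__ == "__main__":
    data = constructed_archive()
    for name in option_like_members(data):
        print("option-like member:", name)
        print("escaped command:", " ".join(unzip_argv("archive.zip", name)))
```

The escaping relies on unzip expanding bracket wildcards in member patterns; a member name containing the literal '[' would need its own quoting, which this example does not cover.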

diff --git a/editors/vim/Makefile b/editors/vim/Makefile
index 5a792383d5c5..5db2e15ad8c9 100644
--- a/editors/vim/Makefile
+++ b/editors/vim/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	vim
-PORTVERSION=	9.1.1166
+PORTVERSION=	9.1.1199
 DISTVERSIONPREFIX=	v
 CATEGORIES=	editors
 
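Review bot: the new PORTVERSION (`+PORTVERSION=	9.1.1199`) does not match the commit subject "editors/vim: Update to 9.1.1198 (security)", so the version actually shipped is one patchlevel beyond the one announced; the subject (and the MFH entry) should say 9.1.1199 so the security update is traceable to the tarball that is really fetched.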
diff --git a/editors/vim/distinfo b/editors/vim/distinfo
index 42237eeb2869..0722d41f5266 100644
--- a/editors/vim/distinfo
+++ b/editors/vim/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1740975157
-SHA256 (vim-vim-v9.1.1166_GH0.tar.gz) = 18543682cffe511407ef6a61af6df842d60232fad58c7c02544ae5860107e6be
-SIZE (vim-vim-v9.1.1166_GH0.tar.gz) = 18510701
+TIMESTAMP = 1741827711
+SHA256 (vim-vim-v9.1.1199_GH0.tar.gz) = fc71b4cd30e55cd02c3f4147ea9c678e53fefc3f016eab368881bada72d18d4b
+SIZE (vim-vim-v9.1.1199_GH0.tar.gz) = 18543175
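Review bot: the distinfo hunk is internally consistent with the Makefile: TIMESTAMP, SHA256 and SIZE all move to the v9.1.1199 tarball and the three 9.1.1166 entries are removed as a set, so no stale checksum is left behind; the only inconsistency is again the commit subject's 9.1.1198 against the 9.1.1199 filename recorded here.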