Opened 8 weeks ago

Closed 8 weeks ago

Last modified 8 weeks ago

#5760 closed enhancement (fixed)

vim-9.1.1552 (Security update)

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: high Milestone: 12.4
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

Two security vulnerabilities were reported as fixed today:

path traversal issue with tar.vim and special crafted tar archives in Vim < 9.1.1552
====================================================================================
Date: 15.07.2025
Severity: Low
CVE: CVE-2025-53905
CWE: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

### Summary
A path traversal issue in Vim’s tar.vim plugin can allow overwriting of
arbitrary files when opening specially crafted tar archives.

### Description
Vim includes the tar.vim plugin, which enables viewing and editing of files
within tar (and compressed tar) archives.

An attacker can create a tar archive that contains member files with relative
paths (e.g., ../../somefile). If such an archive is opened in Vim, and the user
saves one of these malicious files, Vim may overwrite files outside the
intended working directory.

Exploitation requires several conditions:
- The user opens a specially crafted archive in Vim.
- The user selects and attempts to edit one of the files within the archive.
- Vim writes the file back to disk using :w!.

Only after all these steps are performed would Vim overwrite an existing file
on disk.

**Note**:
- Vim does display the full path to be written, so a careful user may notice
  suspicious behavior.
- Standard tar utilities typically do not extract such paths and will warn or
  skip them. This issue only affects Vim's internal handling, not the tar tool
  itself.


### Proof of Concept
As a Proof of Concept, the following code crafts a malicious archive:
```
echo pwned > pwn; tar --transform='s|^|/etc/ax-|' -cf evil.tar pwn
```
If the file contained in the evil.tar archive is edited through vim, typing
':w' to save it will create /etc/ax-pwn on the host filesystem (provided that
the user has sufficient permissions to write into the /etc directory.

### Impact
Impact is **low** because this exploit requires direct user interaction:

However successfully exploitation can lead to overwritint sensitive files or
placing executable code in privileged locations, depending on the permissions
of the process editing the archive.

The victim must edit such a file using Vim which will reveal the filename
and the file content, a careful user may suspect some strange things going on.
Successful exploitation could results in the ability to execute
arbitrary commands on the underlying operating system.

The Vim project would like to thank @ax for reporting this issue.

The issue has been fixed as of Vim patch v9.1.1552

[Commit](https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239)
[Github Advisory](https://github.com/vim/vim/security/advisories/GHSA-74v4-f3x9-ppvr)

and

{{{path traversal issue with zip.vim and special crafted zip archives in Vim < v9.1.1551 ===================================================================================== Date: 15.07.2025 Severity: Low CVE: CVE-2025-53906 CWE: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

### Summary A path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives.

### Description Vim includes the zip.vim plugin, which enables viewing and editing of files within zip archives.

An attacker can create a zip archive that contains member files with relative paths (e.g., ../../somefile). If such an archive is opened in Vim, and the user saves one of these malicious files, Vim may overwrite files outside the intended working directory.

Exploitation requires several conditions:

  • The user opens a specially crafted archive in Vim.
  • The user selects and attempts to edit one of the files within the archive.
  • Vim writes the file back to disk using :w!.

Only after all these steps are performed would Vim overwrite an existing file on disk.

Note:

  • Vim does display the full path to be written, so a careful user may notice suspicious behavior.
  • Standard zip utility typically do not extract such paths and will warn or skip them. This issue only affects Vim's internal handling, not the zip tool itself.

### Proof of Concept As a Proof of Concept, the following code crafts a malicious archive: `python import zipfile import os zip_path='evil.zip' fname='file' arcname='/etc/ax-pwn' arcname='../../../../etc/ax-pwn' with open(fname, 'w') as f:

f.write(f"pwned\n")

with zipfile.ZipFile(zip_path, 'w') as zipf:

zipf.write(fname, arcname)

print(f"Created {zip_path}" ) ` If the file contained in the evil.zip archive is edited through vim, typing ':w' to save it will create /etc/ax-pwn on the host filesystem (provided that the user has sufficient permissions to write into the /etc directory.

### Impact Impact is low because this exploit requires direct user interaction:

However successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive.

The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system.

The Vim project would like to thank @ax for reporting this issue.

The issue has been fixed as of Vim patch v9.1.1551 }}}

Change History (3)

comment:1 by Bruce Dubbs, 8 weeks ago

Resolution: fixed
Status: newclosed

Fixed at commit 8395c1c69b.

comment:2 by Douglas R. Reno, 8 weeks ago

Priority: normalhigh

comment:3 by Douglas R. Reno, 8 weeks ago

SA-12.3-072 issued

Note: See TracTickets for help on using tickets.