From dd98a569aab92a28fa63d5c1a7a200b1a82143d0 Mon Sep 17 00:00:00 2001
From: wjiang
Date: Wed, 19 Mar 2025 14:50:17 +0800
Subject: [PATCH] fix CVE-2025-29768

(cherry picked from commit 15a73f79e90767672e6a3109ca7570965487332a)
---
 backport-CVE-2025-29768.patch | 44 ++++++++
 ...untime-Fix-for-FreeBSD-unzip-command.patch | 63 +++++++++++
 ...rectly-extract-file-from-zip-browser.patch | 45 ++++++++
 backport-runtime-escape-on-Unix-as-well.patch | 57 ++++++++++
 ...zip-plugin-has-problems-with-special.patch | 100 ++++++++++++++++++
 vim.spec | 13 ++-
 6 files changed, 321 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-29768.patch
 create mode 100644 backport-runtime-Fix-for-FreeBSD-unzip-command.patch
 create mode 100644 backport-runtime-correctly-extract-file-from-zip-browser.patch
 create mode 100644 backport-runtime-escape-on-Unix-as-well.patch
 create mode 100644 backport-runtime-zip-plugin-has-problems-with-special.patch
diff --git a/backport-CVE-2025-29768.patch b/backport-CVE-2025-29768.patch
new file mode 100644
index 0000000..927d569
--- /dev/null
+++ b/backport-CVE-2025-29768.patch
@@ -0,0 +1,44 @@
+From f209dcd3defb95bae21b2740910e6aa7bb940531 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Wed, 12 Mar 2025 22:04:01 +0100
+Subject: [PATCH] patch 9.1.1198: [security]: potential data loss with zip.vim
+
+Problem: [security]: potential data loss with zip.vim and special
+ crafted zip files (RyotaK)
+Solution: use glob '[-]' to protect filenames starting with '-'
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf
+
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index 4a53fc5f28656..dae4ddeb9921e 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -8,6 +8,7 @@
+ " 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted
+ " 2024 Aug 05 by Vim Project: workaround for the FreeBSD's unzip
+ " 2024 Aug 18 by Vim Project: correctly handle special globbing chars
++" 2025 Mar 11 by Vim Project: handle filenames with leading '-' correctly
+ " License: Vim License (see vim's :help license)
+ " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ " Permission is hereby granted to use and distribute this code,
+@@ -414,6 +415,11 @@ fun! zip#Extract()
+ return
+ endif
+ let target = fname->substitute('\[', '[[]', 'g')
++ " unzip 6.0 does not support -- to denote end-of-arguments
++ " unzip 6.1 (2010) apparently supports, it, but hasn't been released
++ " so the workaround is to use glob '[-]' so that it won't be considered an argument
++ " else, it would be possible to use 'unzip -o '-d/tmp' to extract the whole archive
++ let target = target->substitute('^-', '[&]', '')
+ if &shell =~ 'cmd' && (has("win32") || has("win64"))
+ let target = target
+ \ ->substitute('[?*]', '[&]', 'g')
+--
+2.43.0
+
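Review bot: The leading-'-' guard `let target = target->substitute('^-', '[&]', '')` is added only in zip#Extract(), while zip#Read() (see backport-runtime-Fix-for-FreeBSD-unzip-command.patch in this same commit) still places the member name after `--`, which the new comment says unzip 6.0 does not treat as end-of-arguments. It is worth confirming whether a member name that begins with '-' can be read as an option on that path as well; if so, the same substitution belongs after the `escape('?*\\')` call in zip#Read(), e.g. `let fname = fname->substitute('^-', '[&]', '')`. The backport's diffstat lists only runtime/autoload/zip.vim, so no regression test accompanies the fix and a later rebase that loses the line would go unnoticed. zip#Extract() starts and ends outside the hunk.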
diff --git a/backport-runtime-Fix-for-FreeBSD-unzip-command.patch b/backport-runtime-Fix-for-FreeBSD-unzip-command.patch
new file mode 100644
index 0000000..6682fe1
--- /dev/null
+++ b/backport-runtime-Fix-for-FreeBSD-unzip-command.patch
@@ -0,0 +1,63 @@
+From f0e9b72c8fdd47b9b410a11edf7479953cb2aed9 Mon Sep 17 00:00:00 2001
+From: Damien <141588647+xrandomname@users.noreply.github.com>
+Date: Mon, 5 Aug 2024 20:21:18 +0200
+Subject: [PATCH] runtime(zip): Fix for FreeBSD's unzip command
+
+Problem: Cannot browse zipfiles with the unzip program found
+ on FreeBSD.
+Solution: Adjust command arguments.
+
+Unzip found on FreeBSD complain about missing argument with the
+zipinfo modifier '-Z -1'. Joining arguments seems to work
+for both implementations.
+
+Also change `:sil!` to `:sil` so that error messages are properly
+reported (per review of Christian Brabandt).
+
+related: #15411
+
+Signed-off-by: Damien <141588647+xrandomname@users.noreply.github.com>
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index e8973e3c80cc8a..8876ef08e60500 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -1,11 +1,12 @@
+ " zip.vim: Handles browsing zipfiles
+ " AUTOLOAD PORTION
+-" Date: Jul 23, 2024
++" Date: Aug 05, 2024
+ " Version: 33
+ " Maintainer: Charles E Campbell
+ " Last Change:
+ " 2024 Jul 23 by Vim Project: fix 'x' command
+ " 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted
++" 2024 Aug 05 by Vim Project: workaround for the FreeBSD's unzip
+ " License: Vim License (see vim's :help license)
+ " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ " Permission is hereby granted to use and distribute this code,
+@@ -138,7 +139,7 @@ fun! zip#Browse(zipfile)
+ keepj $
+
+ " call Decho("exe silent r! ".g:zip_unzipcmd." -l -- ".s:Escape(a:zipfile,1))
+- exe "keepj sil! r! ".g:zip_unzipcmd." -Z -1 -- ".s:Escape(a:zipfile,1)
++ exe $"keepj sil r! {g:zip_unzipcmd} -Z1 -- {s:Escape(a:zipfile, 1)}"
+ if v:shell_error != 0
+ redraw!
+ echohl WarningMsg | echo "***warning*** (zip#Browse) ".fnameescape(a:zipfile)." is not a zip file" | echohl None
+@@ -246,7 +247,7 @@ fun! zip#Read(fname,mode)
+ let temp = tempname()
+ " call Decho("using temp file<".temp.">")
+ let fn = expand('%:p')
+- exe "sil! !".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fnameescape(fname),1).' > '.temp
++ exe "sil !".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fname,1).' > '.temp
+ " call Decho("exe sil! !".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fnameescape(fname),1).' > '.temp)
+ sil exe 'keepalt file '.temp
+ sil keepj e!
+--
+2.43.0
+
diff --git a/backport-runtime-correctly-extract-file-from-zip-browser.patch b/backport-runtime-correctly-extract-file-from-zip-browser.patch
new file mode 100644
index 0000000..185e3e5
--- /dev/null
+++ b/backport-runtime-correctly-extract-file-from-zip-browser.patch
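Review bot: The zip#Read() hunk of backport-runtime-Fix-for-FreeBSD-unzip-command.patch drops `fnameescape()` from `s:Escape(fnameescape(fname),1)`, which the patch description does not mention; it lists only the `-Z1` change and the switch from `:sil!` to `:sil`. If this was folded in while adapting the backport (the escape-on-Unix patch attributes that removal to commit 6f1cbfc9ab483a09877e153ad130164875c40b1d), the patch header should say so, because the member name now reaches the shell quoted by `s:Escape()` alone, a helper that is not visible on this page. The `" call Decho(...)` comment directly after the new `exe` line still shows the old `sil!` / `fnameescape(fname)` command and should be updated to match what is executed. Both zip#Browse() and zip#Read() extend beyond the hunks shown.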
@@ -0,0 +1,45 @@
+From 38ce71c1c323716cc4b130dbb3e8837a8b9a710b Mon Sep 17 00:00:00 2001
+From: Damien <141588647+xrandomname@users.noreply.github.com>
+Date: Tue, 23 Jul 2024 19:56:54 +0200
+Subject: [PATCH] runtime(zip): correctly extract file from zip browser
+
+Problem: Enter 'x' in zip browser fail with E121
+Solution: Fix typo in zip#Extract()
+
+closes: #15321
+
+Signed-off-by: Damien <141588647+xrandomname@users.noreply.github.com>
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index d0e706e83ac24..34bcad3368d13 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -1,8 +1,10 @@
+ " zip.vim: Handles browsing zipfiles
+ " AUTOLOAD PORTION
+-" Date: Mar 12, 2023
++" Date: Jul 23, 2024
+ " Version: 33
+ " Maintainer: Charles E Campbell
++" Last Change:
++" 2024 Jul 23 by Vim Project: fix 'x' command
+ " License: Vim License (see vim's :help license)
+ " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ " Permission is hereby granted to use and distribute this code,
+@@ -401,8 +403,7 @@ fun! zip#Extract()
+ endif
+
+ " extract the file mentioned under the cursor
+-" call Decho("system(".g:zip_extractcmd." ".shellescape(b:zipfile)." ".shellescape(shell).")")
+- call system(g:zip_extractcmd." ".shellescape(b:zipfile)." ".shellescape(shell))
++ call system($"{g:zip_extractcmd} {shellescape(b:zipfile)} {shellescape(fname)}")
+ " call Decho("zipfile<".b:zipfile.">")
+ if v:shell_error != 0
+ echohl Error | echo "***error*** ".g:zip_extractcmd." ".b:zipfile." ".fname.": failed!" | echohl NONE
+--
+2.43.0
+
diff --git a/backport-runtime-escape-on-Unix-as-well.patch b/backport-runtime-escape-on-Unix-as-well.patch
new file mode 100644
index 0000000..5ca374d
--- /dev/null
+++ b/backport-runtime-escape-on-Unix-as-well.patch
@@ -0,0 +1,57 @@
+From c5bdd66558b14f04424a22d9714a9b7d0c277dac Mon Sep 17 00:00:00 2001
+From: zeertzjq
+Date: Sun, 4 Aug 2024 18:35:50 +0200
+Subject: [PATCH] runtime(zip): escape '[' on Unix as well
+
+Problem: After 6f1cbfc9ab483a09877e153ad130164875c40b1d fnameescape()
+ is no longer called on the name of the file to be extracted.
+ However, while spaces indeed don't need to be escaped, unzip
+ treats '[' as a wildcard character, so it need to be escaped.
+Solution: Escape '[' on both MS-Windows and Unix.
+
+From the docs it seems '*' and '?' also need escaping, but they seem to
+actually work without escaping.
+
+fixes: neovim/neovim#29977
+closes: #15427
+
+Signed-off-by: zeertzjq
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index f77d729f036557..e8973e3c80cc8a 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -5,6 +5,7 @@
+ " Maintainer: Charles E Campbell
+ " Last Change:
+ " 2024 Jul 23 by Vim Project: fix 'x' command
++" 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted
+ " License: Vim License (see vim's :help license)
+ " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ " Permission is hereby granted to use and distribute this code,
+@@ -225,8 +226,8 @@ fun! zip#Read(fname,mode)
+ else
+ let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','')
+ let fname = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','')
+- let fname = substitute(fname, '[', '[[]', 'g')
+ endif
++ let fname = substitute(fname, '[', '[[]', 'g')
+ " call Decho("zipfile<".zipfile.">")
+ " call Decho("fname <".fname.">")
+ " sanity check
+@@ -240,7 +241,7 @@ fun! zip#Read(fname,mode)
+ endif
+
+ " the following code does much the same thing as
+- " exe "keepj sil! r! ".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fnameescape(fname),1)
++ " exe "keepj sil! r! ".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fname,1)
+ " but allows zipfile://... entries in quickfix lists
+ let temp = tempname()
+ " call Decho("using temp file<".temp.">")
+--
+2.43.0
+
diff --git a/backport-runtime-zip-plugin-has-problems-with-special.patch b/backport-runtime-zip-plugin-has-problems-with-special.patch
new file mode 100644
index 0000000..91e3419
--- /dev/null
+++ b/backport-runtime-zip-plugin-has-problems-with-special.patch
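Review bot: `substitute(fname, '[', '[[]', 'g')` in zip#Read() uses a bare `[` as the search pattern, so it depends on Vim treating an unterminated collection as a literal bracket; `'\['`, which zip#Extract() uses in backport-runtime-zip-plugin-has-problems-with-special.patch, states the intent directly: `let fname = substitute(fname, '\[', '[[]', 'g')`. A one-line comment such as `" unzip treats '[' as a glob character; '[[]' matches it literally` would also help, since the reason is given only in the commit message. The description says '*' and '?' were left unescaped because they appeared to work, contrary to the docs; the later 9.1.0686 backport adds that escaping, so the two patches should stay together. zip#Read() continues outside the hunk.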
@@ -0,0 +1,100 @@
+From 7790ea0c680a9f951a86066e5940ec16b2333c9a Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Tue, 20 Aug 2024 22:41:52 +0200
+Subject: [PATCH] patch 9.1.0686: zip-plugin has problems with special
+ characters
+
+Problem: zip-plugin has problems with special characters
+ (user202729)
+Solution: escape '*?[\' on Unix and handle those chars
+ a bit differently on MS-Windows, add a test, check
+ before overwriting files
+
+runtime(zip): small fixes for zip plugin
+
+This does the following:
+- verify the unzip plugin is executable when loading the autoload plugin
+- handle extracting file names with '[*?\' in its name correctly by
+ escaping those characters for the unzip command (and handle those
+ characters a bit differently on MS-Windows, since the quoting is different)
+- verify, that the extract plugin is not overwriting a file (could cause
+ a hang, because unzip asking for confirmation)
+- add a test zip file which contains those special file names
+
+fixes: #15505
+closes: #15519
+
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index 31fb32779f86d8..a7a7e579a2f319 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -1,12 +1,13 @@
+ " zip.vim: Handles browsing zipfiles
+ " AUTOLOAD PORTION
+-" Date: Aug 05, 2024
++" Date: Aug 18, 2024
+ " Version: 33
+ " Maintainer: Charles E Campbell
+ " Last Change:
+ " 2024 Jul 23 by Vim Project: fix 'x' command
+ " 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted
+ " 2024 Aug 05 by Vim Project: workaround for the FreeBSD's unzip
++" 2024 Aug 18 by Vim Project: correctly handle special globbing chars
+ " License: Vim License (see vim's :help license)
+ " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ " Permission is hereby granted to use and distribute this code,
+@@ -61,6 +62,11 @@ if !exists("g:zip_extractcmd")
+ let g:zip_extractcmd= g:zip_unzipcmd
+ endif
+
++" sanity checks
++ if !executable(g:zip_unzipcmd)
++ echohl Error | echo "***error*** (zip#Browse) unzip not available on your system" | echohl None
++ finish
++ endif
+ if !dist#vim#IsSafeExecutable('zip', g:zip_unzipcmd)
+ echoerr "Warning: NOT executing " .. g:zip_unzipcmd .. " from current directory!"
+ finish
+@@ -228,7 +234,7 @@ fun! zip#Read(fname,mode)
+ let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','')
+ let fname = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','')
+ endif
+- let fname = substitute(fname, '[', '[[]', 'g')
++ let fname = fname->substitute('[', '[[]', 'g')->escape('?*\\')
+ " call Decho("zipfile<".zipfile.">")
+ " call Decho("fname <".fname.">")
+ " sanity check
+@@ -403,9 +409,24 @@ fun! zip#Extract()
+ " call Dret("zip#Extract")
+ return
+ endif
++ if filereadable(fname)
++ echohl Error | echo "***error*** (zip#Extract) <".fname."> already exists in directory, not overwriting!" | echohl None
++ return
++ endif
++ let target = fname->substitute('\[', '[[]', 'g')
++ if &shell =~ 'cmd' && (has("win32") || has("win64"))
++ let target = target
++ \ ->substitute('[?*]', '[&]', 'g')
++ \ ->substitute('[\\]', '?', 'g')
++ \ ->shellescape()
++ " there cannot be a file name with '\' in its name, unzip replaces it by _
++ let fname = fname->substitute('[\\?*]', '_', 'g')
++ else
++ let target = target->escape('*?\\')->shellescape()
++ endif
+
+ " extract the file mentioned under the cursor
+- call system($"{g:zip_extractcmd} {shellescape(b:zipfile)} {shellescape(fname)}")
++ call system($"{g:zip_extractcmd} -o {shellescape(b:zipfile)} {target}")
+ " call Decho("zipfile<".b:zipfile.">")
+ if v:shell_error != 0
+ echohl Error | echo "***error*** ".g:zip_extractcmd." ".b:zipfile." ".fname.": failed!" | echohl NONE
+--
+2.43.0
+
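Review bot: In zip#Extract() the overwrite guard `if filereadable(fname)` runs before the MS-Windows branch rewrites the name with `let fname = fname->substitute('[\\?*]', '_', 'g')`, so on that branch the check looks at the original name rather than the one the comment says unzip will create, and the new `-o` flag then removes unzip's own confirmation prompt. Moving the `filereadable()` block below the closing `endif` of the `&shell` branch would test the on-disk name in both cases. `filereadable()` is also false for directories and for files the user cannot read, so the guard is best-effort rather than a guarantee against overwriting. The description says a test and a test zip file are added, but the diffstat lists only runtime/autoload/zip.vim, so the backport ships without them. zip#Extract() starts and ends outside the hunk.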
diff --git a/vim.spec b/vim.spec index f0d472d..b1ba3d8 100644 --- a/vim.spec +++ b/vim.spec @@ -14,7 +14,7 @@ Name: vim Epoch: 2 Version: %{baseversion}.%{patchlevel} -Release: 17 +Release: 18 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -58,6 +58,11 @@ Patch6023: backport-CVE-2025-22134.patch Patch6024: backport-CVE-2025-24014.patch Patch6025: backport-CVE-2025-1215.patch Patch6026: backport-CVE-2025-26603.patch +Patch6027: backport-runtime-correctly-extract-file-from-zip-browser.patch +Patch6028: backport-runtime-escape-on-Unix-as-well.patch +Patch6029: backport-runtime-Fix-for-FreeBSD-unzip-command.patch +Patch6030: backport-runtime-zip-plugin-has-problems-with-special.patch +Patch6031: backport-CVE-2025-29768.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: fix-CVE-2024-47814.patch @@ -466,6 +471,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests." %{_mandir}/man1/evim.* %changelog +* Tue Mar 18 2025 wangjiang - 2:9.0.2092-18 +- Type:CVE +- ID:CVE-2025-29768 +- SUG:NA +- DESC:fix CVE-2025-29768 + * Tue Feb 18 2025 wangjiang - 2:9.0.2092-17 - Type:CVE - ID:CVE-2025-1215 CVE-2025-26603 -- Gitee
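Review bot: The new changelog entry describes only `fix CVE-2025-29768`, but the Patch6027 to Patch6030 lines in the second hunk also add four functional zip.vim backports that change how unzip is invoked, including the `-o` flag on extraction. Naming them in the entry, for example `- DESC:fix CVE-2025-29768, with prerequisite zip.vim backports`, keeps that behaviour change traceable from the package history. The third hunk's header shows `make -j1 test || echo "Warning: Please check tests."`, so a failing test would not stop the build; since none of the five backports carries a test, the zip plugin should be checked by hand before release.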