From 5d3f48e7f47e7fb567445c6a6341697b013f8777 Mon Sep 17 00:00:00 2001 From: sa-buc Date: Wed, 20 Aug 2025 16:53:29 +0800 Subject: [PATCH] fix cve --- 0017-fix-CVE-2025-22134.patch | 52 ++++++++ 0018-fix-CVE-2025-26603.patch | 63 +++++++++ 0019-fix-CVE-2025-1215.patch | 125 ++++++++++++++++++ 0020-fix-CVE-2025-29768.patch | 44 ++++++ ...untime-Fix-for-FreeBSD-unzip-command.patch | 64 +++++++++ ...rectly-extract-file-from-zip-browser.patch | 45 +++++++ backport-runtime-escape-on-Unix-as-well.patch | 57 ++++++++ ...zip-plugin-has-problems-with-special.patch | 108 +++++++++++++++ vim.spec | 22 ++- 9 files changed, 578 insertions(+), 2 deletions(-) create mode 100644 0017-fix-CVE-2025-22134.patch create mode 100644 0018-fix-CVE-2025-26603.patch create mode 100644 0019-fix-CVE-2025-1215.patch create mode 100644 0020-fix-CVE-2025-29768.patch create mode 100644 backport-runtime-Fix-for-FreeBSD-unzip-command.patch create mode 100644 backport-runtime-correctly-extract-file-from-zip-browser.patch create mode 100644 backport-runtime-escape-on-Unix-as-well.patch create mode 100644 backport-runtime-zip-plugin-has-problems-with-special.patch diff --git a/0017-fix-CVE-2025-22134.patch b/0017-fix-CVE-2025-22134.patch new file mode 100644 index 0000000..eb02aa3 --- /dev/null +++ b/0017-fix-CVE-2025-22134.patch 
@@ -0,0 +1,52 @@
+From da2ab40f95b23cf3a2c1aab112feb7f83f1aaa8d Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sat, 11 Jan 2025 15:25:00 +0100
+Subject: [PATCH] patch 9.1.1003: [security]: heap-buffer-overflow with visual
+ mode
+
+Problem: [security]: heap-buffer-overflow with visual mode when
+ using :all, causing Vim trying to access beyond end-of-line
+ (gandalf)
+Solution: Reset visual mode on :all, validate position in gchar_pos()
+ and charwise_block_prep()
+
+This fixes CVE-2025-22134
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8
+
+Co-authored-by: zeertzjq
+Signed-off-by: Christian Brabandt
+---
+ src/testdir/test_visual.vim | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 290641e..e6169fa 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -1587,4 +1587,22 @@ func Test_Visual_r_CTRL_C()
+ bw!
+ endfu
+
++" the following caused a Heap-Overflow, because Vim was accessing outside of a
++" line end
++func Test_visual_pos_buffer_heap_overflow()
++ set virtualedit=all
++ args Xa Xb
++ all
++ call setline(1, ['', '', ''])
++ call cursor(3, 1)
++ wincmd w
++ call setline(1, 'foobar')
++ normal! $lv0
++ all
++ call setreg('"', 'baz')
++ normal! [P
++ set virtualedit=
++ bw! Xa Xb
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.47.3
diff --git a/0018-fix-CVE-2025-26603.patch b/0018-fix-CVE-2025-26603.patch
new file mode 100644
index 0000000..53d6551
--- /dev/null
+++ b/0018-fix-CVE-2025-26603.patch
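Review bot: The file added as 0017-fix-CVE-2025-22134.patch contains only the regression test: its diffstat lists `src/testdir/test_visual.vim | 18` and nothing else, although the commit message describes resetting Visual mode on `:all` and validating the position in `gchar_pos()` and `charwise_block_prep()`. Unless those source changes are already present in the 9.0.2092 tree or carried by another patch, the package would record CVE-2025-22134 as fixed while the out-of-bounds access remains, and the new test would be expected to fail under a sanitizer build. The source hunks of the upstream commit referenced in vim.spec should be added to this patch, or the spec comment should state where the code fix lives.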
@@ -0,0 +1,63 @@
+From c0f0e2380e5954f4a52a131bf6b8499838ad1dae Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 16 Feb 2025 16:06:38 +0100
+Subject: [PATCH] patch 9.1.1115: [security]: use-after-free in str_to_reg()
+
+Problem: [security]: use-after-free in str_to_reg()
+ (fizz-is-on-the-way)
+Solution: when redirecting the :display command, check that one
+ does not output to the register being displayed
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
+
+Signed-off-by: Christian Brabandt
+---
+ src/register.c | 3 ++-
+ src/testdir/test_registers.vim | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index 0df05054ca7229..a9630f8ef5db93 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -2405,7 +2405,8 @@ ex_display(exarg_T *eap)
+
+ #ifdef FEAT_EVAL
+ if (name == MB_TOLOWER(redir_reg)
+- || (redir_reg == '"' && yb == y_previous))
++ || (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
++ (yb == y_previous || yb == &y_regs[0])))
+ continue; // do not list register being written to, the
+ // pointer can be freed
+ #endif
+diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
+index 1177c2395d3f09..13127022666e04 100644
+--- a/src/testdir/test_registers.vim
++++ b/src/testdir/test_registers.vim
+@@ -929,4 +929,24 @@ func Test_register_y_append_reset()
+ bwipe!
+ endfunc
+
++" This caused use-after-free
++func Test_register_redir_display()
++ " don't touch the clipboard, so only perform this, when the clipboard is not working
++ if has("clipboard_working")
++ throw "Skipped: skip touching the clipboard register!"
++ endif
++ let @"=''
++ redir @+>
++ disp +"
++ redir END
++ call assert_equal("\nType Name Content", getreg('+'))
++ let a = [getreg('1'), getregtype('1')]
++ let @1='register 1'
++ redir @+
++ disp 1
++ redir END
++ call assert_equal("register 1", getreg('1'))
++ call setreg(1, a[0], a[1])
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+
diff --git a/0019-fix-CVE-2025-1215.patch b/0019-fix-CVE-2025-1215.patch
new file mode 100644
index 0000000..fd1f3c3
--- /dev/null
+++ b/0019-fix-CVE-2025-1215.patch
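Review bot: The widened condition in ex_display() is not explained where it stands: the trailing comment still says only that the pointer can be freed, and nothing tells the reader why `*` and `+` joined `"` or why `&y_regs[0]` is compared alongside `y_previous`. A comment above the `||` line, e.g. `// redirecting to ", * or + may write to the unnamed or 0 register`, would help; that reading is inferred from the test's remark about a non-working clipboard and should be checked against upstream. The new test throws "Skipped" whenever `has("clipboard_working")` is true, so a build with a working clipboard never exercises the fix. ex_display() begins and ends outside the hunk.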
@@ -0,0 +1,125 @@ +From c5654b84480822817bb7b69ebc97c174c91185e9 Mon Sep 17 00:00:00 2001 +From: Hirohito Higashi +Date: Mon, 10 Feb 2025 20:55:17 +0100 +Subject: [PATCH] patch 9.1.1097: --log with non-existent path causes a crash + +Problem: --log with non-existent path causes a crash + (Ekkosun) +Solution: split initialization phase and init the execution stack + earlier (Hirohito Higashi) + +fixes: #16606 +closes: #16610 + +Signed-off-by: Hirohito Higashi +Signed-off-by: Christian Brabandt +--- + src/main.c | 21 +++++++++++++++++---- + src/message_test.c | 3 ++- + src/proto/main.pro | 3 ++- + src/testdir/test_startup.vim | 7 +++++++ + 4 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/src/main.c b/src/main.c +index ecc61f4d0be886..f603a52a52e09d 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -144,6 +144,11 @@ main + atexit(vim_mem_profile_dump); + #endif + ++ /* ++ * Various initialisations #1 shared with tests. ++ */ ++ common_init_1(); ++ + #if defined(STARTUPTIME) || defined(FEAT_JOB_CHANNEL) + // Need to find "--startuptime" and "--log" before actually parsing + // arguments. +@@ -185,9 +190,9 @@ main + #endif + + /* +- * Various initialisations shared with tests. ++ * Various initialisations #2 shared with tests. + */ +- common_init(¶ms); ++ common_init_2(¶ms); + + #ifdef VIMDLL + // Check if the current executable file is for the GUI subsystem. +@@ -900,10 +905,10 @@ vim_main2(void) + } + + /* +- * Initialisation shared by main() and some tests. ++ * Initialisation #1 shared by main() and some tests. + */ + void +-common_init(mparm_T *paramp) ++common_init_1(void) + { + estack_init(); + cmdline_init(); +@@ -925,7 +930,15 @@ common_init(mparm_T *paramp) + || (NameBuff = alloc(MAXPATHL)) == NULL) + mch_exit(0); + TIME_MSG("Allocated generic buffers"); ++} ++ + ++/* ++ * Initialisation #2 shared by main() and some tests. ++ */ ++ void ++common_init_2(mparm_T *paramp) ++{ + #ifdef NBDEBUG + // Wait a moment for debugging NetBeans. 
Must be after allocating + // NameBuff. +diff --git a/src/message_test.c b/src/message_test.c +index 62f7772470d0e4..83767ece930899 100644 +--- a/src/message_test.c ++++ b/src/message_test.c +@@ -508,7 +508,8 @@ main(int argc, char **argv) + CLEAR_FIELD(params); + params.argc = argc; + params.argv = argv; +- common_init(¶ms); ++ common_init_1(); ++ common_init_2(¶ms); + + set_option_value_give_err((char_u *)"encoding", 0, (char_u *)"utf-8", 0); + init_chartab(); +diff --git a/src/proto/main.pro b/src/proto/main.pro +index 496fe66be6950d..7e4c50803e8ef2 100644 +--- a/src/proto/main.pro ++++ b/src/proto/main.pro +@@ -1,6 +1,7 @@ + /* main.c */ + int vim_main2(void); +-void common_init(mparm_T *paramp); ++void common_init_1(void); ++void common_init_2(mparm_T *paramp); + int is_not_a_term(void); + int is_not_a_term_or_gui(void); + void free_vbuf(void); +diff --git a/src/testdir/test_startup.vim b/src/testdir/test_startup.vim +index 7c703916045e70..c16e4ae27de3b2 100644 +--- a/src/testdir/test_startup.vim ++++ b/src/testdir/test_startup.vim +@@ -734,6 +734,13 @@ func Test_log() + call delete('Xlogfile') + endfunc + ++func Test_log_nonexistent() ++ " this used to crash Vim ++ CheckFeature channel ++ let result = join(systemlist(GetVimCommand() .. ' --log /X/Xlogfile -c qa!')) ++ call assert_match("E484: Can't open file", result) ++endfunc ++ + func Test_read_stdin() + let after =<< trim [CODE] + write Xtestout + diff --git a/0020-fix-CVE-2025-29768.patch b/0020-fix-CVE-2025-29768.patch new file mode 100644 index 0000000..963409c --- /dev/null +++ b/0020-fix-CVE-2025-29768.patch 
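Review bot: The comments on the two new functions, "Initialisation #1" and "Initialisation #2 shared by main() and some tests", do not say why the split exists or which order is required. Going by the commit message, common_init_1() has to run before the early `--startuptime`/`--log` argument scan so that the execution stack set up by `estack_init()` exists when opening the log file fails; a comment on common_init_1() such as `// Must run before the early "--log" scan: error reporting needs estack_init().` would keep a later reorder from reintroducing the crash. As rendered on this page the call sites read `common_init_2(¶ms)`; confirm the patch file itself contains `&params`, since a copy taken from an HTML view would not compile. Both functions continue outside the hunks shown.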
@@ -0,0 +1,44 @@
+From 2143c4cd5b4a61b9045352a6a105713cccaef693 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Wed, 12 Mar 2025 22:04:01 +0100
+Subject: [PATCH] patch 9.1.1198: [security]: potential data loss with zip.vim
+
+Problem: [security]: potential data loss with zip.vim and special
+ crafted zip files (RyotaK)
+Solution: use glob '[-]' to protect filenames starting with '-'
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf
+
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index a27fefe..4bb058a 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -8,6 +8,7 @@
+ " 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted
+ " 2024 Aug 05 by Vim Project: workaround for the FreeBSD's unzip
+ " 2024 Aug 18 by Vim Project: correctly handle special globbing chars
++" 2025 Mar 11 by Vim Project: handle filenames with leading '-' correctly
+ " License: Vim License (see vim's :help license)
+ " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ " Permission is hereby granted to use and distribute this code,
+@@ -406,6 +407,11 @@ fun! zip#Extract()
+ return
+ endif
+ let target = fname->substitute('\[', '[[]', 'g')
++ " unzip 6.0 does not support -- to denote end-of-arguments
++ " unzip 6.1 (2010) apparently supports, it, but hasn't been released
++ " so the workaround is to use glob '[-]' so that it won't be considered an argument
++ " else, it would be possible to use 'unzip -o '-d/tmp' to extract the whole archive
++ let target = target->substitute('^-', '[&]', '')
+ if &shell =~ 'cmd' && (has("win32") || has("win64"))
+ let target = target
+ \ ->substitute('[?*]', '[&]', 'g')
+--
+2.47.3
+
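Review bot: The leading-'-' workaround is applied only in zip#Extract(); the other zip.vim backports on this page show zip#Read() still passing the member name as `-p -- zipfile fname`. If `--` is not honoured by unzip 6.0, as the new comment states, a member name starting with `-` would still be parsed as an option there; this is worth confirming and, if so, the same `->substitute('^-', '[&]', '')` should be applied to `fname` in zip#Read(). The patch also changes only `runtime/autoload/zip.vim`, so no regression test in this package covers a member name with a leading '-'. zip#Extract() continues outside the hunk.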
diff --git a/backport-runtime-Fix-for-FreeBSD-unzip-command.patch b/backport-runtime-Fix-for-FreeBSD-unzip-command.patch
new file mode 100644
index 0000000..d14db01
--- /dev/null
+++ b/backport-runtime-Fix-for-FreeBSD-unzip-command.patch
@@ -0,0 +1,64 @@ +From f0e9b72c8fdd47b9b410a11edf7479953cb2aed9 Mon Sep 17 00:00:00 2001 +From: Damien <141588647+xrandomname@users.noreply.github.com> +Date: Mon, 5 Aug 2024 20:21:18 +0200 +Subject: [PATCH] runtime(zip): Fix for FreeBSD's unzip command + +Problem: Cannot browse zipfiles with the unzip program found + on FreeBSD. +Solution: Adjust command arguments. + +Unzip found on FreeBSD complain about missing argument with the +zipinfo modifier '-Z -1'. Joining arguments seems to work +for both implementations. + +Also change `:sil!` to `:sil` so that error messages are properly +reported (per review of Christian Brabandt). + +related: #15411 + +Signed-off-by: Damien <141588647+xrandomname@users.noreply.github.com> +Signed-off-by: Christian Brabandt +--- + runtime/autoload/zip.vim | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim +index e8973e3c80cc8a..8876ef08e60500 100644 +--- a/runtime/autoload/zip.vim ++++ b/runtime/autoload/zip.vim +@@ -1,11 +1,12 @@ + " zip.vim: Handles browsing zipfiles + " AUTOLOAD PORTION +-" Date: Jul 23, 2024 ++" Date: Aug 05, 2024 + " Version: 33 + " Maintainer: Charles E Campbell + " Last Change: + " 2024 Jul 23 by Vim Project: fix 'x' command + " 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted ++" 2024 Aug 05 by Vim Project: workaround for the FreeBSD's unzip + " License: Vim License (see vim's :help license) + " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1 + " Permission is hereby granted to use and distribute this code, +@@ -138,7 +139,7 @@ fun! zip#Browse(zipfile) + keepj $ + + " call Decho("exe silent r! ".g:zip_unzipcmd." -l -- ".s:Escape(a:zipfile,1)) +- exe "keepj sil! r! ".g:zip_unzipcmd." -Z -1 -- ".s:Escape(a:zipfile,1) ++ exe $"keepj sil r! {g:zip_unzipcmd} -Z1 -- {s:Escape(a:zipfile, 1)}" + if v:shell_error != 0 + redraw! + echohl WarningMsg | echo "***warning*** (zip#Browse) ".fnameescape(a:zipfile)." 
is not a zip file" | echohl None +@@ -246,7 +247,7 @@ fun! zip#Read(fname,mode) + let temp = tempname() + " call Decho("using temp file<".temp.">") + let fn = expand('%:p') +- exe "sil! !".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fnameescape(fname),1).' > '.temp ++ exe "sil !".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fname,1).' > '.temp + " call Decho("exe sil! !".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fnameescape(fname),1).' > '.temp) + sil exe 'keepalt file '.temp + sil keepj e! +-- +2.43.0 + + diff --git a/backport-runtime-correctly-extract-file-from-zip-browser.patch b/backport-runtime-correctly-extract-file-from-zip-browser.patch new file mode 100644 index 0000000..4e42857 --- /dev/null +++ b/backport-runtime-correctly-extract-file-from-zip-browser.patch 
@@ -0,0 +1,45 @@
+From 0f94ae043ad295dee7eceeb49b0a9bff3e64b426 Mon Sep 17 00:00:00 2001
+From: Damien <141588647+xrandomname@users.noreply.github.com>
+Date: Tue, 23 Jul 2024 19:56:54 +0200
+Subject: [PATCH] runtime(zip): correctly extract file from zip browser
+
+Problem: Enter 'x' in zip browser fail with E121
+Solution: Fix typo in zip#Extract()
+
+closes: #15321
+
+Signed-off-by: Damien <141588647+xrandomname@users.noreply.github.com>
+Signed-off-by: Christian Brabandt
+---
+ runtime/autoload/zip.vim | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index 0d9984b..21f68f7 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -1,8 +1,10 @@
+ " zip.vim: Handles browsing zipfiles
+ " AUTOLOAD PORTION
+-" Date: Mar 12, 2023
++" Date: Jul 23, 2024
+ " Version: 33
+ " Maintainer: Charles E Campbell
++" Last Change:
++" 2024 Jul 23 by Vim Project: fix 'x' command
+ " License: Vim License (see vim's :help license)
+ " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ " Permission is hereby granted to use and distribute this code,
+@@ -402,8 +404,7 @@ fun! zip#Extract()
+ endif
+
+ " extract the file mentioned under the cursor
+-" call Decho("system(".g:zip_extractcmd." ".shellescape(b:zipfile)." ".shellescape(shell).")")
+- call system(g:zip_extractcmd." ".shellescape(b:zipfile)." ".shellescape(shell))
++ call system($"{g:zip_extractcmd} {shellescape(b:zipfile)} {shellescape(fname)}")
+ " call Decho("zipfile<".b:zipfile.">")
+ if v:shell_error != 0
+ echohl Error | echo "***error*** ".g:zip_extractcmd." ".b:zipfile." ".fname.": failed!" | echohl NONE
+--
+2.47.3
+
diff --git a/backport-runtime-escape-on-Unix-as-well.patch b/backport-runtime-escape-on-Unix-as-well.patch
new file mode 100644
index 0000000..717eb9f
--- /dev/null
+++ b/backport-runtime-escape-on-Unix-as-well.patch
@@ -0,0 +1,57 @@ +From 918bce26d464dfbeb0ac813a261692a59a58c684 Mon Sep 17 00:00:00 2001 +From: zeertzjq +Date: Sun, 4 Aug 2024 18:35:50 +0200 +Subject: [PATCH] runtime(zip): escape '[' on Unix as well + +Problem: After 6f1cbfc9ab483a09877e153ad130164875c40b1d fnameescape() + is no longer called on the name of the file to be extracted. + However, while spaces indeed don't need to be escaped, unzip + treats '[' as a wildcard character, so it need to be escaped. +Solution: Escape '[' on both MS-Windows and Unix. + +From the docs it seems '*' and '?' also need escaping, but they seem to +actually work without escaping. + +fixes: neovim/neovim#29977 +closes: #15427 + +Signed-off-by: zeertzjq +Signed-off-by: Christian Brabandt +--- + runtime/autoload/zip.vim | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim +index 21f68f7..bdd9eac 100644 +--- a/runtime/autoload/zip.vim ++++ b/runtime/autoload/zip.vim +@@ -5,6 +5,7 @@ + " Maintainer: Charles E Campbell + " Last Change: + " 2024 Jul 23 by Vim Project: fix 'x' command ++" 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted + " License: Vim License (see vim's :help license) + " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1 + " Permission is hereby granted to use and distribute this code, +@@ -225,8 +226,8 @@ fun! zip#Read(fname,mode) + else + let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','') + let fname = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','') +- let fname = substitute(fname, '[', '[[]', 'g') + endif ++ let fname = substitute(fname, '[', '[[]', 'g') + " call Decho("zipfile<".zipfile.">") + " call Decho("fname <".fname.">") + " sanity check +@@ -240,7 +241,7 @@ fun! zip#Read(fname,mode) + endif + + " the following code does much the same thing as +- " exe "keepj sil! r! ".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." 
".s:Escape(fnameescape(fname),1) ++ " exe "keepj sil! r! ".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fname,1) + " but allows zipfile://... entries in quickfix lists + let temp = tempname() + " call Decho("using temp file<".temp.">") +-- +2.47.3 + diff --git a/backport-runtime-zip-plugin-has-problems-with-special.patch b/backport-runtime-zip-plugin-has-problems-with-special.patch new file mode 100644 index 0000000..9be2330 --- /dev/null +++ b/backport-runtime-zip-plugin-has-problems-with-special.patch 
@@ -0,0 +1,108 @@ +From 247d0d3ed1d3ee03455159d5bb79d4aaa91d0257 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Tue, 20 Aug 2024 22:41:52 +0200 +Subject: [PATCH] patch 9.1.0686: zip-plugin has problems with special + characters + +Problem: zip-plugin has problems with special characters + (user202729) +Solution: escape '*?[\' on Unix and handle those chars + a bit differently on MS-Windows, add a test, check + before overwriting files + +runtime(zip): small fixes for zip plugin + +This does the following: +- verify the unzip plugin is executable when loading the autoload plugin +- handle extracting file names with '[*?\' in its name correctly by + escaping those characters for the unzip command (and handle those + characters a bit differently on MS-Windows, since the quoting is different) +- verify, that the extract plugin is not overwriting a file (could cause + a hang, because unzip asking for confirmation) +- add a test zip file which contains those special file names + +fixes: #15505 +closes: #15519 + +Signed-off-by: Christian Brabandt +--- + runtime/autoload/zip.vim | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim +index 4d2082a..a27fefe 100644 +--- a/runtime/autoload/zip.vim ++++ b/runtime/autoload/zip.vim +@@ -1,12 +1,13 @@ + " zip.vim: Handles browsing zipfiles + " AUTOLOAD PORTION +-" Date: Aug 05, 2024 ++" Date: Aug 18, 2024 + " Version: 33 + " Maintainer: Charles E Campbell + " Last Change: + " 2024 Jul 23 by Vim Project: fix 'x' command + " 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted + " 2024 Aug 05 by Vim Project: workaround for the FreeBSD's unzip ++" 2024 Aug 18 by Vim Project: correctly handle special globbing chars + " License: Vim License (see vim's :help license) + " Copyright: Copyright (C) 2005-2019 Charles E. 
Campbell {{{1 + " Permission is hereby granted to use and distribute this code, +@@ -61,6 +62,11 @@ if !exists("g:zip_extractcmd") + let g:zip_extractcmd= g:zip_unzipcmd + endif + ++" sanity checks ++ if !executable(g:zip_unzipcmd) ++ echohl Error | echo "***error*** (zip#Browse) unzip not available on your system" | echohl None ++ finish ++ endif + if !dist#vim#IsSafeExecutable('zip', g:zip_unzipcmd) + echoerr "Warning: NOT executing " .. g:zip_unzipcmd .. " from current directory!" + finish +@@ -228,7 +234,7 @@ fun! zip#Read(fname,mode) + let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','') + let fname = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','') + endif +- let fname = substitute(fname, '[', '[[]', 'g') ++ let fname = fname->substitute('[', '[[]', 'g')->escape('?*\\') + " call Decho("zipfile<".zipfile.">") + " call Decho("fname <".fname.">") + " sanity check +@@ -395,18 +401,24 @@ fun! zip#Extract() + " call Dret("zip#Extract") + return + endif +- if fname =~ '/$' +- redraw! +- echohl Error | echo "***error*** (zip#Extract) Please specify a file, not a directory" | echohl None +- return +- elseif fname =~ '^[.]\?[.]/' +- redraw! +- echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None ++ if filereadable(fname) ++ echohl Error | echo "***error*** (zip#Extract) <".fname."> already exists in directory, not overwriting!" 
| echohl None + return +- endif ++ endif ++ let target = fname->substitute('\[', '[[]', 'g') ++ if &shell =~ 'cmd' && (has("win32") || has("win64")) ++ let target = target ++ \ ->substitute('[?*]', '[&]', 'g') ++ \ ->substitute('[\\]', '?', 'g') ++ \ ->shellescape() ++ " there cannot be a file name with '\' in its name, unzip replaces it by _ ++ let fname = fname->substitute('[\\?*]', '_', 'g') ++ else ++ let target = target->escape('*?\\')->shellescape() ++ endif + + " extract the file mentioned under the cursor +- call system($"{g:zip_extractcmd} {shellescape(b:zipfile)} {shellescape(fname)}") ++ call system($"{g:zip_extractcmd} -o {shellescape(b:zipfile)} {target}") + " call Decho("zipfile<".b:zipfile.">") + if v:shell_error != 0 + echohl Error | echo "***error*** ".g:zip_extractcmd." ".b:zipfile." ".fname.": failed!" | echohl NONE +-- +2.47.3 + diff --git a/vim.spec b/vim.spec index 228b21f..7fe3ab8 100644 --- a/vim.spec +++ b/vim.spec @@ -1,4 +1,4 @@ -%define anolis_release 7 +%define anolis_release 8 %bcond_without gui %bcond_with default_editor 
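Review bot: The rebased zip#Extract() hunk deletes two existing guards instead of adding to them: the `if fname =~ '/$'` directory check and the `elseif fname =~ '^[.]\?[.]/'` branch that prints "Path Traversal Attack detected, not extracting!" are both on removed lines, leaving `filereadable(fname)` as the only check before extraction. Together with the `-o` flag added to the unzip call, a member name beginning with `./` or `../` is no longer rejected. The traversal guard presumably came from the CVE-2025-53906 fix listed in the -7 changelog entry, in which case this backport would undo it. Keep both branches and attach the new test as a third one, `elseif filereadable(fname)`, ahead of the shared `return` and `endif`. zip#Extract() begins and ends outside the hunk.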
@@ -76,6 +76,18 @@ Patch0014: 0014-update-tar_vim-to-support-permissions.patch Patch0015: 0015-fix-code-execution-with-tar_vim.patch # https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239 Patch0016: 0016-fix-CVE-2025-53905.patch +# https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead +Patch0017: 0017-fix-CVE-2025-22134.patch +# https://github.com/vim/vim/commit/c0f0e2380e5954f4a52a131bf6b8 +Patch0018: 0018-fix-CVE-2025-26603.patch +# https://github.com/vim/vim/commit/c5654b84480822817bb7b69ebc97c174c91185e9 +Patch0019: 0019-fix-CVE-2025-1215.patch +# https://github.com/vim/vim/commit/f209dcd3defb95bae21b2740910e6aa7bb940531 +Patch0020: backport-runtime-correctly-extract-file-from-zip-browser.patch +Patch0021: backport-runtime-escape-on-Unix-as-well.patch +Patch0022: backport-runtime-Fix-for-FreeBSD-unzip-command.patch +Patch0023: backport-runtime-zip-plugin-has-problems-with-special.patch +Patch0024: 0020-fix-CVE-2025-29768.patch Patch1001: 1001-vim-8.0-copy-paste.patch #CVE-2024-22667 @@ -85,6 +97,9 @@ Patch1002: 1002-stack-buffer-overflow-in-option-callback-functions.patch Patch1003: 1003-fix-cve-2025-24014.patch # https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8 Patch1004: 1004-fix-CVE-2024-43374.patch +# https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5 +# https://github.com/vim/vim/commit/b29f4abcd4b3382fa746edd1d0562b7b48c9de60 +Patch1005: 1005-fix-CVE-2024-41957-and-CVE-2024-41965.patch BuildRequires: autoconf gcc glibc-gconv-extra make BuildRequires: gettext gpm-devel libacl-devel @@ -829,6 +844,9 @@ touch %{buildroot}/%{data_dir}/vimfiles/doc/tags %endif %changelog +* Mon Aug 25 2025 zjl002254423 -3:9.0.2092-8 +- Add patch to fix CVE-2025-22134,CVE-2025-26603,CVE-2024-1215,CVE-2025-29768,CVE-2024-41957,CVE-2024-41965 + * Wed Jul 30 2025 zjl002254423 -3:9.0.2092-7 - Add patch to fix CVE-2025-53905,CVE-2025-53906,CVE-2024-41957,CVE-2024-41965,CVE-2024-47814 
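Review bot: The provenance comments in this block do not line up with the patches they sit above. `# https://github.com/vim/vim/commit/f209dcd3defb95bae21b2740910e6aa7bb940531` precedes Patch0020, the zip-browser backport whose own header names a different commit, and appears to belong to Patch0024 (`0020-fix-CVE-2025-29768.patch`); Patch0021 to Patch0024 carry no reference at all, and the Patch0018 URL is cut to 28 hex digits where the patch header shows `c0f0e2380e5954f4a52a131bf6b8499838ad1dae`. Registering the file named `0020-…` as Patch0024 also makes the numbering harder to audit. The changelog entry added further down records `CVE-2024-1215`, while the patch file is `0019-fix-CVE-2025-1215.patch`; the entry should read `CVE-2025-1215` so that vulnerability tracking matches the shipped fix.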
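Review bot: `Patch1005: 1005-fix-CVE-2024-41957-and-CVE-2024-41965.patch` is registered here, but the commit's file list creates eight patch files and that one is not among them. If the file is not already in the repository, the build stops in %prep on the missing source; if it is, the -7 changelog entry already claimed both CVEs as fixed, which suggests the patch was shipped without being applied until now. In either case a comment above the line, e.g. `# patch file already in tree; first applied in release 8` (wording to be confirmed against the repository history), would make the state of those two CVEs auditable.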
@@ -845,7 +863,7 @@ touch %{buildroot}/%{data_dir}/vimfiles/doc/tags * Thu Aug 29 2024 wangce - 3:9.0.2092-3 - fix fix CVE-2024-22667 -* Tue Wed 27 2024 houfangdong - 3:9.0.2092-2 +* Wed Mar 27 2024 houfangdong - 3:9.0.2092-2 - New patchlevel 9.0.2092 * Tue Nov 23 2023 Funda Wang - 2:9.0.2122-1 -- Gitee