=====================================================================
CERT-Renater Information Note No. 2025/VULN448
_____________________________________________________________________

DATE                 : 16/07/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Vim versions prior to 9.1.1552.
=====================================================================

https://github.com/vim/vim/security/advisories/GHSA-74v4-f3x9-ppvr
https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86
_____________________________________________________________________

Path traversal issue with tar.vim and specially crafted tar files in Vim < 9.1.1552
Moderate

chrisbra published GHSA-74v4-f3x9-ppvr on Jul 15, 2025

Package           : Vim
Affected versions : < v9.1.1552
Patched versions  : v9.1.1552

Description

Path traversal issue with tar.vim and specially crafted tar archives

Date     : 15.07.2025
Severity : Low
CVE      : not-yet-assigned
CWE      : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Summary

A path traversal issue in Vim's tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives.

Description

Vim includes the tar.vim plugin, which enables viewing and editing of files within tar (and compressed tar) archives. An attacker can create a tar archive that contains member files with relative paths (e.g., ../../somefile). If such an archive is opened in Vim and the user saves one of these malicious files, Vim may overwrite files outside the intended working directory.

Exploitation requires several conditions:

  - The user opens a specially crafted archive in Vim.
  - The user selects and attempts to edit one of the files within the archive.
  - Vim writes the file back to disk using :w!.

Only after all these steps are performed would Vim overwrite an existing file on disk.

Note: Vim does display the full path to be written, so a careful user may notice suspicious behavior. Standard tar utilities typically do not extract such paths and will warn or skip them. This issue only affects Vim's internal handling, not the tar tool itself.

Proof of Concept

As a Proof of Concept, the following command crafts a malicious archive:

    echo pwned > pwn; tar --transform='s|^|/etc/ax-|' -cf evil.tar pwn

If the file contained in the evil.tar archive is edited through Vim, typing ':w' to save it will create /etc/ax-pwn on the host filesystem (provided that the user has sufficient permissions to write into the /etc directory).

Impact

Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content, so a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system.

The Vim project would like to thank @ax for reporting this issue.

The issue has been fixed as of Vim patch v9.1.1552
Commit | GitHub Advisory

Severity : Moderate, 4.1 / 10

CVSS v3 base metrics
  Attack vector       : Local
  Attack complexity   : High
  Privileges required : None
  User interaction    : Required
  Scope               : Changed
  Confidentiality     : None
  Integrity           : Low
  Availability        : Low
  CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L

CVE ID     : No known CVE
Weaknesses : CWE-22
Credits    : @ax (ax), Reporter
_____________________________________________________________________

Path traversal issue with zip.vim and specially crafted zip archives in Vim < v9.1.1551
Moderate

chrisbra published GHSA-r2fw-9cw4-mj86 on Jul 15, 2025

Package           : Vim
Affected versions : < v9.1.1551
Patched versions  : v9.1.1551

Description

Date     : 15.07.2025
Severity : Low
CVE      : CVE-2025-53906
CWE      : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Summary

A path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives.

Description

Vim includes the zip.vim plugin, which enables viewing and editing of files within zip archives. An attacker can create a zip archive that contains member files with relative paths (e.g., ../../somefile). If such an archive is opened in Vim and the user saves one of these malicious files, Vim may overwrite files outside the intended working directory.

Exploitation requires several conditions:

  - The user opens a specially crafted archive in Vim.
  - The user selects and attempts to edit one of the files within the archive.
  - Vim writes the file back to disk using :w!.

Only after all these steps are performed would Vim overwrite an existing file on disk.

Note: Vim does display the full path to be written, so a careful user may notice suspicious behavior. Standard zip utilities typically do not extract such paths and will warn or skip them. This issue only affects Vim's internal handling, not the zip tool itself.

Proof of Concept

As a Proof of Concept, the following code crafts a malicious archive:

    import zipfile

    zip_path = 'evil.zip'
    fname = 'file'
    arcname = '/etc/ax-pwn'
    arcname = '../../../../etc/ax-pwn'   # overrides the absolute form on the previous line

    # write the member content to a local file, then store it under the traversal name
    with open(fname, 'w') as f:
        f.write("pwned\n")

    with zipfile.ZipFile(zip_path, 'w') as zipf:
        zipf.write(fname, arcname)

    print(f"Created {zip_path}")

If the file contained in the evil.zip archive is edited through Vim, typing ':w' to save it will create /etc/ax-pwn on the host filesystem (provided that the user has sufficient permissions to write into the /etc directory).

Impact

Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content, so a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system.

The Vim project would like to thank @ax for reporting this issue.

The issue has been fixed as of Vim patch v9.1.1551
Commit | GitHub Advisory

Severity : Moderate, 4.1 / 10

CVSS v3 base metrics
  Attack vector       : Local
  Attack complexity   : High
  Privileges required : None
  User interaction    : Required
  Scope               : Changed
  Confidentiality     : None
  Integrity           : Low
  Availability        : Low
  CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L

CVE ID     : No known CVE
Weaknesses : CWE-22
Credits    : @ax (ax), Reporter

=========================================================
+ CERT-RENATER       | tel   : 01-53-94-20-44          +
+ 23/25 Rue Daviel   | fax   : 01-53-94-20-41          +
+ 75013 Paris        | email : cert@support.renater.fr +
=========================================================
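As an added example (not part of the CERT-Renater note or of the Vim advisories), a pre-open check covering both the tar.vim and zip.vim cases above: it lists the members of an archive whose stored names would be written outside the archive root, i.e. the absolute and ../ forms the two proofs of concept rely on. The function names are assumed; build_tar and build_zip only construct in-memory sample archives so the check can be exercised offline.

```python
import io
import posixpath
import tarfile
import zipfile
from typing import Dict, List

def is_unsafe_member(name: str) -> bool:
    """True if an archive member name would be written outside the archive root
    (empty names, embedded NULs, absolute paths, or '..' that climbs above it)."""
    if not name or "\x00" in name:
        return True
    path = name.replace("\\", "/")  # some archivers emit backslash separators
    if path.startswith("/") or path[1:2] == ":":
        return True  # absolute POSIX path or Windows drive letter
    # normpath keeps leading '..', so 'a/../b' -> 'b' but 'a/../../b' -> '../b'
    collapsed = posixpath.normpath(path)
    return collapsed == ".." or collapsed.startswith("../")

def unsafe_members(data: bytes) -> List[str]:
    """Member names of a tar or zip archive (given as bytes) that escape the root."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            names = [m.name for m in tf.getmembers()]
    return [n for n in names if is_unsafe_member(n)]

def build_tar(members: Dict[str, bytes]) -> bytes:
    """Constructed in-memory tar for testing; TarInfo stores the name verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed in-memory zip for testing; ZipInfo stores the name verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(zipfile.ZipInfo(name), payload)
    return buf.getvalue()
```

Run unsafe_members over an archive's bytes before handing it to an editor or extractor; a non-empty result is the signal to refuse or quarantine it.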