Message-ID: <Z9KFQxKr65F50T/M@256bit.org>
Date: Thu, 13 Mar 2025 08:12:03 +0100
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198


On Thu, 13 Mar 2025, Eli Schwartz wrote:

> unzip will not permit you to run:
> 
> ```
> unzip foo.zip ./dir1/member
> ```
> 
> in order to extract an archive member named "dir1/member". There is no
> ./ member in the archive, it's not resolved like a filesystem path.
> 
> It will print a diagnostic: "caution: filename not matched:
> ./dir1/member" and exit 11 (no matching files were found.)

Correct. I tried that; it doesn't work. The whole unzip command-line parsing
looks quite fragile to me:
```
unzip [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^]] file[.zip] [file(s) ...]
[-x xfile(s) ...] [-d exdir]
```
(e.g. it allows optional arguments to follow after any number of
member files).

Thanks,
Christian
-- 
"Problem solving under linux has never been the circus that it is under
AIX."
(By Pete Ehlke in comp.unix.aix)
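The point made above, that an archive member name is a literal string and not a filesystem path (so "./dir1/member" does not find a member stored as "dir1/member"), is worth seeing with a real archive. The following is an added example written for this page, not code from the thread, from Vim's zip.vim or from Info-ZIP; it uses Python's zipfile module on a constructed in-memory archive rather than shelling out to unzip. The `resolve_member` helper is hypothetical: it normalises a user-supplied path before the exact-name lookup and, as a defensive measure motivated by Christian's remark that unzip accepts options after member names, also refuses names that start with "-" or that point outside the archive root. The thread itself does not describe any concrete attack; the checks are the editor's own.

```python
"""Archive member names are literal strings, not filesystem paths.

Added example (not from the thread or from zip.vim/unzip). Builds a small
zip in memory and shows that looking up "./dir1/member" does not find the
member stored as "dir1/member", mirroring unzip's "filename not matched".
"""
import io
import posixpath
import zipfile


def build_sample_zip() -> bytes:
    # Constructed sample archive: a single member stored as "dir1/member".
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("dir1/member", b"hello\n")
    return buf.getvalue()


def member_exists(zip_bytes: bytes, name: str) -> bool:
    """Exact-name lookup: this is how zip tools match a member argument.

    No "./" stripping, no normalisation; the string must appear verbatim
    in the central directory.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return name in zf.namelist()


def resolve_member(zip_bytes: bytes, requested: str):
    """Map a path-like request onto the literal member name, or None.

    Hypothetical helper for a caller (an editor plugin, say) that takes a
    path from the user and must hand an exact member name to an extractor.
    - normalises "./dir1/member" to "dir1/member" before the lookup;
    - refuses absolute names and names that climb above the archive root;
    - refuses a leading "-", since a tool whose parser accepts options
      after member names could otherwise take the name for an option
      (defensive assumption, not a documented unzip behaviour).
    """
    norm = posixpath.normpath(requested)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return None
    if norm.startswith("-"):
        return None
    return norm if member_exists(zip_bytes, norm) else None


if __name__ == "__main__":
    data = build_sample_zip()
    for name in ("dir1/member", "./dir1/member"):
        print(f"exact lookup {name!r}: {member_exists(data, name)}")
    for name in ("./dir1/member", "dir1/../dir1/member", "../dir1/member",
                 "/dir1/member", "-dir1/member"):
        print(f"resolve {name!r} -> {resolve_member(data, name)!r}")
```

Running it shows the exact lookup succeeding only for the verbatim name, while the resolver accepts the "./" and "dir1/../dir1" spellings by normalising them first and rejects the three unsafe forms. A caller that builds an unzip command line should do this kind of normalisation and validation itself, and pass only a name that it has confirmed appears literally in the archive.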
