oss-sec mailing list archives
Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198
From: Eli Schwartz <eschwartz () gentoo org>
Date: Thu, 13 Mar 2025 01:03:21 -0400
On 3/13/25 12:14 AM, Solar Designer wrote:
On Wed, Mar 12, 2025 at 10:22:23PM +0100, Christian Brabandt wrote:Therefore, Vim will try to work-around it by using the `[-]` glob when a filename starts with a `-` to protect unzip from parsing the filename as an argument, which is just an ugly work-around.I was puzzled by this. I expected that if you were running unzip via the shell, then the glob pattern would be expanded back to a simple dash before being passed to unzip, and if you were running unzip directly then the glob pattern would never be expanded, so the brackets would break the intended behavior. However, it appears that unzip itself expands glob patterns even for archive names (not only for matching files in archives)? I guess this is unexpected by many unzip users, and it likely allows for other attacks on unzip and on the zip.vim plugin, by providing a filename that includes glob patterns in it so that a different archive would be processed.
It certainly surprised me! That being said, given the potential danger is I guess limited to extracting multiple archives you didn't expect but you still cannot control the location (without using the member-named-leading-dash-d trick as well) and you also have to convince the user to have multiple zip archives in the same directory, it seems harder to pull anything off like this. Note: unzip won't re-parse globs in a directory segment, only the final filename segment.
Otherwise, a workaround for the original issue would be to prefix the filename with ./ as we most recently discussed in this thread: https://www.openwall.com/lists/oss-security/2024/11/06/1
unzip will not permit you to run: ``` unzip foo.zip ./dir1/member ``` in order to extract an archive member named "dir1/member". There is no ./ member in the archive, it's not resolved like a filesystem path. It will print a diagnostic: "caution: filename not matched: ./dir1/member" and exit 11 (no matching files were found.) -- Eli Schwartz
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
Current thread:
- [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Christian Brabandt (Mar 12)
- Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Solar Designer (Mar 12)
- Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Eli Schwartz (Mar 12)
- Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Christian Brabandt (Mar 13)
- Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Eli Schwartz (Mar 12)
- Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 Solar Designer (Mar 12)