patch 9.2.0479: [security]: runtime(tar): command injection in tar plugin

Problem: [security]: runtime(tar): command injection in tar plugin (Christopher Lusk) Solution: Use the correct shellescape(args, 1) form for a :! command Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w Signed-off-by: Christian Brabandt <cb@256bit.org>
2026-05-28 00:21:37 +02:00 · 2026-05-14 15:35:28 +00:00
parent 950f501a18
commit 3fb5e58fbc
3 changed files with 24 additions and 2 deletions
@@ -25,6 +25,7 @@
 "   2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930)
 "   2026 Apr 15 by Vim Project: fix more path traversal issues (#19981)
 "   2026 Apr 16 by Vim Project: use g:tar_secure in tar#Extract()
+"   2026 May 14 by Vim Project: use correct shellescape() call in Vimuntar()
 "
 "	Contains many ideas from Michael Toren's <tar.vim>
 "
@@ -832,9 +833,9 @@ fun! tar#Vimuntar(...)
  " if necessary, decompress the tarball; then, extract it
  if tartail =~ '\.tgz'
   if executable("gunzip")
-    silent exe "!gunzip ".shellescape(tartail)
+    silent exe "!gunzip ".shellescape(tartail, 1)
   elseif executable("gzip")
-    silent exe "!gzip -d ".shellescape(tartail)
+    silent exe "!gzip -d ".shellescape(tartail, 1)
   else
    echoerr "unable to decompress<".tartail."> on this system"
    if simplify(curdir) != simplify(tarhome)
@@ -318,3 +318,22 @@ def g:Test_extract_with_dotted_filename()
  delete('X.txt')
  bw!
 enddef
+
+def g:Test_extract_command_injection()
+  CheckExecutable gunzip
+  CheckExecutable touch
+  var tgz = eval('0z1F8B08087795056A000364756D6D792E74617200EDCE2B12C2300004D01C254' ..
+   '7480269CE534080A8495BD1DBF3996106C3A08A7ACFACD8157B59A7690BFB4A0FC3707C666E357D' ..
+   'E65BC8B5A47CC8A5D61A522EA5B510D3CEBF5ED679197B8CE17CEDB7F9D4C76FBB5F3D000000000' ..
+   '000000000FCD11D32415E2C00280000')
+  var dirname = tempname()
+
+  mkdir(dirname, 'R')
+  var tar = dirname .. "/';%$(touch pwned)'.tgz"
+  writefile(tgz, tar)
+  new
+  exe "e " .. fnameescape(tar)
+  exe ":Vimuntar " .. dirname
+  assert_false(filereadable(dirname .. "/pwned"))
+  bw!
+enddef
@@ -729,6 +729,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    479,
 /**/
    478,
 /**/