Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <aHa8pkMVruLeYeZ2@256bit.org>
Date: Tue, 15 Jul 2025 22:40:06 +0200
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] path traversal issue with tar.vim and special crafted
 tar archives in Vim < 9.1.1552

path traversal issue with tar.vim and special crafted tar archives in Vim < 9.1.1552
====================================================================================
Date: 15.07.2025
Severity: Low
CVE: CVE-2025-53905
CWE: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

### Summary
A path traversal issue in Vim’s tar.vim plugin can allow overwriting of
arbitrary files when opening specially crafted tar archives.

### Description
Vim includes the tar.vim plugin, which enables viewing and editing of files
within tar (and compressed tar) archives.

An attacker can create a tar archive that contains member files with relative
paths (e.g., ../../somefile). If such an archive is opened in Vim, and the user
saves one of these malicious files, Vim may overwrite files outside the
intended working directory.

Exploitation requires several conditions:
- The user opens a specially crafted archive in Vim.
- The user selects and attempts to edit one of the files within the archive.
- Vim writes the file back to disk using :w!.

Only after all these steps are performed would Vim overwrite an existing file
on disk.

**Note**:
- Vim does display the full path to be written, so a careful user may notice
  suspicious behavior.
- Standard tar utilities typically do not extract such paths and will warn or
  skip them. This issue only affects Vim's internal handling, not the tar tool
  itself.


### Proof of Concept
As a Proof of Concept, the following code crafts a malicious archive:
```
echo pwned > pwn; tar --transform='s|^|/etc/ax-|' -cf evil.tar pwn
```
If the file contained in the evil.tar archive is edited through vim, typing
':w' to save it will create /etc/ax-pwn on the host filesystem (provided that
the user has sufficient permissions to write into the /etc directory.

### Impact
Impact is **low** because this exploit requires direct user interaction:

However successfully exploitation can lead to overwritint sensitive files or
placing executable code in privileged locations, depending on the permissions
of the process editing the archive.

The victim must edit such a file using Vim which will reveal the filename
and the file content, a careful user may suspect some strange things going on.
Successful exploitation could results in the ability to execute
arbitrary commands on the underlying operating system.

The Vim project would like to thank @ax for reporting this issue.

The issue has been fixed as of Vim patch v9.1.1552

[Commit](https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239)
[Github Advisory](https://github.com/vim/vim/security/advisories/GHSA-74v4-f3x9-ppvr)
Liebe Grüße
Christian

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.