Message-ID: <agXwIrvbXxGulKbo@256bit.org>
Date: Thu, 14 May 2026 17:54:10 +0200
From: Christian Brabandt <cblists@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] Command Injection in tar.vim affects Vim < 9.2.479
Command Injection in tar.vim affects Vim < 9.2.479
==================================================
Date: 14.05.2026
Severity: Medium
CVE: *requested, not yet assigned*
CWE: Improper Neutralization of Special Elements used in an OS Command (CWE-78) /
Improper Neutralization of Argument Delimiters in a Command (CWE-88)
## Summary
A command injection vulnerability exists in `tar#Vimuntar()` in
`runtime/autoload/tar.vim` when decompressing `.tgz` archives on
Unix-like systems. The function builds `:!gunzip` and `:!gzip -d`
commands using `shellescape(tartail)` without the `{special}` flag,
allowing a crafted archive filename to trigger Vim cmdline-special
expansion and execute shell commands in the user's context.
## Description
In `tar#Vimuntar()` (`runtime/autoload/tar.vim`), the archive tail name
derived from the current buffer filename is incorporated into a `:!`
command via `shellescape()` without the second argument. For `:!`
commands, Vim re-expands cmdline-special characters (`%`, `#`, `!`, and
similar) before passing the command to the shell. As documented under
`:help shellescape()`, the second argument must be set to a non-zero
value (`shellescape({string}, 1)`) whenever the result is used inside
`:!` or `:r !`. Because the flag is omitted here, a filename containing
both shell metacharacters and Vim special characters can break out of
the intended single-quoted argument and inject arbitrary shell commands.
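As an added illustration (not the tar.vim source or the upstream patch), the following Vim script places the weak pattern the advisory describes beside the hardened one and includes a small check that makes the difference visible in any Vim. Function names and the sample filename are constructed for this example.

```vim
" Added illustration, not the tar.vim code or the fix commit.

" WEAK pattern: shellescape() without {special}. The result is single-quoted
" for the shell, but :! still expands cmdline-special characters (%, #, !)
" inside the string before the shell ever sees it.
function! s:UnpackWeak(tartail) abort
  execute '!gunzip ' . shellescape(a:tartail)
endfunction

" HARDENED pattern: {special} = 1 backslash-escapes %, #, ! and similar
" items, so :! strips the backslash and passes the quoted name through
" literally. This is the usage :help shellescape() requires for :! and :r !.
function! s:UnpackSafe(tartail) abort
  execute '!gunzip ' . shellescape(a:tartail, 1)
endfunction

" Quick check: escape a constructed, benign name that contains a
" cmdline-special character and compare the two results.
function! ShellescapeDemo() abort
  let name = 'report%.tgz'
  " Without {special}: 'report%.tgz'  -> :! would still expand the %
  echo shellescape(name)
  " With {special}:    'report\%.tgz' -> the % reaches the shell literally
  echo shellescape(name, 1)
  return [shellescape(name), shellescape(name, 1)]
endfunction
```

Source the file and run `:call ShellescapeDemo()`; the second line is the form that should appear wherever `shellescape()` output is spliced into a `:!` or `:r !` command.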
## Impact
The vulnerability allows arbitrary shell command execution with the
privileges of the user running Vim. Exploitation requires:
- a Unix-like system with the tar plugin enabled,
- a crafted `.tgz` archive on disk whose filename contains both a
single quote and Vim cmdline-special characters, and
- the victim to open the file and invoke the non-routine `:Vimuntar`
command.
The severity is rated Medium because successful exploitation yields
arbitrary command execution, but the requirement for a user-initiated
`:Vimuntar` invocation on an attacker-supplied suspicious filename limits the
practical attack surface.
## Acknowledgements
The Vim project would like to thank Aisle Research for reporting and
analyzing the issue.
## References
The issue has been fixed as of Vim patch [v9.2.479](https://github.com/vim/vim/releases/tag/v9.2.0479).
- [Commit](https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1)
- [Github Security Advisory](https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w)
Thanks,
Chris
--
I'm prepared for all emergencies but totally unprepared for everyday life.