editors/vim: Update to 9.1.1198 (security)

potential data loss with zip.vim and special crafted zip files

Date: 12.03.2025
Severity: Medium
CVE: CVE-2025-29768
CWE: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
Summary

potential data loss with zip.vim and special crafted zip files
Description

Vim is distributed with the zip.vim plugin, that allows easy editing and
viewing of zip archives.

To view and extract zip files, vim uses the unzip(1) command, usually
provided by Info-ZIP, latest version on Debian is 6.0 from April 2009.

If an attacker creates an archive which contains a file -d/tmp, and a Vim
user views such a file and tries to extract such filename from
the archive, Vim will essentially run the following unzip command:

unzip -o <archive.zip> member-filename

However, since the member-filename is called -d/tmp, this is seen by
the unzip command as an additional argument and it therefore happily
extracts the whole archive into the mentioned directory, overwriting existing
files because of the -o.

Unfortunately, the latest released unzip version does not support --
as and end-of-argument marker, so we cannot use this to mark the
beginning of the member-files for unzip. Well, apparently there exists
some 6.10 beta release, that hasn't made it to an official release
yet which supports the use of the -- marker since 2010 (but this isn't
widely known).

Therefore, Vim will try to work-around it by using the [-] glob when a
filename starts with a - to protect unzip from parsing the filename as
an argument, which is just an ugly work-around.
Impact

Impact is moderate because a user must be made to view such an archive
with Vim and then press 'x' to extract such a strange filename.

The Vim project would like to thank @Ry0taK (GMO Flatt Security Inc) and
@takumi-san-ai for reporting this issue.

MFH: 2025Q1
Security: GHSA-693p-m996-3rmf
(cherry picked from commit f1e4dac294a4de0cd9dcf6d85d0573a70e2bc2cd)