Package: vim
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for vim.

CVE-2025-53905[0]:
| Vim is an open source, command line text editor. Prior to version
| 9.1.1552, a path traversal issue in Vim's tar.vim plugin can allow
| overwriting of arbitrary files when opening specially crafted tar
| archives. Impact is low because this exploit requires direct user
| interaction. However, successful exploitation can lead to
| overwriting sensitive files or placing executable code in privileged
| locations, depending on the permissions of the process editing the
| archive. The victim must edit such a file using Vim which will
| reveal the filename and the file content, a careful user may suspect
| some strange things going on. Successful exploitation could result
| in the ability to execute arbitrary commands on the underlying
| operating system. Version 9.1.1552 contains a patch for the
| vulnerability.

https://www.openwall.com/lists/oss-security/2025/07/15/1

CVE-2025-53906[1]:
| Vim is an open source, command line text editor. Prior to version
| 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow
| overwriting of arbitrary files when opening specially crafted zip
| archives. Impact is low because this exploit requires direct user
| interaction. However, successful exploitation can lead to
| overwriting sensitive files or placing executable code in privileged
| locations, depending on the permissions of the process editing the
| archive. The victim must edit such a file using Vim which will
| reveal the filename and the file content, a careful user may suspect
| some strange things going on. Successful exploitation could result
| in the ability to execute arbitrary commands on the underlying
| operating system. Version 9.1.1551 contains a patch for the
| vulnerability.

https://www.openwall.com/lists/oss-security/2025/07/15/2

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53905
    https://www.cve.org/CVERecord?id=CVE-2025-53905
[1] https://security-tracker.debian.org/tracker/CVE-2025-53906
    https://www.cve.org/CVERecord?id=CVE-2025-53906

Please adjust the affected versions in the BTS as needed.
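Added example, not part of the bug report and not Vim's own tar.vim/zip.vim code (those are Vimscript): the bug class both CVEs describe is an archive member whose stored name walks out of the extraction directory ("../" components, absolute paths, or a symlink pointing outside followed by a write through it). The Python below builds a crafted tar and a crafted zip in memory (constructed sample data, not real exploit files) and runs the member-name and link-target checks an archive handler should apply before writing anything to disk. The function names and the sample member names are this example's own choices.

```python
import io
import posixpath
import tarfile
import zipfile


def is_safe_member_name(name: str) -> bool:
    """True only if `name` can never leave the extraction directory.

    Rejects empty names, NUL bytes, POSIX absolute paths, Windows drive
    paths, and any '..' path component (backslashes count as separators,
    since zips written on Windows may use them).
    """
    if not name or "\x00" in name:
        return False
    norm = name.replace("\\", "/")
    if norm.startswith("/"):
        return False
    if len(norm) >= 2 and norm[1] == ":" and norm[0].isalpha():
        return False
    return ".." not in norm.split("/")


def is_safe_symlink_target(member_name: str, link_target: str) -> bool:
    """A symlink target is resolved relative to the member's own directory;
    it must not be absolute and must not resolve above the archive root."""
    if link_target.startswith("/"):
        return False
    resolved = posixpath.normpath(
        posixpath.join(posixpath.dirname(member_name), link_target))
    return resolved != ".." and not resolved.startswith("../")


def unsafe_tar_members(data: bytes) -> list:
    """Names of tar members that must not be extracted as-is."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if not is_safe_member_name(m.name):
                bad.append(m.name)
            elif m.issym() and not is_safe_symlink_target(m.name, m.linkname):
                bad.append(m.name)
            elif m.islnk() and not is_safe_member_name(m.linkname):
                # hard-link targets are relative to the archive root
                bad.append(m.name)
    return bad


def unsafe_zip_members(data: bytes) -> list:
    """Names of zip members that must not be extracted as-is."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_member_name(info.filename):
                bad.append(info.filename)
    return bad


def build_crafted_tar() -> bytes:
    """Constructed sample: one harmless file, one '../' escape, one symlink
    that points outside the extraction root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in [("README", b"harmless\n"),
                              ("../../.bashrc", b"echo pwned\n")]:
            ti = tarfile.TarInfo(name)
            ti.size = len(payload)
            tf.addfile(ti, io.BytesIO(payload))
        ln = tarfile.TarInfo("link")
        ln.type = tarfile.SYMTYPE
        ln.linkname = "../../outside"
        tf.addfile(ln)
    return buf.getvalue()


def build_crafted_zip() -> bytes:
    """Constructed sample: one harmless file, one '../' escape, one absolute path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/todo.txt", b"harmless\n")
        zf.writestr("../../.profile", b"echo pwned\n")
        zf.writestr("/etc/cron.d/evil", b"* * * * * root id\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("tar members to refuse:", unsafe_tar_members(build_crafted_tar()))
    print("zip members to refuse:", unsafe_zip_members(build_crafted_zip()))
```

The check is deliberately done on the stored names before any write, rather than by inspecting what ended up on disk afterwards; by the time a file has been written through a "../" name or an escaping symlink the damage the CVE text describes has already happened. Note that Python's own `tarfile.extractall` and `zipfile.extract` apply some of this sanitisation only at extraction time, so a tool that reads member names and writes files itself (as an editor plugin does) needs its own check.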