Vim Zip Plugin Data Loss Vulnerability

A vulnerability in Vim's zip.vim plugin, present in versions prior to 9.1.1198, can lead to potential data loss when handling specially crafted zip files. The issue arises because Vim uses the unzip command to extract files from zip archives. If a zip file contains a member named '-d/tmp', Vim will misinterpret this as an argument, causing it to extract the entire archive into the specified directory, overwriting existing files. This vulnerability requires user interaction, as the user must open the zip file in Vim and manually extract the file with the misleading name.

Impact

Exploitation of this vulnerability could result in unintended overwriting of files, leading to data loss.

Reproduction

To reproduce this vulnerability, create a zip file containing a file named '-d/tmp'. Open this zip file in Vim using the zip.vim plugin. When prompted to extract the file, Vim will incorrectly process the filename as an argument, causing it to extract the entire archive into the specified directory, overwriting any existing files.

Remediation

Users can update to Vim version 9.1.1198 or later, where this vulnerability has been fixed.