Vim Zip Plugin Path Traversal Vulnerability Allowing Arbitrary File Overwrite

A path traversal vulnerability has been identified in Vim's zip.vim plugin, affecting versions prior to 9.1.1551. This issue allows overwriting of arbitrary files when opening specially crafted zip archives. The vulnerability requires direct user interaction, as the user must edit a file from the archive using Vim, which could lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process. Successful exploitation could also allow execution of arbitrary commands on the underlying operating system.

Impact

Exploitation of this vulnerability could result in overwriting important files or executing arbitrary commands on the system, especially if the overwritten files are sensitive or if executable code is placed in a privileged location.

Reproduction

To reproduce this vulnerability, create a zip archive containing files with relative paths that traverse directories (e.g., ../../filename) and include a file named 'file' with the content 'pwned'. When this archive is opened in Vim, the path traversal can be exploited by editing the file and saving it, which will overwrite a file on the system, such as one in the /etc directory, depending on the user's permissions.

Remediation

Users can update to Vim version 9.1.1551 or later, where this vulnerability has been patched.