Vim Command Injection Vulnerability in tar Plugin Prior to 9.2.0479

Vulnerability

A command injection vulnerability has been identified in Vim versions prior to 9.2.0479, specifically in the tar plugin's 'Vimuntar' function. It occurs when decompressing .tgz archives on Unix-like systems. The function builds the shell commands for 'gunzip' and 'gzip -d' with 'shellescape' but without the optional flag that also escapes Vim's own command-line special characters. As a result, a maliciously crafted archive filename can exploit Vim's handling of those special characters on the command line, leading to the execution of arbitrary shell commands in the user's context.

Impact

Exploitation of this vulnerability allows for arbitrary shell command execution with the privileges of the user running Vim. However, successful exploitation requires user interaction to invoke the 'Vimuntar' command on a suspiciously named file, which limits the practical risk.

Reproduction

To reproduce this vulnerability, create a .tgz archive whose filename includes both a single quote and Vim command-line special characters. Open the archive in Vim on a Unix-like system with the tar plugin enabled and invoke the 'Vimuntar' command; the crafted filename triggers the command injection through the improper handling of special characters in the archive name.

Remediation

Users can upgrade to Vim version 9.2.0479 or later to address this vulnerability.
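The quoting difference behind the fix, shown as an added illustration rather than the tar plugin's own source: 'shellescape' with a non-zero second argument also backslash-escapes the items Vim expands on a ':!' command line ('!', '%', '#' and the '<cword>'-style items), which the one-argument form leaves untouched. The function names and the sample filename below are assumptions, not taken from tar.vim.

```vim
" Added example, not code from Vim's tar.vim: two ways of quoting an
" archive name before handing it to :! on a Unix-like system.

" Weak: shellescape() with no {special} argument only wraps the name in
" single quotes (doubling embedded quotes). Vim's :! expansion still runs
" over the resulting command line before the shell sees it, so '!', '%'
" and '#' in the name are rewritten by Vim itself, and a single quote in
" the name is what lets the rewritten text leave the quoted region.
function! s:GunzipCmdWeak(fname) abort
  return '!gunzip ' . shellescape(a:fname)
endfunction

" Hardened: a non-zero {special} makes shellescape() also backslash-escape
" the characters that :! would otherwise expand. :! removes the backslash
" again, so the shell receives the name literally, inside single quotes.
function! s:GunzipCmdHardened(fname) abort
  return '!gunzip ' . shellescape(a:fname, 1)
endfunction

" Constructed sample name (an assumption, not from the advisory) that
" contains one character :! treats specially. The weak form leaves the
" '%' for Vim to expand; the hardened form escapes it.
let s:sample = 'archive%.tgz'
echo s:GunzipCmdWeak(s:sample)
echo s:GunzipCmdHardened(s:sample)
```

Sourcing the file with ':source' prints both command lines; only the hardened one can be passed to ':execute' safely for arbitrary archive names.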

Added: May 15, 2026, 3:21 PM
Updated: May 15, 2026, 3:21 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 10.0
exploitability: 4.8
remediation: 7.7
relevance: 8.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.