fix CVE-2025-29768

backport-CVE-2025-29768.patch

@@ -0,0 +1,44 @@
+From f209dcd3defb95bae21b2740910e6aa7bb940531 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 12 Mar 2025 22:04:01 +0100
+Subject: [PATCH] patch 9.1.1198: [security]: potential data loss with zip.vim
+
+Problem:  [security]: potential data loss with zip.vim and special
+          crafted zip files (RyotaK)
+Solution: use glob '[-]' to protect filenames starting with '-'
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index 4a53fc5f28656..dae4ddeb9921e 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -8,6 +8,7 @@
+ " 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted
+ " 2024 Aug 05 by Vim Project: workaround for the FreeBSD's unzip
+ " 2024 Aug 18 by Vim Project: correctly handle special globbing chars
++" 2025 Mar 11 by Vim Project: handle filenames with leading '-' correctly
+ " License:	Vim License  (see vim's :help license)
+ " Copyright:    Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ "               Permission is hereby granted to use and distribute this code,
+@@ -414,6 +415,11 @@ fun! zip#Extract()
+     return
+    endif
+    let target = fname->substitute('\[', '[[]', 'g')
++   " unzip 6.0 does not support -- to denote end-of-arguments
++   " unzip 6.1 (2010) apparently supports, it, but hasn't been released
++   " so the workaround is to use glob '[-]' so that it won't be considered an argument
++   " else, it would be possible to use 'unzip -o <file.zip> '-d/tmp' to extract the whole archive
++   let target = target->substitute('^-', '[&]', '')
+    if &shell =~ 'cmd' && (has("win32") || has("win64"))
+      let target = target
+  		\ ->substitute('[?*]', '[&]', 'g')
+-- 
+2.43.0
+

backport-runtime-Fix-for-FreeBSD-unzip-command.patch

@@ -0,0 +1,63 @@
+From f0e9b72c8fdd47b9b410a11edf7479953cb2aed9 Mon Sep 17 00:00:00 2001
+From: Damien <141588647+xrandomname@users.noreply.github.com>
+Date: Mon, 5 Aug 2024 20:21:18 +0200
+Subject: [PATCH] runtime(zip): Fix for FreeBSD's unzip command
+
+Problem:  Cannot browse zipfiles with the unzip program found
+	  on FreeBSD.
+Solution: Adjust command arguments.
+
+Unzip found on FreeBSD complain about missing argument with the
+zipinfo modifier '-Z -1'. Joining arguments seems to work
+for both implementations.
+
+Also change `:sil!` to `:sil` so that error messages are properly
+reported (per review of Christian Brabandt).
+
+related: #15411
+
+Signed-off-by: Damien <141588647+xrandomname@users.noreply.github.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index e8973e3c80cc8a..8876ef08e60500 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -1,11 +1,12 @@
+ " zip.vim: Handles browsing zipfiles
+ "            AUTOLOAD PORTION
+-" Date:		Jul 23, 2024
++" Date:		Aug 05, 2024
+ " Version:	33
+ " Maintainer:	Charles E Campbell <NcampObell@SdrPchip.AorgM-NOSPAM>
+ " Last Change:
+ " 2024 Jul 23 by Vim Project: fix 'x' command
+ " 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted
++" 2024 Aug 05 by Vim Project: workaround for the FreeBSD's unzip
+ " License:	Vim License  (see vim's :help license)
+ " Copyright:    Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ "               Permission is hereby granted to use and distribute this code,
+@@ -138,7 +139,7 @@ fun! zip#Browse(zipfile)
+   keepj $
+ 
+ "  call Decho("exe silent r! ".g:zip_unzipcmd." -l -- ".s:Escape(a:zipfile,1))
+-  exe "keepj sil! r! ".g:zip_unzipcmd." -Z -1 -- ".s:Escape(a:zipfile,1)
++  exe $"keepj sil r! {g:zip_unzipcmd} -Z1 -- {s:Escape(a:zipfile, 1)}"
+   if v:shell_error != 0
+    redraw!
+    echohl WarningMsg | echo "***warning*** (zip#Browse) ".fnameescape(a:zipfile)." is not a zip file" | echohl None
+@@ -246,7 +247,7 @@ fun! zip#Read(fname,mode)
+   let temp = tempname()
+ "  call Decho("using temp file<".temp.">")
+   let fn   = expand('%:p')
+-  exe "sil! !".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fnameescape(fname),1).' > '.temp
++  exe "sil !".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fname,1).' > '.temp
+ "  call Decho("exe sil! !".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fnameescape(fname),1).' > '.temp)
+   sil exe 'keepalt file '.temp
+   sil keepj e!
+-- 
+2.43.0
+

backport-runtime-correctly-extract-file-from-zip-browser.patch

@@ -0,0 +1,45 @@
+From 38ce71c1c323716cc4b130dbb3e8837a8b9a710b Mon Sep 17 00:00:00 2001
+From: Damien <141588647+xrandomname@users.noreply.github.com>
+Date: Tue, 23 Jul 2024 19:56:54 +0200
+Subject: [PATCH] runtime(zip): correctly extract file from zip browser
+
+Problem:  Enter 'x' in zip browser fail with E121
+Solution: Fix typo in zip#Extract()
+
+closes: #15321
+
+Signed-off-by: Damien <141588647+xrandomname@users.noreply.github.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index d0e706e83ac24..34bcad3368d13 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -1,8 +1,10 @@
+ " zip.vim: Handles browsing zipfiles
+ "            AUTOLOAD PORTION
+-" Date:		Mar 12, 2023
++" Date:		Jul 23, 2024
+ " Version:	33
+ " Maintainer:	Charles E Campbell <NcampObell@SdrPchip.AorgM-NOSPAM>
++" Last Change:
++" 2024 Jul 23 by Vim Project: fix 'x' command
+ " License:	Vim License  (see vim's :help license)
+ " Copyright:    Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ "               Permission is hereby granted to use and distribute this code,
+@@ -401,8 +403,7 @@ fun! zip#Extract()
+   endif
+ 
+   " extract the file mentioned under the cursor
+-"  call Decho("system(".g:zip_extractcmd." ".shellescape(b:zipfile)." ".shellescape(shell).")")
+-  call system(g:zip_extractcmd." ".shellescape(b:zipfile)." ".shellescape(shell))
++  call system($"{g:zip_extractcmd} {shellescape(b:zipfile)} {shellescape(fname)}")
+ "  call Decho("zipfile<".b:zipfile.">")
+   if v:shell_error != 0
+    echohl Error | echo "***error*** ".g:zip_extractcmd." ".b:zipfile." ".fname.": failed!" | echohl NONE
+-- 
+2.43.0
+

backport-runtime-escape-on-Unix-as-well.patch

@@ -0,0 +1,57 @@
+From c5bdd66558b14f04424a22d9714a9b7d0c277dac Mon Sep 17 00:00:00 2001
+From: zeertzjq <zeertzjq@outlook.com>
+Date: Sun, 4 Aug 2024 18:35:50 +0200
+Subject: [PATCH] runtime(zip): escape '[' on Unix as well
+
+Problem:  After 6f1cbfc9ab483a09877e153ad130164875c40b1d fnameescape()
+          is no longer called on the name of the file to be extracted.
+          However, while spaces indeed don't need to be escaped, unzip
+          treats '[' as a wildcard character, so it need to be escaped.
+Solution: Escape '[' on both MS-Windows and Unix.
+
+From the docs it seems '*' and '?' also need escaping, but they seem to
+actually work without escaping.
+
+fixes: neovim/neovim#29977
+closes: #15427
+
+Signed-off-by: zeertzjq <zeertzjq@outlook.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index f77d729f036557..e8973e3c80cc8a 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -5,6 +5,7 @@
+ " Maintainer:	Charles E Campbell <NcampObell@SdrPchip.AorgM-NOSPAM>
+ " Last Change:
+ " 2024 Jul 23 by Vim Project: fix 'x' command
++" 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted
+ " License:	Vim License  (see vim's :help license)
+ " Copyright:    Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ "               Permission is hereby granted to use and distribute this code,
+@@ -225,8 +226,8 @@ fun! zip#Read(fname,mode)
+   else
+    let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','')
+-   let fname   = substitute(fname, '[', '[[]', 'g')
+   endif
++  let fname   = substitute(fname, '[', '[[]', 'g')
+ "  call Decho("zipfile<".zipfile.">")
+ "  call Decho("fname  <".fname.">")
+   " sanity check
+@@ -240,7 +241,7 @@ fun! zip#Read(fname,mode)
+   endif
+ 
+   " the following code does much the same thing as
+-  "   exe "keepj sil! r! ".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fnameescape(fname),1)
++  "   exe "keepj sil! r! ".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fname,1)
+   " but allows zipfile://... entries in quickfix lists
+   let temp = tempname()
+ "  call Decho("using temp file<".temp.">")
+-- 
+2.43.0
+

backport-runtime-zip-plugin-has-problems-with-special.patch

@@ -0,0 +1,100 @@
+From 7790ea0c680a9f951a86066e5940ec16b2333c9a Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 20 Aug 2024 22:41:52 +0200
+Subject: [PATCH] patch 9.1.0686: zip-plugin has problems with special
+ characters
+
+Problem:  zip-plugin has problems with special characters
+          (user202729)
+Solution: escape '*?[\' on Unix and handle those chars
+          a bit differently on MS-Windows, add a test, check
+          before overwriting files
+
+runtime(zip): small fixes for zip plugin
+
+This does the following:
+- verify the unzip plugin is executable when loading the autoload plugin
+- handle extracting file names with '[*?\' in its name correctly by
+  escaping those characters for the unzip command (and handle those
+  characters a bit differently on MS-Windows, since the quoting is different)
+- verify, that the extract plugin is not overwriting a file (could cause
+  a hang, because unzip asking for confirmation)
+- add a test zip file which contains those special file names
+
+fixes: #15505
+closes: #15519
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/zip.vim | 27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
+index 31fb32779f86d8..a7a7e579a2f319 100644
+--- a/runtime/autoload/zip.vim
++++ b/runtime/autoload/zip.vim
+@@ -1,12 +1,13 @@
+ " zip.vim: Handles browsing zipfiles
+ "            AUTOLOAD PORTION
+-" Date:		Aug 05, 2024
++" Date:		Aug 18, 2024
+ " Version:	33
+ " Maintainer:	Charles E Campbell <NcampObell@SdrPchip.AorgM-NOSPAM>
+ " Last Change:
+ " 2024 Jul 23 by Vim Project: fix 'x' command
+ " 2024 Aug 04 by Vim Project: escape '[' in name of file to be extracted
+ " 2024 Aug 05 by Vim Project: workaround for the FreeBSD's unzip
++" 2024 Aug 18 by Vim Project: correctly handle special globbing chars
+ " License:	Vim License  (see vim's :help license)
+ " Copyright:    Copyright (C) 2005-2019 Charles E. Campbell {{{1
+ "               Permission is hereby granted to use and distribute this code,
+@@ -61,6 +62,11 @@ if !exists("g:zip_extractcmd")
+  let g:zip_extractcmd= g:zip_unzipcmd
+ endif
+ 
++" sanity checks
++ if !executable(g:zip_unzipcmd)
++  echohl Error | echo "***error*** (zip#Browse) unzip not available on your system" | echohl None
++  finish
++ endif
+ if !dist#vim#IsSafeExecutable('zip', g:zip_unzipcmd)
+  echoerr "Warning: NOT executing " .. g:zip_unzipcmd .. " from current directory!"
+  finish
+@@ -228,7 +234,7 @@ fun! zip#Read(fname,mode)
+    let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','')
+   endif
+-  let fname   = substitute(fname, '[', '[[]', 'g')
++  let fname    = fname->substitute('[', '[[]', 'g')->escape('?*\\')
+ "  call Decho("zipfile<".zipfile.">")
+ "  call Decho("fname  <".fname.">")
+   " sanity check
+@@ -403,9 +409,24 @@ fun! zip#Extract()
+ "   call Dret("zip#Extract")
+    return
+   endif
++  if filereadable(fname)
++    echohl Error | echo "***error*** (zip#Extract) <".fname."> already exists in directory, not overwriting!" | echohl None
++    return
++   endif
++   let target = fname->substitute('\[', '[[]', 'g')
++   if &shell =~ 'cmd' && (has("win32") || has("win64"))
++     let target = target
++ 		\ ->substitute('[?*]', '[&]', 'g')
++ 		\ ->substitute('[\\]', '?', 'g')
++ 		\ ->shellescape()
++     " there cannot be a file name with '\' in its name, unzip replaces it by _
++     let fname = fname->substitute('[\\?*]', '_', 'g')
++   else
++     let target = target->escape('*?\\')->shellescape()
++   endif
+ 
+   " extract the file mentioned under the cursor
+-  call system($"{g:zip_extractcmd} {shellescape(b:zipfile)} {shellescape(fname)}")
++  call system($"{g:zip_extractcmd} -o {shellescape(b:zipfile)} {target}")
+ "  call Decho("zipfile<".b:zipfile.">")
+   if v:shell_error != 0
+    echohl Error | echo "***error*** ".g:zip_extractcmd." ".b:zipfile." ".fname.": failed!" | echohl NONE
+-- 
+2.43.0
+

vim.spec

@@ -14,7 +14,7 @@
 Name:           vim
 Epoch:          2
 Version:        %{baseversion}.%{patchlevel}
-Release:        17
+Release:        18
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -58,6 +58,11 @@ Patch6023:      backport-CVE-2025-22134.patch
 Patch6024:      backport-CVE-2025-24014.patch
 Patch6025:      backport-CVE-2025-1215.patch
 Patch6026:      backport-CVE-2025-26603.patch
+Patch6027:      backport-runtime-correctly-extract-file-from-zip-browser.patch
+Patch6028:      backport-runtime-escape-on-Unix-as-well.patch
+Patch6029:      backport-runtime-Fix-for-FreeBSD-unzip-command.patch
+Patch6030:      backport-runtime-zip-plugin-has-problems-with-special.patch
+Patch6031:      backport-CVE-2025-29768.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      fix-CVE-2024-47814.patch
@@ -466,6 +471,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 
 %changelog
+* Tue Mar 18 2025 wangjiang <app@cameyan.com> - 2:9.0.2092-18
+- Type:CVE
+- ID:CVE-2025-29768
+- SUG:NA
+- DESC:fix CVE-2025-29768
+
 * Tue Feb 18 2025 wangjiang <app@cameyan.com> - 2:9.0.2092-17
 - Type:CVE
 - ID:CVE-2025-1215 CVE-2025-26603