• Bug#1109374: vim: CVE-2025-53905 CVE-2025-53906

    From Moritz Mühlenhoff@21:1/5 to All on Wed Jul 16 11:20:01 2025
    Package: vim
    X-Debbugs-CC: [email protected]
    Severity: important
    Tags: security

    Hi,

    The following vulnerabilities were published for vim.

    CVE-2025-53905[0]:
    | Vim is an open source, command line text editor. Prior to version
    | 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow
    | overwriting of arbitrary files when opening specially crafted tar
    | archives. Impact is low because this exploit requires direct user
    | interaction. However, successful exploitation can lead to
    | overwriting sensitive files or placing executable code in privileged
    | locations, depending on the permissions of the process editing the
    | archive. The victim must edit such a file using Vim which will
    | reveal the filename and the file content, a careful user may suspect
    | some strange things going on. Successful exploitation could result
    | in the ability to execute arbitrary commands on the underlying
    | operating system. Version 9.1.1552 contains a patch for the
    | vulnerability.

    https://www.openwall.com/lists/oss-security/2025/07/15/1


    CVE-2025-53906[1]:
    | Vim is an open source, command line text editor. Prior to version
    | 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow
    | overwriting of arbitrary files when opening specially crafted zip
    | archives. Impact is low because this exploit requires direct user
    | interaction. However, successful exploitation can lead to
    | overwriting sensitive files or placing executable code in privileged
    | locations, depending on the permissions of the process editing the
    | archive. The victim must edit such a file using Vim which will
    | reveal the filename and the file content, a careful user may suspect
    | some strange things going on. Successful exploitation could result
    | in the ability to execute arbitrary commands on the underlying
    | operating system. Version 9.1.1551 contains a patch for the
    | vulnerability.

    https://www.openwall.com/lists/oss-security/2025/07/15/2


    If you fix the vulnerabilities please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-53905
    https://www.cve.org/CVERecord?id=CVE-2025-53905
    [1] https://security-tracker.debian.org/tracker/CVE-2025-53906
    https://www.cve.org/CVERecord?id=CVE-2025-53906

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
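Both CVEs above describe the same class of bug: an archive plugin takes member names from the archive as-is and writes them relative to an extraction directory, so a member named `../../../home/victim/.bashrc` or `/etc/cron.d/evil` lands outside that directory. The script below is an added illustration, not code from Vim, from the tar.vim or zip.vim plugins, or from the upstream fix. It builds two small constructed archives in memory (one tar, one zip), each with a benign member and one or more traversal members, and runs the check a safe extractor has to make before touching the filesystem: resolve the member name against the extraction directory and refuse anything that does not stay inside it. The base directory `/tmp/extract` and the member names are assumptions chosen for the example; nothing is written to disk.

```python
#!/usr/bin/env python3
"""Flag tar/zip members whose names would escape the extraction directory.

Added example for CVE-2025-53905 / CVE-2025-53906 (path traversal in Vim's
tar.vim and zip.vim plugins). Not Vim code; the archives are constructed
inline so the script runs offline and writes nothing to disk.
"""
import io
import posixpath
import tarfile
import zipfile

# Hypothetical extraction directory; any absolute POSIX path works.
BASE_DIR = "/tmp/extract"


def is_path_traversal(member_name: str, base_dir: str = BASE_DIR) -> bool:
    """Return True if joining member_name to base_dir would leave base_dir.

    Backslashes are treated as separators because zip archives written on
    Windows may use them; a leading '/' is rejected outright; otherwise the
    joined path is normalised (collapsing '..') and compared to base_dir.
    """
    name = member_name.replace("\\", "/")
    if name.startswith("/"):
        return True
    target = posixpath.normpath(posixpath.join(base_dir, name))
    return not (target == base_dir or target.startswith(base_dir + "/"))


def build_sample_tar() -> bytes:
    """Constructed tar archive: one benign member, one traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [
            ("notes/readme.txt", b"benign content\n"),
            ("../../../home/victim/.bashrc", b"echo pwned\n"),
        ]:
            info = tarfile.TarInfo(name=name)  # name is stored unsanitised
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed zip archive: benign, relative-traversal and absolute members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", b"benign content\n")
        zf.writestr("../../../home/victim/.bashrc", b"echo pwned\n")
        zf.writestr("/etc/cron.d/evil", b"* * * * * root id\n")
    return buf.getvalue()


def scan_tar(data: bytes, base_dir: str = BASE_DIR):
    """List (member_name, is_unsafe) for every member of a tar archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        return [(m.name, is_path_traversal(m.name, base_dir)) for m in tf.getmembers()]


def scan_zip(data: bytes, base_dir: str = BASE_DIR):
    """List (member_name, is_unsafe) for every member of a zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(n, is_path_traversal(n, base_dir)) for n in zf.namelist()]


def unsafe_members(findings):
    """Return only the member names that must not be extracted."""
    return [name for name, unsafe in findings if unsafe]


if __name__ == "__main__":
    for label, findings in (("tar", scan_tar(build_sample_tar())),
                            ("zip", scan_zip(build_sample_zip()))):
        for name, unsafe in findings:
            print(f"{label}: {'REJECT' if unsafe else 'ok    '} {name}")
```

The check must run on the name as stored in the archive, before any `mkdir -p`, `open()` or `cd` that a plugin performs to lay out a member; a sanitiser that only strips a leading `../` is not enough, since `a/../../b` also escapes, which is why the example normalises the full joined path and compares it to the base directory.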