Add --without-wayland for everything except the gtk3 FLAVOR. That
flavor now has a hard dep on wayland (it's already present from the
default gtk30 and libxkbcommon configurations).
This is a NOOP for everybody except gtk3 users who explicitly disabled
wayland in both gtk30 and libxkbcommon. The only effect for those
users is that wayland is now a LIB_DEP. There is no runtime effect
either way.
In the below PR, Piotr identified that vim will eagerly link against
wayland if present, even for a pure-console build.
The only toolkit that vim uses that can use wayland is gtk3, so
we now specify --without-wayland for everything else.
To complicate things, wayland support is optional in the gtk30 and
libxkbcommon ports. If either of those ports is built with wayland,
then vim has to link against libwayland-client regardless of the
relevant configure switches. So, adding a WAYLAND option for the gtk3
flavor would only work to disable wayland if it's disabled in both
gtk30 and libxkbcommon.
Instead, I'm making wayland a hard dep of the gtk3 flavor. For users
of our packages, this will be a transparent change. If your goal in
life is to never install wayland but you also want the gtk3 flavor,
PR: 289408
Reported by: Piotr Smyrak
This update changes how python plugins are handled. Previously, we
linked directly against python, requiring all vim installations to
have a dependency on python. Perhaps that's fine for flavours like
gtk20 and gtk30, but it's burdensome and often unexpected for TUI
users.
Now, we use dynamic loading of python libraries, which means that
vim should automatically support python plugins if python is
installed. If python is NOT installed, no harm/no foul, just no
python plugin support.
I'm not expecting this to cause any issues, but if it does please
reach out!
CWE for both CVEs:
Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') (CWE-22)
Security: CVE-2025-53905
Security: CVE-2025-53906
potential data loss with zip.vim and special crafted zip files
Date: 12.03.2025
Severity: Medium
CVE: CVE-2025-29768
CWE: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
Summary
potential data loss with zip.vim and special crafted zip files
Description
Vim is distributed with the zip.vim plugin, that allows easy editing and
viewing of zip archives.
To view and extract zip files, vim uses the unzip(1) command, usually
provided by Info-ZIP, latest version on Debian is 6.0 from April 2009.
If an attacker creates an archive which contains a file -d/tmp, and a Vim
user views such a file and tries to extract such filename from
the archive, Vim will essentially run the following unzip command:
unzip -o <archive.zip> member-filename
However, since the member-filename is called -d/tmp, this is seen by
the unzip command as an additional argument and it therefore happily
extracts the whole archive into the mentioned directory, overwriting existing
files because of the -o.
Unfortunately, the latest released unzip version does not support --
as an end-of-argument marker, so we cannot use this to mark the
beginning of the member-files for unzip. Well, apparently there exists
some 6.10 beta release, that hasn't made it to an official release
yet which supports the use of the -- marker since 2010 (but this isn't
widely known).
Therefore, Vim will try to work-around it by using the [-] glob when a
filename starts with a - to protect unzip from parsing the filename as
an argument, which is just an ugly work-around.
Impact
Impact is moderate because a user must be made to view such an archive
with Vim and then press 'x' to extract such a strange filename.
The Vim project would like to thank @Ry0taK (GMO Flatt Security Inc) and
@takumi-san-ai for reporting this issue.
MFH: 2025Q1
Security: GHSA-693p-m996-3rmf
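As an added illustration of the zip.vim issue above (this is example code, not from the Vim project or the FreeBSD port): it lists the members of an archive whose names unzip(1) would read as options, and it builds the unzip command line with the `[-]` glob work-around the advisory describes. The sample archive is constructed in memory; `risky_members`, `shield_member` and `build_unzip_argv` are names chosen here.

```python
import io
import zipfile


def risky_members(zip_bytes):
    """Return member names that unzip(1) would parse as options rather than
    as file names, i.e. names beginning with '-'. Nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.startswith("-")]


def shield_member(name):
    """Apply the work-around from the advisory: a leading '-' is replaced by
    the glob [-], which unzip matches against a literal '-' but no longer
    treats as an option. Other names are returned unchanged."""
    if name.startswith("-"):
        return "[-]" + name[1:]
    return name


def build_unzip_argv(archive, member, overwrite=True):
    """Build the argv zip.vim runs (unzip -o <archive> member), with the
    member name shielded so it cannot become an extra unzip argument."""
    argv = ["unzip"]
    if overwrite:
        argv.append("-o")
    argv += [archive, shield_member(member)]
    return argv


def sample_zip():
    """Constructed in-memory archive: one ordinary member and one whose name
    follows the '-d/tmp' pattern from the advisory. Nothing touches disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless\n")
        zf.writestr("-d/tmp", "")  # would be parsed by unzip as an option
    return buf.getvalue()


if __name__ == "__main__":
    data = sample_zip()
    print("members unzip would treat as options:", risky_members(data))
    print("shielded command line:", build_unzip_argv("archive.zip", "-d/tmp"))
```

Run the scanner over archives before opening them in Vim; any member name it reports should be extracted with a fixed zip.vim (or by explicit path handling) rather than by passing the raw name to unzip.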
From the Github Advisory (https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3):
Summary:
Potential code execution with tar.vim and special crafted tar
files.
Description:
Vim is distributed with the tar.vim plugin, that allows easy
editing and viewing of (compressed or uncompressed) tar files.
Since commit 129a844 (Nov 11, 2024 runtime(tar): Update tar.vim to
support permissions), the tar.vim plugin uses the ":read <filename>" ex
command line to append below the cursor position, however the <filename> is
not sanitized and is taken literally from the tar archive. This
allows executing shell commands via special crafted tar archives.
Whether this really happens, depends on the shell being used
('shell' option, which is set using $SHELL).
Impact:
Impact is high but a user must be convinced to edit such a file
using Vim which will reveal the filename, so a careful user may
suspect some strange things going on.
The Vim project would like to thank RyotaK (GMO Flatt Security Inc)
for reporting this issue.
The issue has been fixed as of Vim patch v9.1.1164.
MFH: 2025Q1
Security: GHSA-wfmf-8626-q3r3
While here:
- Add explicit --disable-libsodium [1]
- Clear PORTREVISION on xxd as it gets a bump from this update
PR: 277545
Reported by: dewayne heuristicsystems com au [1]
Rather than conflicting with xxd (which presents a dependency problem
for users who don't want to install vim), add an option to depend on
xxd. So, the vim port will no longer install xxd, but the option is
on by default so most users won't see a difference (other than the new
dependency).
PR: 274104
Reported by: corvink
On 5 August, 2023, Bram Moolenaar, the long-time maintainer and
architect of Vim, passed away. In addition to being a legendary
software engineer and open-source advocate, he was a major
philanthropist. His impact on the OSS world was immense, as was
his dedication to speaking out for those whose voices are too
often missed. The Vim project remains in good hands with the
Vim community.