libarchive-zip-perl: CVE-2018-10860: Directory traversal in Archive::Zip

Related Vulnerabilities: CVE-2018-10860  

Debian Bug report logs - #902882


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 2 Jul 2018 19:33:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions libarchive-zip-perl/1.60-1, libarchive-zip-perl/1.59-1, libarchive-zip-perl/1.39-1

Fixed in versions libarchive-zip-perl/1.39-1+deb8u1, libarchive-zip-perl/1.62-1, libarchive-zip-perl/1.59-1+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/redhotpenguin/perl-Archive-Zip/pull/33




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#902882; Package src:libarchive-zip-perl. (Mon, 02 Jul 2018 19:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 02 Jul 2018 19:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive-zip-perl: CVE-2018-10860: Directory traversal in Archive::Zip
Date: Mon, 02 Jul 2018 21:29:08 +0200
Source: libarchive-zip-perl
Version: 1.60-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/redhotpenguin/perl-Archive-Zip/pull/33

Hi,

The following vulnerability was published for libarchive-zip-perl.

CVE-2018-10860[0]:
| perl-archive-zip is vulnerable to a directory traversal in
| Archive::Zip. It was found that the Archive::Zip module did not
| properly sanitize paths while extracting zip files. An attacker able
| to provide a specially crafted archive for processing could use this
| flaw to write or overwrite arbitrary files in the context of the perl
| interpreter.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10860
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10860
[1] https://github.com/redhotpenguin/perl-Archive-Zip/pull/33

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
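The flaw described in the CVE text above is the classic "zip slip": an entry name such as `../../etc/cron.d/x` or one that descends through a symlink is written relative to the extraction directory without checking where it actually lands. The following is an added example, not code from the original report or from Archive::Zip itself, showing the kind of extraction check that the upstream fix (summarised in the Debian changelog as "prevent from traversing symlinks and parent directories when extracting") adds. It is written in Python rather than Perl so that it runs stand-alone without Archive::Zip installed; the function names, the three rejection rules and the in-memory sample archive are this example's own assumptions and are not taken from the upstream implementation.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip():
    """Constructed sample archive (not a real-world sample).

    Entries: one benign file, one absolute path, one with a '..' component,
    and one that descends through 'link', which demo() pre-creates inside
    the destination as a symlink pointing outside it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good/file.txt", "hello\n")
        zf.writestr("/abs.txt", "absolute\n")
        zf.writestr("good/../../escape.txt", "traversal\n")
        zf.writestr("link/pwned.txt", "via symlink\n")
    return buf.getvalue()


def name_parts(name):
    """Split a ZIP entry name into path components, dropping '' and '.'."""
    return [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]


def is_safe_member_name(name, dest):
    """Decide whether entry `name` may be written beneath directory `dest`.

    Rejects: absolute names (leading slash or drive letter), any '..'
    component, names whose directory prefix, as it already exists under
    dest, passes through a symlink, and names whose final target is itself
    a symlink (so a pre-existing or earlier-extracted link cannot redirect
    the write outside dest). Returns (True, "") or (False, reason).
    """
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False, "absolute path"
    parts = name_parts(name)
    if not parts:
        return False, "empty name"
    if ".." in parts:
        return False, "parent directory component"
    cur = dest
    for p in parts[:-1]:
        cur = os.path.join(cur, p)
        if os.path.islink(cur):
            return False, "symlink in path: " + os.path.relpath(cur, dest)
    if os.path.islink(os.path.join(dest, *parts)):
        return False, "target is a symlink"
    return True, ""


def safe_extract(zip_bytes, dest):
    """Extract only the entries that pass is_safe_member_name.

    Returns {entry name: "extracted" | rejection reason}.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ok, reason = is_safe_member_name(info.filename, dest)
            if not ok:
                results[info.filename] = reason
                continue
            target = os.path.join(dest, *name_parts(info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            results[info.filename] = "extracted"
    return results


def demo():
    """Run safe_extract on the sample archive in a fresh temp tree.

    dest/link is pre-created as a symlink to a sibling directory, standing in
    for a link an attacker planted earlier. Returns (results, escaped), where
    escaped is True if anything landed outside dest.
    """
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside")
        dest = os.path.join(tmp, "dest")
        os.makedirs(outside)
        os.makedirs(dest)
        os.symlink(outside, os.path.join(dest, "link"))
        results = safe_extract(build_sample_zip(), dest)
        escaped = (os.path.exists(os.path.join(tmp, "escape.txt"))
                   or os.path.exists(os.path.join(outside, "pwned.txt")))
        return results, escaped


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print("%-24s %s" % (name, verdict))
```

The symlink rule is the part most extractors forget: rejecting `..` alone is not enough when an earlier entry (or anything already present in the destination) is a link pointing elsewhere, because a later entry named `link/pwned.txt` is then written through it. Checking each existing prefix component with `islink` before opening the file closes that route; for an extractor running as a service, also extract into a fresh, empty directory so there is nothing pre-planted to traverse.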



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Fri, 06 Jul 2018 01:00:26 GMT)


Marked as found in versions libarchive-zip-perl/1.39-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 Jul 2018 20:33:04 GMT)


Marked as fixed in versions libarchive-zip-perl/1.39-1+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 Jul 2018 20:33:05 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 20 Aug 2018 07:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 20 Aug 2018 07:06:03 GMT)


Message #16 received at 902882-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 902882-close@bugs.debian.org
Subject: Bug#902882: fixed in libarchive-zip-perl 1.62-1
Date: Mon, 20 Aug 2018 07:03:56 +0000
Source: libarchive-zip-perl
Source-Version: 1.62-1

We believe that the bug you reported is fixed in the latest version of
libarchive-zip-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902882@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive-zip-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 20 Aug 2018 08:03:09 +0200
Source: libarchive-zip-perl
Binary: libarchive-zip-perl
Architecture: source
Version: 1.62-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 902882
Description: 
 libarchive-zip-perl - Perl module for manipulation of ZIP archives
Changes:
 libarchive-zip-perl (1.62-1) unstable; urgency=medium
 .
   [ Damyan Ivanov ]
   * declare conformance with Policy 4.1.3 (no changes needed)
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-* headers for switch to salsa.debian.org
   * Import upstream version 1.61 and 1.62
     + Prevent from traversing symlinks and parent directories when
       extracting (CVE-2018-10860) (Closes: #902882)
   * Bump Debhelper compat level to 10
   * Update copyright years for debian/* packaging files
   * Declare compliance with Debian policy 4.2.0
Checksums-Sha1: 
 d78bde73bb8e318fa9596825f6b51b2b5398e641 2355 libarchive-zip-perl_1.62-1.dsc
 08842c4fd86d277c01ba0e16dbe14f0bd52511ca 191576 libarchive-zip-perl_1.62.orig.tar.gz
 6ebc4645d63bd015106da86602f3debd89e331b4 8384 libarchive-zip-perl_1.62-1.debian.tar.xz
Checksums-Sha256: 
 bce56c5ba20bdda3c79b1c0183bc277f25a9bc3265c0e18600af4c57544355c5 2355 libarchive-zip-perl_1.62-1.dsc
 2bf362586744cab99ccd7831ed294885e7a0f7d4cc557fa6c9a5dac3c7095dc9 191576 libarchive-zip-perl_1.62.orig.tar.gz
 97cbb4e9393a4d23247956ff7cef55ee46787a95e9ab3aa073cd35f320b88d22 8384 libarchive-zip-perl_1.62-1.debian.tar.xz
Files: 
 619bb959945efcbed3865673f574ce78 2355 perl optional libarchive-zip-perl_1.62-1.dsc
 af9eff34f8c948656e09c2ed348a675f 191576 perl optional libarchive-zip-perl_1.62.orig.tar.gz
 992202b4b13656fdeadf8d0f3c88393d 8384 perl optional libarchive-zip-perl_1.62-1.debian.tar.xz





Marked as found in versions libarchive-zip-perl/1.59-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Sep 2018 15:27:02 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 02 Oct 2018 06:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 02 Oct 2018 06:06:03 GMT)


Message #23 received at 902882-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 902882-close@bugs.debian.org
Subject: Bug#902882: fixed in libarchive-zip-perl 1.59-1+deb9u1
Date: Tue, 02 Oct 2018 06:03:29 +0000
Source: libarchive-zip-perl
Source-Version: 1.59-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libarchive-zip-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902882@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive-zip-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 21 Sep 2018 17:17:23 +0200
Source: libarchive-zip-perl
Binary: libarchive-zip-perl
Architecture: source
Version: 1.59-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 902882
Description: 
 libarchive-zip-perl - Perl module for manipulation of ZIP archives
Changes:
 libarchive-zip-perl (1.59-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent from traversing symlinks and parent directories when extracting
     (CVE-2018-10860) (Closes: #902882)
   * Extract test files needed for t/25_traversal.t test.
     Add zip files to debian/t/data directory and add them to
     debian/source/include-binaries to include those in the debian tarball.
     Add an override for dh_auto_test to copy debian/t/data/*.zip testfiles
     to test directory prior to running the testsuite.
     Clean test files needed for t/25_traversal.t in dh_clean
Checksums-Sha1: 
 144b84e8de376b68b9c3cffe34602c227e73dab8 2384 libarchive-zip-perl_1.59-1+deb9u1.dsc
 1f229e626474dbc75547ce0f60bae25c5048bd57 192151 libarchive-zip-perl_1.59.orig.tar.gz
 34d49d40ef9e38a2a5319ba1b2f0d90103cb00fd 12308 libarchive-zip-perl_1.59-1+deb9u1.debian.tar.xz
Checksums-Sha256: 
 8fbc41d9820ea63b400b03d1a2d7ffa000828b9e3421e0f54633244a8a1146aa 2384 libarchive-zip-perl_1.59-1+deb9u1.dsc
 7a4b1b0aa43ae7231bb3212e86ab6b538725625df06e82772c3da24c8b26e75d 192151 libarchive-zip-perl_1.59.orig.tar.gz
 d99b8bcc92ce02200d563327fccbccd083d4cec07e41dc5fda63d9de9bc17118 12308 libarchive-zip-perl_1.59-1+deb9u1.debian.tar.xz
Files: 
 82b98e2dd49681fee44a125c93aa7167 2384 perl optional libarchive-zip-perl_1.59-1+deb9u1.dsc
 b649a593391573f9382cef8c08d1d5ba 192151 perl optional libarchive-zip-perl_1.59.orig.tar.gz
 b65e4f6046bdc4b73bd8f8bf3adccaeb 12308 perl optional libarchive-zip-perl_1.59-1+deb9u1.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 30 Oct 2018 07:27:42 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:45:44 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.