plexus-archiver: CVE-2018-1002200

Related Vulnerabilities: CVE-2018-1002200  

Debian Bug report logs - #900953
plexus-archiver: CVE-2018-1002200


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 7 Jun 2018 09:27:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions plexus-archiver/3.5-1, plexus-archiver/1.2-1

Fixed in versions plexus-archiver/3.6.0-1, plexus-archiver/1.2-1+deb8u1, plexus-archiver/2.2-1+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/codehaus-plexus/plexus-archiver/pull/87




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#900953; Package src:plexus-archiver. (Thu, 07 Jun 2018 09:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 07 Jun 2018 09:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: plexus-archiver: CVE-2018-1002200
Date: Thu, 07 Jun 2018 11:24:19 +0200
Source: plexus-archiver
Version: 3.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/codehaus-plexus/plexus-archiver/pull/87

Hi,

The following vulnerability was published for plexus-archiver.

CVE-2018-1002200[0]:
| arbitrary file write vulnerability / arbitrary code execution using a
| specially crafted zip file

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1002200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200
[1] https://github.com/codehaus-plexus/plexus-archiver/pull/87

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#900953. (Thu, 07 Jun 2018 10:03:11 GMT)


Message #8 received at 900953-submitter@bugs.debian.org:

From: ebourg@apache.org
To: 900953-submitter@bugs.debian.org
Subject: Bug #900953 in plexus-archiver marked as pending
Date: Thu, 07 Jun 2018 10:00:50 +0000
Control: tag -1 pending

Hello,

Bug #900953 in plexus-archiver reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/java-team/plexus-archiver/commit/35f70760eb10ddde30dbdb337546cc09e533183f

------------------------------------------------------------------------
New upstream release (3.6.0)
Fixes CVE-2018-1002200: Arbitrary file write vulnerability using a specially crafted zip file (Closes: #900953)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/900953



Added tag(s) pending. Request was from ebourg@apache.org to 900953-submitter@bugs.debian.org. (Thu, 07 Jun 2018 10:03:11 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Thu, 07 Jun 2018 10:21:16 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 07 Jun 2018 10:21:16 GMT)


Message #15 received at 900953-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 900953-close@bugs.debian.org
Subject: Bug#900953: fixed in plexus-archiver 3.6.0-1
Date: Thu, 07 Jun 2018 10:19:49 +0000
Source: plexus-archiver
Source-Version: 3.6.0-1

We believe that the bug you reported is fixed in the latest version of
plexus-archiver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900953@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated plexus-archiver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 07 Jun 2018 11:50:41 +0200
Source: plexus-archiver
Binary: libplexus-archiver-java
Architecture: source
Version: 3.6.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libplexus-archiver-java - Archiver plugin for the Plexus compiler system
Closes: 889426 900953
Changes:
 plexus-archiver (3.6.0-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2018-1002200: Arbitrary file write vulnerability using
       a specially crafted zip file (Closes: #900953)
   * Removed Damien Raude-Morvan from the uploaders (Closes: #889426)
   * Standards-Version updated to 4.1.4
   * Switch to debhelper level 11
   * Use salsa.debian.org Vcs-* URLs





Marked as found in versions plexus-archiver/1.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Jun 2018 21:09:04 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 13 Jun 2018 22:21:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 13 Jun 2018 22:21:06 GMT)


Message #22 received at 900953-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 900953-close@bugs.debian.org
Subject: Bug#900953: fixed in plexus-archiver 1.2-1+deb8u1
Date: Wed, 13 Jun 2018 22:17:33 +0000
Source: plexus-archiver
Source-Version: 1.2-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
plexus-archiver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900953@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated plexus-archiver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 10 Jun 2018 21:17:18 +0200
Source: plexus-archiver
Binary: libplexus-archiver-java
Architecture: all source
Version: 1.2-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 900953
Description: 
 libplexus-archiver-java - Archiver plugin for the Plexus compiler system
Changes:
 plexus-archiver (1.2-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fail when trying to extract outside of dest dir (CVE-2018-1002200)
     Fixes arbitrary file write vulnerability using a specially crafted zip
     file. (Closes: #900953)





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 14 Jun 2018 19:21:27 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 14 Jun 2018 19:21:27 GMT)


Message #27 received at 900953-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 900953-close@bugs.debian.org
Subject: Bug#900953: fixed in plexus-archiver 2.2-1+deb9u1
Date: Thu, 14 Jun 2018 19:17:10 +0000
Source: plexus-archiver
Source-Version: 2.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
plexus-archiver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900953@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated plexus-archiver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 10 Jun 2018 16:49:48 +0200
Source: plexus-archiver
Binary: libplexus-archiver-java
Architecture: source
Version: 2.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libplexus-archiver-java - Archiver plugin for the Plexus compiler system
Closes: 900953
Changes:
 plexus-archiver (2.2-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fail when trying to extract outside of dest dir (CVE-2018-1002200)
     Fixes arbitrary file write vulnerability using a specially crafted zip
     file. (Closes: #900953)

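The security-team changelogs for 1.2-1+deb8u1 and 2.2-1+deb9u1 describe the fix as "Fail when trying to extract outside of dest dir". The following is an added example, not plexus-archiver's own code, showing that destination-confinement check in Java against a constructed archive holding one benign entry and one `../` entry; the class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added example, not plexus-archiver code: confine every zip entry to the destination directory. */
public class SafeUnzip {
    /** Resolve an entry name under destDir and refuse any target that escapes it. */
    static Path resolveInside(Path destDir, String entryName) throws IOException {
        Path dest = destDir.toAbsolutePath().normalize();
        // normalize() collapses "." and ".." segments, so "../../x" no longer carries dest's prefix.
        Path target = dest.resolve(entryName).normalize();
        // startsWith compares whole path components: "/tmp/dest2" does not pass for dest "/tmp/dest".
        if (!target.startsWith(dest)) throw new IOException("entry resolves outside of dest dir: " + entryName);
        return target;
    }
    /** Extract zipBytes into destDir, failing on the first entry that would escape it. */
    static List<Path> extract(byte[] zipBytes, Path destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                Path target = resolveInside(destDir, e.getName()); // checked before any write
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(zin, target); // ZipInputStream reports end-of-stream at the entry boundary
                written.add(target);
            }
        }
        return written;
    }
    /** Constructed test archive (not a real-world sample): entries are written with a one-byte body. */
    static byte[] craftedZip(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            for (String n : names) { zout.putNextEntry(new ZipEntry(n)); zout.write(new byte[] {'x'}); zout.closeEntry(); }
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("unzip-demo");
        // "docs/readme.txt" is extracted; "../../escaped.txt" is rejected before anything is written for it.
        try { extract(craftedZip("docs/readme.txt", "../../escaped.txt"), dest); }
        catch (IOException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

Because the check runs per entry, earlier benign entries are already on disk when a later entry is rejected; a stricter extractor validates every entry name before writing the first file.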




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jul 2018 07:29:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:00:21 2019; Machine Name: buxtehude
