[Bugs] [Bug 13570] New: [CVE 21] plexus-archiver 4.1.0 CVEs found

bugzilla bugzilla на rosalinux.ru
Ср Авг 23 23:22:41 MSK 2023 

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13570

          Platform: 2021.1
            Bug ID: 13570
           Summary: [CVE 21] plexus-archiver 4.1.0  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2023-37460,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
                    y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package plexus-archiver version 4.1.0

INFO (CVEs are): plexus-archiver 4.1.0
 cves found
CVE-2023-37460
Desc: Plexis Archiver is a collection of Plexus components to create archives
or extract archives to a directory with a unified `Archiver`/`UnArchiver` API.
Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive
might lead to an arbitrary file creation and possibly remote code execution.
When extracting an archive with an entry that already exists in the destination
directory as a symbolic link whose target does not exist - the `resolveFile()`
function will return the symlink's source instead of its target, which will
pass the verification that ensures the file will not be extracted outside of
the destination directory. Later `Files.newOutputStream()`, that follows
symlinks by default,  will actually write the entry's content to the symlink's
target. Whoever uses plexus archiver to extract an untrusted archive is
vulnerable to an arbitrary file creation and possibly remote code execution.
Version 4.8.0 contains a patch for this issue.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-37460
Severity: CRITICAL

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/307bf905/attachment.html>

Подробная информация о списке рассылки Bugs