Opened 6 years ago
Closed 6 years ago
#11036 closed enhancement (fixed)
Archive-Zip-1.62 (vulnerability fix)
| Reported by: | Owned by: | Bruce Dubbs | |
|---|---|---|---|
| Priority: | high | Milestone: | 8.3 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
1.62 Sun 19 Aug 2018
- Add link-samename.zip to MANIFEST
1.61 Sat 18 Aug 2018
- File::Find will not untaint [github/ThisUsedToBeAnEmail]
- Prevent from traversing symlinks and parent directories when extracting [github/ppisar]
The latter item is CVE-2018-10860 : perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter.
Change History (4)
comment:1 by , 6 years ago
comment:2 by , 6 years ago
Yes, I tagged all perl modules at once. However I think this can be updated now. I jsut updated it. Perl scripts only need a version number and md5sum to update. I'll go ahead and do it.
comment:3 by , 6 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
Note:
See TracTickets
for help on using tickets.
Note that the old (1.60) version has already been tagged.