Opened 3 years ago

Closed 3 years ago

#11036 closed enhancement (fixed)

Archive-Zip-1.62 (vulnerability fix)

Reported by: ken@… Owned by: Bruce Dubbs
Priority: high Milestone: 8.3
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

1.62 Sun 19 Aug 2018

  • Add link-samename.zip to MANIFEST

1.61 Sat 18 Aug 2018

  • File::Find will not untaint [github/ThisUsedToBeAnEmail]
  • Prevent from traversing symlinks and parent directories when extracting [github/ppisar]

The latter item is CVE-2018-10860 : perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter.

Change History (4)

comment:1 by ken@…, 3 years ago

Note that the old (1.60) version has already been tagged.

comment:2 by Bruce Dubbs, 3 years ago

Yes, I tagged all perl modules at once. However I think this can be updated now. I jsut updated it. Perl scripts only need a version number and md5sum to update. I'll go ahead and do it.

Last edited 3 years ago by Bruce Dubbs (previous) (diff)

comment:3 by Bruce Dubbs, 3 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:4 by Bruce Dubbs, 3 years ago

Resolution: fixed
Status: assignedclosed

Fixed at revision 20345.

Note: See TracTickets for help on using tickets.