Bug 1591449 (CVE-2018-10860)

Summary: CVE-2018-10860 perl-Archive-Zip: Directory traversal in Archive::Zip
Product: [Other] Security Response
Reporter: Cedric Buissart <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alexl, caillon+fedoraproject, hhorak, john.j5live, jorton, jplesnik, kasal, perl-devel, perl-maint-list, ppisar, psabata, rhughes, rstrode, sandmann, security-response-team, steve
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: perl-Archive-Zip 1.61
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-01 02:17:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1596131, 1596132, 1596133, 1596134, 1596135
Bug Blocks: 1588762

Description Cedric Buissart 2018-06-14 18:19:34 UTC
Archive::Zip does not protect against symlinks or '..' path traversals. Attacks similar to CVE-2007-4829 or CVE-2018-12015 also affect Archive::Zip.
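A caller-side check for the two member-name problems named in the description ('..' components and symlinks, plus absolute paths), added here as an example that is not code from Archive::Zip or from the upstream fix. It assumes only the public Archive::Zip API (new, addString, members, fileName, isSymbolicLink) and builds a constructed archive in memory rather than reading one from disk.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Zip qw( :ERROR_CODES );

# Decide whether a zip member may be extracted beneath a chosen
# destination directory. Returns (1, undef) when the name is safe and
# (0, $reason) when the member should be skipped. Rejecting every '..'
# component is deliberately conservative: 'a/../b' is refused too.
sub member_is_safe {
    my ($member) = @_;
    my $name = $member->fileName;

    return (0, 'symbolic link') if $member->isSymbolicLink;
    return (0, 'absolute path')
        if $name =~ m{^[/\\]} || $name =~ m{^[A-Za-z]:};
    for my $part (split m{[/\\]+}, $name) {
        return (0, "'..' component") if $part eq '..';
    }
    return (1, undef);
}

# Constructed sample archive: one ordinary member and two that would
# land outside the extraction directory on an unpatched Archive::Zip.
my $zip = Archive::Zip->new();
$zip->addString('harmless', 'docs/readme.txt');
$zip->addString('escapes',  '../../outside.txt');
$zip->addString('escapes',  '/tmp/absolute.txt');

# Vet every member before any extractMember/extractTree call; in a real
# program the safe members would then be passed to extractMember with a
# destination path joined under the target directory.
for my $m ($zip->members) {
    my ($ok, $why) = member_is_safe($m);
    printf "%-22s %s\n", $m->fileName, $ok ? 'extract' : "skip ($why)";
}
```

Archive::Zip 1.61 performs its own check inside extractMember; the caller-side vetting above lets an application refuse such archives outright and log the offending member instead of relying solely on the library version installed.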

Comment 1 Petr Pisar 2018-06-15 06:10:51 UTC
Archive::Zip has never been part of upstream Perl release:

$ corelist Archive::Zip

Data for 2018-04-14
Archive::Zip was not in CORE (or so I think)

It's an independent project <https://metacpan.org/release/Archive-Zip>.

Comment 2 Cedric Buissart 2018-06-15 10:10:20 UTC
Note: summary edited for clarification.

Comment 4 Cedric Buissart 2018-06-20 13:09:21 UTC
Acknowledgments:

Name: Doran Moppert (Red Hat)

Comment 7 Cedric Buissart 2018-06-28 09:56:47 UTC
Created perl-Archive-Zip tracking bugs for this issue:

Affects: fedora-all [bug 1596132]

Comment 10 Cedric Buissart 2018-06-29 11:55:02 UTC
Upstream fix:
https://github.com/redhotpenguin/perl-Archive-Zip/commit/95e1df86327

Comment 11 Fedora Update System 2018-07-19 17:47:29 UTC
perl-Archive-Zip-1.59-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2018-07-19 18:05:27 UTC
perl-Archive-Zip-1.60-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.