Archive::Zip does not protect against symlinks or '..' path traversals. Attacks similar to CVE-2007-4829 or CVE-2018-12015 also affect Archive::Zip.
Archive::Zip has never been part of upstream Perl release: $ corelist Archive::Zip Data for 2018-04-14 Archive::Zip was not in CORE (or so I think) It's an independent project <https://metacpan.org/release/Archive-Zip>.
Note: summary edited for clarification.
Acknowledgments: Name: Doran Moppert (Red Hat)
Created perl-Archive-Zip tracking bugs for this issue: Affects: fedora-all [bug 1596132]
Upstream fix: https://github.com/redhotpenguin/perl-Archive-Zip/commit/95e1df86327
perl-Archive-Zip-1.59-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
perl-Archive-Zip-1.60-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.