Bug 23174

Fedora has issued advisories for this today:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GZQQJQ2AQA6TR7BYV4DBSHZ3DE7ADWM3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I7XAAUCTHL2PDJHW5Q2IYATOAXX4AFFU/

Status comment: (none) => Patch available from Fedora

Fixed in plexus-archiver-3.5-2.mga7 in Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Advisory:
========================

Updated plexus-archiver packages fix security vulnerability:

A path traversal vulnerability has been discovered in plexus-archiver when
extracting a carefully crafted zip file which holds path traversal file names.
A remote attacker could use this vulnerability to write files outside the
target directory and overwrite existing files with malicious code or vulnerable
configurations (CVE-2018-1002200).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I7XAAUCTHL2PDJHW5Q2IYATOAXX4AFFU/
========================

Updated packages in core/updates_testing:
========================
plexus-archiver-3.4-1.1.mga6
plexus-archiver-javadoc-3.4-1.1.mga6

from plexus-archiver-3.4-1.1.mga6.src.rpm

Assignee: java => qa-bugs

Mageia 6, x86_64

Could find no man pages or system menu entry for plexus-archiver.
API documentation at file:///usr/share/javadoc/plexus-archiver/help-doc.html

Information on the Zip Slip vulnerability at https://github.com/snyk/zip-slip-vulnerability

Before update:

urpmq --whatrequires-recursive turned up some applications needing plexus-archiver.
Installed curator along with 106 other packages including several plexus modules.  No man page or entry in the menus.  More java stuff by the looks of it.
Stumbled around looking for some way to use curator.
Tried this against local qa directory:
$ jar c /usr/share/java/curator/curator-client.jar qa > qa.plexus
qa/.#report.plexus : no such file or directory
qa/perl-Archive-Tar/moo : no such file or directory
qa/gd/demos : no such file or directory
qa/ruby/.#report.22844 : no such file or directory
qa/libc.so.6 : no such file or directory
qa/glibc/libc.so.6 : no such file or directory
qa/zend/Zend/library/Zend : no such file or directory

Not all of those messages make sense but something is being built, 2 gigabytes so far.
$ ll qa.plexus
-rw-r--r-- 1 lcl lcl 2115689925 Jan  2 17:10 qa.plexus
$ du -hs qa
6.0G	qa
Final count:
$ ll qa.plexus
-rw-r--r-- 1 lcl lcl 4045550189 Jan  2 17:17 qa.plexus
$ file qa.plexus
qa.plexus: Java archive data (JAR)

Shall try to read the "archive" after updating.

CC: (none) => tarazed25

Updated the packages and tried
$ jar tf qa.plexus | wc -l
20117
$ jar tf qa.plexus | head
META-INF/
META-INF/MANIFEST.MF
usr/share/java/curator/curator-client.jar
qa/
qa/LOtest.ps
qa/mgaonline/
qa/mgaonline/applet
qa/crypt/
qa/openjfx/
qa/openjfx/report.23349

That shows that the original command entirely missed the point, so I am giving up on this.

$ java -jar /usr/share/java/curator/curator-client.jar
no main manifest attribute, in /usr/share/java/curator/curator-client.jar

Just a clean update will do.

OK - you've got it.

Whiteboard: (none) => MGA6-64-OK

Well then, the only thing left to do is to validate. I can handle that.

Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0005.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED