Red Hat has issued an advisory today (June 12): https://access.redhat.com/errata/RHSA-2018:1836 The issue is fixed upstream in 3.6.0. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Fedora has issued advisories for this today: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GZQQJQ2AQA6TR7BYV4DBSHZ3DE7ADWM3/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I7XAAUCTHL2PDJHW5Q2IYATOAXX4AFFU/
Status comment: (none) => Patch available from Fedora
Fixed in plexus-archiver-3.5-2.mga7 in Cauldron.
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Advisory:
========================

Updated plexus-archiver packages fix security vulnerability:

A path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names. A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations (CVE-2018-1002200).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I7XAAUCTHL2PDJHW5Q2IYATOAXX4AFFU/
========================

Updated packages in core/updates_testing:
========================

plexus-archiver-3.4-1.1.mga6
plexus-archiver-javadoc-3.4-1.1.mga6

from plexus-archiver-3.4-1.1.mga6.src.rpm
Assignee: java => qa-bugs
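The traversal the advisory describes, as an added example that is not code from plexus-archiver, the fix, or this bug report: a naive extractor that trusts entry names beside a hardened one, both run against a constructed in-memory zip whose second entry is named `../../evil.txt`. It is written in Python rather than Java so it runs stand-alone here; the check itself (canonicalise the joined path, then require the target directory as its prefix, before writing anything) is the same one an archiver needs regardless of language. All function names and the sample archive are this example's own.

```python
"""Zip Slip (the CVE-2018-1002200 bug class) on a constructed archive.

Added example, not plexus-archiver code: a vulnerable extractor next to a
hardened one. Entry name, directory layout and function names are assumed.
"""
import io
import os
import tempfile
import zipfile


class ZipSlipError(Exception):
    """Raised when an archive entry would be written outside the target dir."""


def build_malicious_zip() -> bytes:
    """Constructed sample: one benign entry plus one whose name climbs two
    levels out of the extraction directory (any zip writer that does not
    normalise names can produce this)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/README.txt", "harmless\n")
        zf.writestr("../../evil.txt", "written by a crafted archive\n")
    return buf.getvalue()


def extract_naive(zip_bytes: bytes, target_dir: str) -> list:
    """Vulnerable pattern from the advisory: join the untrusted entry name
    onto the target and write. Kept deliberately so the escape is visible."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out_path = os.path.join(target_dir, info.filename)
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(out_path))
    return written


def safe_join(target_dir: str, name: str) -> str:
    """Canonicalise the joined path and insist it stays under target_dir.
    realpath resolves '..' segments, absolute names and symlinks before the
    prefix test, so '../x', '/etc/x' and 'link/../x' are all rejected."""
    root = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ZipSlipError(f"entry {name!r} escapes {root!r}")
    return candidate


def extract_safe(zip_bytes: bytes, target_dir: str) -> list:
    """Hardened extractor: validate every entry first, so one bad name aborts
    the whole extraction instead of leaving a half-written tree behind."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        paths = [safe_join(target_dir, i.filename) for i in infos]  # may raise
        written = []
        for info, out_path in zip(infos, paths):
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(out_path)
    return written


def demo() -> dict:
    """Run both extractors in a scratch tree and report where files landed."""
    payload = build_malicious_zip()
    result = {}
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "a", "b", "extract")
        os.makedirs(target)
        extract_naive(payload, target)
        # ../../evil.txt relative to a/b/extract lands in a/, outside target.
        result["naive_escaped"] = os.path.isfile(
            os.path.join(scratch, "a", "evil.txt"))

        target2 = os.path.join(scratch, "c", "d", "extract")
        os.makedirs(target2)
        try:
            extract_safe(payload, target2)
            result["safe_rejected"] = False
        except ZipSlipError:
            result["safe_rejected"] = True
        # Validation ran before any write, so even the benign entry is absent.
        result["safe_wrote_nothing"] = not os.path.exists(
            os.path.join(target2, "docs", "README.txt"))
    return result


if __name__ == "__main__":
    print(demo())
```

Checking with `str.startswith(root)` instead of `commonpath` is a common near-miss: it lets `/srv/out-other/x` pass for a root of `/srv/out`. Resolving both sides with `realpath` also matters when the target tree already contains a symlink pointing elsewhere.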
Mageia 6, x86_64

Could find no man pages or system menu entry for plexus-archiver.
API documentation at file:///usr/share/javadoc/plexus-archiver/help-doc.html
Information on the Zip Slip vulnerability at https://github.com/snyk/zip-slip-vulnerability

Before update:
urpmq --whatrequires-recursive turned up some applications needing plexus-archiver. Installed curator along with 106 other packages including several plexus modules. No man page or entry in the menus. More java stuff by the looks of it. Stumbled around looking for some way to use curator.

Tried this against local qa directory:

$ jar c /usr/share/java/curator/curator-client.jar qa > qa.plexus
qa/.#report.plexus : no such file or directory
qa/perl-Archive-Tar/moo : no such file or directory
qa/gd/demos : no such file or directory
qa/ruby/.#report.22844 : no such file or directory
qa/libc.so.6 : no such file or directory
qa/glibc/libc.so.6 : no such file or directory
qa/zend/Zend/library/Zend : no such file or directory

Not all of those messages make sense but something is being built, 2 gigabytes so far.

$ ll qa.plexus
-rw-r--r-- 1 lcl lcl 2115689925 Jan 2 17:10 qa.plexus
$ du -hs qa
6.0G qa

Final count:

$ ll qa.plexus
-rw-r--r-- 1 lcl lcl 4045550189 Jan 2 17:17 qa.plexus
$ file qa.plexus
qa.plexus: Java archive data (JAR)

Shall try to read the "archive" after updating.
CC: (none) => tarazed25
Updated the packages and tried

$ jar tf qa.plexus | wc -l
20117
$ jar tf qa.plexus | head
META-INF/
META-INF/MANIFEST.MF
usr/share/java/curator/curator-client.jar
qa/
qa/LOtest.ps
qa/mgaonline/
qa/mgaonline/applet
qa/crypt/
qa/openjfx/
qa/openjfx/report.23349

That shows that the original command entirely missed the point, so I am giving up on this.

$ java -jar /usr/share/java/curator/curator-client.jar
no main manifest attribute, in /usr/share/java/curator/curator-client.jar
Just a clean update will do.
OK - you've got it.
Whiteboard: (none) => MGA6-64-OK
Well then, the only thing left to do is to validate. I can handle that. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => lewyssmith
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0005.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED