Ubuntu has issued an advisory on July 4: https://usn.ubuntu.com/3703-1/ Mageia 5 and Mageia 6 are also affected.
Please be mindful of whether perl also bundles this module. Bug 23148 in Archive::Tar still isn't fixed yet for that reason.
Whiteboard: (none) => MGA6TOO
Assigning to the Perl stack maintainers, CC'ing the registered maintainer.
CC: (none) => marja11, shlomif
Assignee: bugsquad => perl
perl-Archive-Zip-1.600.0-2.mga7 uploaded by Shlomi for Cauldron to fix this. No word yet whether perl also bundles it.
(In reply to David Walser from comment #3)
> perl-Archive-Zip-1.600.0-2.mga7 uploaded by Shlomi for Cauldron to fix this.
> No word yet whether perl also bundles it.

It does not.

shlomif[rpms]:$mageia/6/perl$ ag -g Zip
BUILD/perl-5.22.3/cpan/IO-Compress/lib/IO/Compress/Zip.pm
BUILD/perl-5.22.3/cpan/IO-Compress/lib/IO/Compress/Zip/Constants.pm
shlomif[rpms]:$mageia/6/perl$ ack -g Zip
BUILD/perl-5.22.3/cpan/IO-Compress/lib/IO/Compress/Zip.pm
BUILD/perl-5.22.3/cpan/IO-Compress/lib/IO/Compress/Zip/Constants.pm
shlomif[rpms]:$mageia/6/perl$ ack -g Archive
BUILD/perl-5.22.3/cpan/Archive-Tar/lib/Archive/Tar/File.pm
BUILD/perl-5.22.3/cpan/Archive-Tar/lib/Archive/Tar/Constant.pm
BUILD/perl-5.22.3/cpan/Archive-Tar/lib/Archive/Tar.pm
BUILD/perl-5.22.3/cpan/Archive-Tar/t/02_methods.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/03_file.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/04_resolved_issues.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/08_ptargrep.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/90_symlink.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/01_use.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/src/short/b
BUILD/perl-5.22.3/cpan/Archive-Tar/t/src/long/b
BUILD/perl-5.22.3/cpan/Archive-Tar/t/06_error.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/99_pod.t
BUILD/perl-5.22.3/cpan/Archive-Tar/t/05_iter.t
BUILD/perl-5.22.3/cpan/Archive-Tar/bin/ptargrep
BUILD/perl-5.22.3/cpan/Archive-Tar/bin/ptar
BUILD/perl-5.22.3/cpan/Archive-Tar/bin/ptardiff
shlomif[rpms]:$mageia/6/perl$
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Updated package uploaded by Shlomi for Mageia 6.

Advisory:
========================

Updated perl-Archive-Zip package fixes security vulnerability:

It was discovered that the Archive::Zip module incorrectly handled certain inputs. An attacker could possibly use this to access sensitive information (CVE-2018-10860).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10860
========================

Updated packages in core/updates_testing:
========================
perl-Archive-Zip-1.600.0-1.mga6

from perl-Archive-Zip-1.600.0-1.mga6.src.rpm
Assignee: perl => qa-bugs
Mageia 6, x86_64

Installed perl-Archive-Zip-1.570.0-2.mga6 and attempted to emulate the symbolic link test from bug 23148 by using the example scripts zip.pl and unzipAll.pl from /usr/share/doc/perl-Archive-Zip/examples/

Created a file /tmp/moo with content "Moo!" and added a symbolic link to it in the test directory.

$ ll
lrwxrwxrwx 1 lcl lcl 8 Jul 7 00:36 moo -> /tmp/moo
$ ./zip.pl traversal.zip moo
$ rm -f /tmp/moo
$ unlink moo
$ ./unzipAll.pl traversal.zip
$ ll
-rw-r--r-- 1 lcl lcl 5 Jul 7 00:49 moo
$ cat moo
Moo!
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory

This demonstrates that the pre-update package does not unpack contents outside the current directory. Whatever the problem is with this package, it is not the same as the Tar issue. Leaving the update until later, after checking the CVE again.
CC: (none) => tarazed25
Worked back through various links from the CVE looking for hints on reproducing the '..' issue but none were helpful.

Updated to perl-Archive-Zip-1.600.0-1.mga6.

Copied files from /usr/share/doc/perl-Archive-Zip/examples/ (probably unnecessary). Created a test directory and populated it, then created a zip archive of test.

$ ./zip.pl test.zip test
$ ll test.zip
-rw-r--r-- 1 lcl lcl 9550916 Jul 7 08:08 test.zip
$ mkdir tmp
$ cp test.zip tmp
$ cd tmp
$ ../unzipAll.pl test.zip

That worked fine. Checked for particular files known to exist in the original directory.

$ pwd
/home/lcl/qa/perl-Archive-Zip/tmp
$ ll
drwxr-xr-x 4 lcl lcl 4096 Jul 7 08:13 test/
-rw-r--r-- 1 lcl lcl 9550916 Jul 7 08:08 test.zip
$ ll test/bookshelf test/servercheck
-rwxr-xr-x 1 lcl lcl 2527 Jul 7 08:04 test/bookshelf*
-rwxr-xr-x 1 lcl lcl 6874 Jul 7 08:04 test/servercheck*
$ rm -rf test
$ ../extract.pl test.zip test/servercheck
$ ../extract.pl test.zip test/fontdemo
$ ll test
-rwxr-xr-x 1 lcl lcl 1285 Jul 7 08:04 fontdemo*
-rwxr-xr-x 1 lcl lcl 6874 Jul 7 08:04 servercheck*

Finally

$ cd ..
$
$ ./extract.pl traversal.zip moo
Extracting moo
$ cat moo
Moo!
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory

Everything looks OK for 64-bits.
Whiteboard: (none) => MGA6-64-OK
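The two QA comments above exercise extraction behaviour by hand with zip.pl, unzipAll.pl and extract.pl. As an added example (not code from the bug report, from Mageia, or from Archive::Zip itself), the script below approaches the same risk from the defender's side: it lists an archive's member names and flags entries that would land outside the extraction directory (absolute paths, drive letters, any '..' component), plus symbolic-link members whose stored target does the same, before anything is written to disk. It assumes the documented Archive::Zip API (new, read, addString, members, fileName, unixFileAttributes, contents), the Info-ZIP convention that the Unix mode lives in the upper 16 bits of the external attributes, and Fcntl's ':mode' helpers; the archive it builds in memory when run without arguments is constructed test data.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of Archive::Zip: inspect a zip
# archive's member list for names that would escape the extraction directory.
# Assumptions: the public Archive::Zip API named in the lead-in, and that a
# symlink member carries S_IFLNK in unixFileAttributes (Info-ZIP convention).
use strict;
use warnings;
use Archive::Zip qw( :ERROR_CODES );
use Fcntl qw( :mode );

# Return the reasons a member name is unsafe to extract under a fresh
# directory; an empty list means the name looks fine.
sub unsafe_reasons {
    my ($name) = @_;
    my @reasons;
    # Zip member names use '/' separators, but tolerate backslashes too.
    (my $norm = $name) =~ s{\\}{/}g;
    push @reasons, 'absolute path' if $norm =~ m{^/};
    push @reasons, 'drive letter'  if $norm =~ m{^[A-Za-z]:};
    push @reasons, 'contains ".." component'
        if grep { $_ eq '..' } split m{/}, $norm;
    return @reasons;
}

# Scan an Archive::Zip object; returns a list of [ member name, reason ] pairs.
sub scan_zip {
    my ($zip) = @_;
    my @findings;
    for my $member ($zip->members()) {
        my $name = $member->fileName();
        push @findings, [ $name, $_ ] for unsafe_reasons($name);

        # A symlink member stores its target as the member contents; a target
        # pointing outside the tree is traversal by another route.
        if (S_ISLNK($member->unixFileAttributes())) {
            my ($target, $status) = $member->contents();
            $target = '' unless defined $target and $status == AZ_OK;
            push @findings, [ $name, "symlink to '$target': $_" ]
                for unsafe_reasons($target);
        }
    }
    return @findings;
}

# Constructed in-memory archive (test data, not an artifact from the report)
# with one harmless member and four that a scanner should flag.
sub demo_archive {
    my $zip = Archive::Zip->new();
    $zip->addString('Moo!', 'test/moo');            # harmless
    $zip->addString('Moo!', '../escape.txt');       # parent traversal
    $zip->addString('Moo!', '/tmp/absolute.txt');   # absolute path
    $zip->addString('Moo!', 'dir/../../up.txt');    # nested traversal
    my $link = $zip->addString('/tmp/moo', 'moo');  # symlink member -> /tmp/moo
    $link->unixFileAttributes(S_IFLNK | 0777);
    return $zip;
}

my $zip;
if (@ARGV) {
    # Scan a real archive given on the command line.
    $zip = Archive::Zip->new();
    $zip->read($ARGV[0]) == AZ_OK or die "cannot read $ARGV[0]\n";
} else {
    $zip = demo_archive();
}

my @findings = scan_zip($zip);
printf "%-24s %s\n", @$_ for @findings;
exit(@findings ? 1 : 0);
```

Run as `perl scanzip.pl archive.zip` to check a real file; with no argument it scans the constructed archive and should report the four unsafe members and the symlink while staying silent on test/moo. A non-zero exit status makes it usable as a gate in front of an extraction step, which is the kind of check that catches a traversal-bearing archive regardless of whether the extracting library has been patched.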
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0311.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED