Univention Bugzilla – Bug 47535
libarchive-zip-perl: Multiple issues (4.2)
Last modified: 2018-08-15 16:20:20 CEST
New Debian libarchive-zip-perl 1.39-1+deb8u1 fixes:

This update addresses the following issue(s):
* perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter. (CVE-2018-10860)

1.39-1+deb8u1 (Tue, 24 Jul 2018 21:08:04 +0200)
* Non-maintainer upload by the LTS team.
* Fix CVE-2018-10860: perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter.

* CVE-2018-10860 perl-Archive-Zip: Directory traversal in Archive::Zip (CVE-2018-10860)
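A caller-side check for the flaw class described above, as an added example that is not code from this bug report, Debian, or the Archive::Zip project: it audits each member name before handing it to Archive::Zip for extraction. The helper names `unsafe_reason` and `extract_checked` are hypothetical, the sample archive is constructed inline, and refusing symbolic-link members is an extra conservative assumption beyond what the advisory text states.

```perl
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Spec;
use File::Temp qw(tempdir);

# Reason a member must not be extracted, or undef when its name is acceptable.
sub unsafe_reason {
    my ($member) = @_;
    my $name = $member->fileName;
    # Conservative extra (assumption): refuse link members outright.
    return 'symbolic link' if $member->isSymbolicLink;
    return 'absolute path' if $name =~ m{^[/\\]} || $name =~ m{^[A-Za-z]:};
    return 'parent directory reference'
        if grep { $_ eq '..' } split m{[/\\]+}, $name;
    return;
}

# Extract only members that pass unsafe_reason(); return [name, reason]
# pairs for every member that was refused.
sub extract_checked {
    my ($zip_path, $dest) = @_;
    my $zip = Archive::Zip->new;
    $zip->read($zip_path) == AZ_OK or die "cannot read $zip_path\n";
    my @rejected;
    for my $member ($zip->members) {
        if (defined(my $why = unsafe_reason($member))) {
            push @rejected, [$member->fileName, $why];
            next;
        }
        # Always pass an explicit target rooted in $dest.
        my $target = File::Spec->catfile($dest, split m{/}, $member->fileName);
        $zip->extractMember($member, $target) == AZ_OK
            or die 'extract failed: ' . $member->fileName . "\n";
    }
    return @rejected;
}

# Constructed sample archive: one benign member, one with a traversal name.
my $work   = tempdir(CLEANUP => 1);
my $sample = File::Spec->catfile($work, 'sample.zip');
my $out    = Archive::Zip->new;
$out->addString("hello\n", 'docs/readme.txt');
$out->addString("x\n",     '../escape.txt');
$out->writeToFileNamed($sample) == AZ_OK or die "cannot write sample\n";

my $dest = File::Spec->catdir($work, 'out');
mkdir $dest or die "mkdir $dest: $!\n";
printf "rejected %s: %s\n", @$_ for extract_checked($sample, $dest);
my $kept = File::Spec->catfile($dest, 'docs', 'readme.txt');
print "extracted $kept\n" if -e $kept;
```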
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libarchive-zip-perl_1.39-1.dsc +++ apt/ucs_4.2-0-errata4.2-4/source/libarchive-zip-perl_1.39-1+deb8u1.dsc @@ -1,3 +1,13 @@ +1.39-1+deb8u1 [Tue, 24 Jul 2018 21:08:04 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2018-10860: + perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. + It was found that the Archive::Zip module did not properly sanitize paths + while extracting zip files. An attacker able to provide a specially + crafted archive for processing could use this flaw to write or overwrite + arbitrary files in the context of the perl interpreter. (Closes: #902882) + 1.39-1 [Wed, 22 Oct 2014 21:12:14 +0200] gregor herrmann <gregoa@debian.org>: * Team upload. <http://10.200.17.11/4.2-4/#2437725320887429773>
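Review bot: The added 1.39-1+deb8u1 entry states that CVE-2018-10860 is fixed but not how: it names no patch file and no upstream commit, so a reader of this diff cannot confirm which path handling during extraction was changed. Suggest adding the patch name or upstream reference next to "(Closes: #902882)", and noting whether a traversal test case accompanies the fix.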
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] 1f06236a6b Bug #47535: libarchive-zip-perl 1.39-1+deb8u1
 doc/errata/staging/libarchive-zip-perl.yaml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

[4.2-4] 17f884130a Bug #47535: libarchive-zip-perl 1.39-1+deb8u1
 doc/errata/staging/libarchive-zip-perl.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
<http://errata.software-univention.de/ucs/4.2/458.html>