From MITRE CVE entry: "It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter."

Upstream fix: https://github.com/redhotpenguin/perl-Archive-Zip/commit/95e1df86327

Reproducible: Didn't try
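The failure the CVE text describes (member paths written without sanitization) is something an extractor can check for before it writes anything. The following is an added Python example, not Archive::Zip's own code and not the upstream patch: it audits every member of an archive against the intended destination directory and rejects absolute paths, parent-directory components, symbolic-link members (the class of entry the upstream test archives link-dir.zip and link-samename.zip exercise) and any name that still resolves outside the destination after canonicalization. The sample archive, the destination path and all function names are constructed for the example.

```python
import io
import os
import posixpath
import stat
import zipfile
from typing import Dict, Optional


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign member and three hostile ones.

    Python's zipfile stores the names as given, so the traversal entries
    survive into the archive exactly as a crafted file would carry them.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../escape.txt", "would land outside the destination\n")
        zf.writestr("/etc/evil.txt", "absolute path\n")
        # A symlink member: unix mode bits live in the high 16 bits of external_attr.
        link = zipfile.ZipInfo("link-dir")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../tmp")  # link target is the member's data
    return buf.getvalue()


def is_symlink_member(info: zipfile.ZipInfo) -> bool:
    """True when the member's stored unix mode says it is a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def check_member(dest: str, info: zipfile.ZipInfo) -> Optional[str]:
    """Return a rejection reason, or None when the member is safe to write under dest."""
    # Normalize separators first so "..\\x" cannot slip past a "/"-only split.
    name = info.filename.replace("\\", "/")
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if ".." in parts:
        return "parent-directory component"
    # Refusing links outright also prevents a later member from being written
    # *through* a link this archive created earlier in the extraction order.
    if is_symlink_member(info):
        return "symbolic link member"
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, target]) != root:
        return "resolves outside destination"
    return None


def audit_archive(data: bytes, dest: str) -> Dict[str, Optional[str]]:
    """Map each member name to its rejection reason (None means accepted)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: check_member(dest, info) for info in zf.infolist()}


if __name__ == "__main__":
    # Constructed destination; it does not need to exist for the audit.
    for member, verdict in audit_archive(build_sample_zip(), "/tmp/az-extract-dest").items():
        print(f"{member!r}: {'ok' if verdict is None else 'REJECT (' + verdict + ')'}")
```

The audit is deliberately run over the whole member list before extraction starts, so a hostile entry late in the archive cannot be reached only after earlier members have already been written.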
Looks like the patch as stated will fail with certain filesystems [1].

[1] https://github.com/redhotpenguin/perl-Archive-Zip/pull/33#issuecomment-401264591
Additionally, upstream includes binary patches (literal zip files), which are unsupported:

 * Applying Archive-Zip-1.60-CVE-2018-10860.patch ...
 File t/data/dotdot-from-unexistant-path.zip: git binary diffs are not supported.
 File t/data/link-dir.zip: git binary diffs are not supported.
 File t/data/link-samename.zip: git binary diffs are not supported.

https://savannah.gnu.org/forum/forum.php?forum_id=7361

So we'll probably need additional fun on our side :/
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6da83db771be2c2c31fb9b068f4e1b1fd86a658

commit a6da83db771be2c2c31fb9b068f4e1b1fd86a658
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-07-08 02:16:42 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-07-08 02:17:05 +0000

    dev-perl/Archive-Zip: Add fix for CVE-2018-10860

    bug #660466

    This includes upstream's fixes and tests, including binary files presented as textual diffs, which appears to work.

    Upstream testing indicates there are potential issues with tests on some systems, and so it may not be suitable as-is for stabilization. See the Github PR mentioned below for additional details.

    Bug: https://bugs.gentoo.org/660466
    Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1591449
    Bug: https://github.com/redhotpenguin/perl-Archive-Zip/pull/33
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-perl/Archive-Zip/Archive-Zip-1.600.0-r1.ebuild |  35 ++
 .../files/Archive-Zip-1.60-CVE-2018-10860.patch    | 395 +++++++++++++++++++++
 2 files changed, 430 insertions(+)
Was considering doing a stabilization req today, but it seems upstream are still trying to fix their test failure issues:

https://github.com/redhotpenguin/perl-Archive-Zip/pull/34
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e150c595db68b4ca474b7f0f521eaa7199c16716

commit e150c595db68b4ca474b7f0f521eaa7199c16716
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-09-07 10:41:34 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-09-07 10:42:06 +0000

    dev-perl/Archive-Zip: Bump to version 1.630.0 re bug #660466

    Upstream:
    - Fix symlink traversal CVE
    - Turn on untainting of File::Find results

    Bug: https://bugs.gentoo.org/660466
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-perl/Archive-Zip/Archive-Zip-1.630.0.ebuild | 32 +++++++++++++++++++++++++
 dev-perl/Archive-Zip/Manifest                   |  1 +
 2 files changed, 33 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12c89dc551493fb02a667123880bee01c2402186

commit 12c89dc551493fb02a667123880bee01c2402186
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-12-02 02:11:46 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-12-02 02:11:46 +0000

    dev-perl/Archive-Zip: Cleanup old re bug #660466

    Remove versions affected by CVE-2018-10860

    Bug: https://bugs.gentoo.org/660466
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 dev-perl/Archive-Zip/Archive-Zip-1.600.0.ebuild | 31 ------------------------
 dev-perl/Archive-Zip/Archive-Zip-1.630.0.ebuild | 32 -------------------------
 dev-perl/Archive-Zip/Manifest                   |  2 --
 3 files changed, 65 deletions(-)
1.640.0 is now stable, and all older versions are cleaned. Over to you now to do whatever, sec team.