Bug 660466 (CVE-2018-10860) - <dev-perl/Archive-Zip-1.600.0-r1: Directory Traversal vulnerability
Summary: <dev-perl/Archive-Zip-1.600.0-r1: Directory Traversal vulnerability
Alias: CVE-2018-10860
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on:
Reported: 2018-07-05 16:38 UTC by Eddie Chapman
Modified: 2019-04-18 21:33 UTC

See Also:
Package list:
Runtime testing required: ---

Description Eddie Chapman 2018-07-05 16:38:03 UTC
From MITRE CVE entry:
"It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter."

Upstream fix:

Reproducible: Didn't try
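The flaw described above is a caller that trusts archive member names and lets an entry such as `../../etc/passwd` (or a symlink member pointing outside the destination) be written outside the extraction directory. The check below is an added example written for this bug page, not code from the bug, the upstream patch or Archive::Zip itself; it uses the public Archive::Zip API (`read`, `members`, `fileName`, `isSymbolicLink`, `extractMember`) and the helper names `unsafe_member_reason` and `extract_safely` are hypothetical. It gives a caller on any version a defence-in-depth check before extraction.

```perl
#!/usr/bin/perl
# Added example: refuse to extract any zip member whose name could escape
# the destination directory, and refuse symlink members outright.
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Spec;

# Returns undef when the member name is safe, otherwise a short reason.
# Names are checked as stored in the archive (zip uses "/" separators,
# but Windows-created archives may carry backslashes as well).
sub unsafe_member_reason {
    my ($name) = @_;
    return 'empty name'             if !defined $name || $name eq '';
    return 'contains NUL byte'      if $name =~ /\0/;
    return 'absolute path'          if $name =~ m{^[/\\]} || $name =~ m{^[A-Za-z]:};
    return 'contains ".." segment'  if grep { $_ eq '..' } split m{[/\\]}, $name;
    return undef;
}

# Extracts every member of $zip_path under $dest, dying on the first
# member that fails the name check or that is a symbolic link.
sub extract_safely {
    my ($zip_path, $dest) = @_;
    my $zip = Archive::Zip->new;
    $zip->read($zip_path) == AZ_OK or die "cannot read $zip_path\n";
    for my $member ($zip->members) {
        my $name = $member->fileName;
        if (my $why = unsafe_member_reason($name)) {
            die "refusing to extract '$name': $why\n";
        }
        # A symlink member pointing outside $dest, followed by a later
        # member written through it, is the second traversal path the
        # upstream 1.63 release addressed ("Fix symlink traversal CVE").
        die "refusing to extract symlink member '$name'\n"
            if $member->isSymbolicLink;
        my $target = File::Spec->catfile($dest, $name);
        $zip->extractMember($member, $target) == AZ_OK
            or die "extraction of '$name' failed\n";
    }
    return 1;
}

extract_safely($ARGV[0], $ARGV[1]) if @ARGV == 2;
```

Run as `perl extract_safely.pl archive.zip /tmp/out`; a constructed archive containing a `../escape.txt` member is rejected before any file is written.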
Comment 1 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2018-07-08 01:55:30 UTC
Looks like the patch as stated will fail with certain filesystems[1]
Comment 2 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2018-07-08 02:08:21 UTC
Additionally, upstream includes binary patches (literal zip files), which are unsupported:

 * Applying Archive-Zip-1.60-CVE-2018-10860.patch ...
File t/data/ git binary diffs are not supported.
File t/data/ git binary diffs are not supported.
File t/data/ git binary diffs are not supported.

So we'll probably need additional fun our side :/
Comment 3 Larry the Git Cow gentoo-dev 2018-07-08 02:17:31 UTC
The bug has been referenced in the following commit(s):

commit a6da83db771be2c2c31fb9b068f4e1b1fd86a658
Author:     Kent Fredric <>
AuthorDate: 2018-07-08 02:16:42 +0000
Commit:     Kent Fredric <>
CommitDate: 2018-07-08 02:17:05 +0000

    dev-perl/Archive-Zip: Add fix for CVE-2018-10860 bug #660466
    This includes upstream's fixes and tests including binary files
    presented as textual diffs, which appears to work.
    Upstream testing indicates there are potential issues with tests on
    some systems, and so it may not be suitable as-is for stabilization
    See Github PR mentioned below for additional details.
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-perl/Archive-Zip/Archive-Zip-1.600.0-r1.ebuild |  35 ++
 .../files/Archive-Zip-1.60-CVE-2018-10860.patch    | 395 +++++++++++++++++++++
 2 files changed, 430 insertions(+)
Comment 4 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2018-08-16 20:03:23 UTC
Was considering doing a stabilization req today, but it seems upstream are still trying to fix their test failure issues
Comment 5 Larry the Git Cow gentoo-dev 2018-09-07 10:42:19 UTC
The bug has been referenced in the following commit(s):

commit e150c595db68b4ca474b7f0f521eaa7199c16716
Author:     Kent Fredric <>
AuthorDate: 2018-09-07 10:41:34 +0000
Commit:     Kent Fredric <>
CommitDate: 2018-09-07 10:42:06 +0000

    dev-perl/Archive-Zip: Bump to version 1.630.0 re bug #660466
    - Fix symlink traversal CVE
    - Turn on untainting of File::Find results
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-perl/Archive-Zip/Archive-Zip-1.630.0.ebuild | 32 +++++++++++++++++++++++++
 dev-perl/Archive-Zip/Manifest                   |  1 +
 2 files changed, 33 insertions(+)
Comment 6 Larry the Git Cow gentoo-dev 2018-12-02 02:12:30 UTC
The bug has been referenced in the following commit(s):

commit 12c89dc551493fb02a667123880bee01c2402186
Author:     Kent Fredric <>
AuthorDate: 2018-12-02 02:11:46 +0000
Commit:     Kent Fredric <>
CommitDate: 2018-12-02 02:11:46 +0000

    dev-perl/Archive-Zip: Cleanup old re bug #660466
    Remove versions affected by CVE-2018-10860
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Kent Fredric <>

 dev-perl/Archive-Zip/Archive-Zip-1.600.0.ebuild | 31 ------------------------
 dev-perl/Archive-Zip/Archive-Zip-1.630.0.ebuild | 32 -------------------------
 dev-perl/Archive-Zip/Manifest                   |  2 --
 3 files changed, 65 deletions(-)
Comment 7 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2018-12-02 02:13:52 UTC
1.640.0 is now stable, and all older versions are cleaned. Over to you now to do whatever sec team.