F11051763
D9249.id22334.diff
diff --git a/files/security/cve-2018-10860.patch b/files/security/cve-2018-10860.patch
deleted file mode 100644
--- a/files/security/cve-2018-10860.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-diff --git a/lib/Archive/Zip.pm b/lib/Archive/Zip.pm
-index ca82e31..907808b 100644
---- a/lib/Archive/Zip.pm
-+++ b/lib/Archive/Zip.pm
-@@ -1145,6 +1145,9 @@ member is used as the name of the extracted file or
- directory.
- If you pass C<$extractedName>, it should be in the local file
- system's format.
-+If you do not pass C<$extractedName> and the internal filename traverses
-+a parent directory or a symbolic link, the extraction will be aborted with
-+C<AC_ERROR> for security reason.
- All necessary directories will be created. Returns C<AZ_OK>
- on success.
-
-@@ -1162,6 +1165,9 @@ extracted member (its paths will be deleted too). Otherwise,
- the internal filename of the member (minus paths) is used as
- the name of the extracted file or directory. Returns C<AZ_OK>
- on success.
-+If you do not pass C<$extractedName> and the internal filename is equalled
-+to a local symbolic link, the extraction will be aborted with C<AC_ERROR> for
-+security reason.
-
- =item addMember( $member )
-
-@@ -1609,6 +1615,8 @@ a/x to f:\d\e\x
-
- a/b/c to f:\d\e\b\c and ignore ax/d/e and d/e
-
-+If the path to the extracted file traverses a parent directory or a symbolic
-+link, the extraction will be aborted with C<AC_ERROR> for security reason.
- Returns an error code or AZ_OK if everything worked OK.
-
- =back
-diff --git a/lib/Archive/Zip/Archive.pm b/lib/Archive/Zip/Archive.pm
-index 48f0d1a..b0d3e46 100644
---- a/lib/Archive/Zip/Archive.pm
-+++ b/lib/Archive/Zip/Archive.pm
-@@ -185,6 +185,8 @@ sub extractMember {
- $dirName = File::Spec->catpath($volumeName, $dirName, '');
- } else {
- $name = $member->fileName();
-+ if ((my $ret = _extractionNameIsSafe($name))
-+ != AZ_OK) { return $ret; }
- ($dirName = $name) =~ s{[^/]*$}{};
- $dirName = Archive::Zip::_asLocalName($dirName);
- $name = Archive::Zip::_asLocalName($name);
-@@ -218,6 +220,8 @@ sub extractMemberWithoutPaths {
- unless ($name) {
- $name = $member->fileName();
- $name =~ s{.*/}{}; # strip off directories, if any
-+ if ((my $ret = _extractionNameIsSafe($name))
-+ != AZ_OK) { return $ret; }
- $name = Archive::Zip::_asLocalName($name);
- }
- my $rc = $member->extractToFileNamed($name, @_);
-@@ -827,6 +831,37 @@ sub addTreeMatching {
- return $self->addTree($root, $dest, $matcher, $compressionLevel);
- }
-
-+# Check if one of the components of a path to the file or the file name
-+# itself is an already existing symbolic link. If yes then return an
-+# error. Continuing and writing to a file traversing a link posseses
-+# a security threat, especially if the link was extracted from an
-+# attacker-supplied archive. This would allow writing to an arbitrary
-+# file. The same applies when using ".." to escape from a working
-+# directory. <https://bugzilla.redhat.com/show_bug.cgi?id=1591449>
-+sub _extractionNameIsSafe {
-+ my $name = shift;
-+ my ($volume, $directories) = File::Spec->splitpath($name, 1);
-+ my @directories = File::Spec->splitdir($directories);
-+ if (grep '..' eq $_, @directories) {
-+ return _error(
-+ "Could not extract $name safely: a parent directory is used");
-+ }
-+ my @path;
-+ my $path;
-+ for my $directory (@directories) {
-+ push @path, $directory;
-+ $path = File::Spec->catpath($volume, File::Spec->catdir(@path), '');
-+ if (-l $path) {
-+ return _error(
-+ "Could not extract $name safely: $path is an existing symbolic link");
-+ }
-+ if (!-e $path) {
-+ last;
-+ }
-+ }
-+ return AZ_OK;
-+}
-+
- # $zip->extractTree( $root, $dest [, $volume] );
- #
- # $root and $dest are Unix-style.
-@@ -861,6 +896,8 @@ sub extractTree {
- $fileName =~ s{$pattern}{$dest}; # in Unix format
- # convert to platform format:
- $fileName = Archive::Zip::_asLocalName($fileName, $volume);
-+ if ((my $ret = _extractionNameIsSafe($fileName))
-+ != AZ_OK) { return $ret; }
- my $status = $member->extractToFileNamed($fileName);
- return $status if $status != AZ_OK;
- }
diff --git a/package.yml b/package.yml
--- a/package.yml
+++ b/package.yml
@@ -1,8 +1,8 @@
name : perl-archive-zip
-version : '1.60'
-release : 12
+version : '1.68'
+release : 13
source :
- - https://cpan.metacpan.org/authors/id/P/PH/PHRED/Archive-Zip-1.60.tar.gz : eac75b05f308e860aa860c3094aa4e7915d3d31080e953e49bc9c38130f5c20b
+ - https://cpan.metacpan.org/authors/id/P/PH/PHRED/Archive-Zip-1.68.tar.gz : 984e185d785baf6129c6e75f8eb44411745ac00bf6122fb1c8e822a3861ec650
homepage : https://metacpan.org/release/Archive-Zip
license : Artistic-Perl-1.0
component : programming.perl
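Review bot: the new source line is the only integrity check on the 1.68 tarball, so the sha256 on the `+ - https://cpan.metacpan.org/authors/id/P/PH/PHRED/Archive-Zip-1.68.tar.gz : ...` line should be verified against the checksum metacpan publishes for that release rather than taken from a local download; the quoted version string and the release bump from 12 to 13 follow the file's existing style.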
@@ -14,7 +14,6 @@
- perl-super
- perl-sub-identify
setup : |
- %patch -p1 < $pkgfiles/security/cve-2018-10860.patch
%perl_setup
build : |
%perl_build
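Review bot: removing the `%patch -p1 < $pkgfiles/security/cve-2018-10860.patch` line is consistent with the file deletion above, and with no remaining `%patch` call the setup step reduces to `%perl_setup`, which is fine as written.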
diff --git a/pspec_x86_64.xml b/pspec_x86_64.xml
--- a/pspec_x86_64.xml
+++ b/pspec_x86_64.xml
@@ -3,8 +3,8 @@
<Name>perl-archive-zip</Name>
<Homepage>https://metacpan.org/release/Archive-Zip</Homepage>
<Packager>
- <Name>Pierre-Yves</Name>
- <Email>pyu@riseup.net</Email>
+ <Name>Algent Albrahimi</Name>
+ <Email>algent@protonmail.com</Email>
</Packager>
<License>Artistic-Perl-1.0</License>
<PartOf>programming.perl</PartOf>
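Review bot: the Packager block changing from Pierre-Yves to Algent Albrahimi is expected when a different maintainer regenerates pspec_x86_64.xml from a build; just confirm the file came from a fresh build rather than a hand edit, so the sections this hunk leaves untouched (the Files list in particular) reflect the 1.68 build.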
@@ -42,12 +42,12 @@
</Files>
</Package>
<History>
- <Update release="12">
- <Date>2020-06-27</Date>
- <Version>1.60</Version>
+ <Update release="13">
+ <Date>2020-07-16</Date>
+ <Version>1.68</Version>
<Comment>Packaging update</Comment>
- <Name>Pierre-Yves</Name>
- <Email>pyu@riseup.net</Email>
+ <Name>Algent Albrahimi</Name>
+ <Email>algent@protonmail.com</Email>
</Update>
</History>
</PISI>
\ No newline at end of file
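Review bot: the History entry keeps the generic `<Comment>Packaging update</Comment>` even though this release moves from 1.60 to 1.68 and drops the CVE-2018-10860 backport; a comment naming the version bump and the dropped cve-2018-10860.patch would make the security-relevant change findable in the package history later. The `\ No newline at end of file` marker on `</PISI>` is on an unchanged context line, so it is pre-existing and not introduced here.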
D9249: Update perl-archive-zip to 1.68