diff --git a/files/security/cve-2018-10860.patch b/files/security/cve-2018-10860.patch
deleted file mode 100644
--- a/files/security/cve-2018-10860.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-diff --git a/lib/Archive/Zip.pm b/lib/Archive/Zip.pm
-index ca82e31..907808b 100644
---- a/lib/Archive/Zip.pm
-+++ b/lib/Archive/Zip.pm
-@@ -1145,6 +1145,9 @@ member is used as the name of the extracted file or
- directory.
- If you pass C<$extractedName>, it should be in the local file
- system's format.
-+If you do not pass C<$extractedName> and the internal filename traverses
-+a parent directory or a symbolic link, the extraction will be aborted with
-+C for security reason.
- All necessary directories will be created. Returns C
- on success.
- 
-@@ -1162,6 +1165,9 @@ extracted member (its paths will be deleted too). Otherwise,
- the internal filename of the member (minus paths) is used as
- the name of the extracted file or directory. Returns C
- on success.
-+If you do not pass C<$extractedName> and the internal filename is equalled
-+to a local symbolic link, the extraction will be aborted with C for
-+security reason.
- 
- =item addMember( $member )
- 
-@@ -1609,6 +1615,8 @@ a/x to f:\d\e\x
- 
- a/b/c to f:\d\e\b\c and ignore ax/d/e and d/e
- 
-+If the path to the extracted file traverses a parent directory or a symbolic
-+link, the extraction will be aborted with C for security reason.
- Returns an error code or AZ_OK if everything worked OK.
- 
- =back
-diff --git a/lib/Archive/Zip/Archive.pm b/lib/Archive/Zip/Archive.pm
-index 48f0d1a..b0d3e46 100644
---- a/lib/Archive/Zip/Archive.pm
-+++ b/lib/Archive/Zip/Archive.pm
-@@ -185,6 +185,8 @@ sub extractMember {
- $dirName = File::Spec->catpath($volumeName, $dirName, '');
- } else {
- $name = $member->fileName();
-+ if ((my $ret = _extractionNameIsSafe($name))
-+ != AZ_OK) { return $ret; }
- ($dirName = $name) =~ s{[^/]*$}{};
- $dirName = Archive::Zip::_asLocalName($dirName);
- $name = Archive::Zip::_asLocalName($name);
-@@ -218,6 +220,8 @@ sub extractMemberWithoutPaths {
- unless ($name) {
- $name = $member->fileName();
- $name =~ s{.*/}{}; # strip off directories, if any
-+ if ((my $ret = _extractionNameIsSafe($name))
-+ != AZ_OK) { return $ret; }
- $name = Archive::Zip::_asLocalName($name);
- }
- my $rc = $member->extractToFileNamed($name, @_);
-@@ -827,6 +831,37 @@ sub addTreeMatching {
- return $self->addTree($root, $dest, $matcher, $compressionLevel);
- }
- 
-+# Check if one of the components of a path to the file or the file name
-+# itself is an already existing symbolic link. If yes then return an
-+# error. Continuing and writing to a file traversing a link posseses
-+# a security threat, especially if the link was extracted from an
-+# attacker-supplied archive. This would allow writing to an arbitrary
-+# file. The same applies when using ".." to escape from a working
-+# directory.
-+sub _extractionNameIsSafe {
-+ my $name = shift;
-+ my ($volume, $directories) = File::Spec->splitpath($name, 1);
-+ my @directories = File::Spec->splitdir($directories);
-+ if (grep '..'
eq $_, @directories) {
-+ return _error(
-+ "Could not extract $name safely: a parent directory is used");
-+ }
-+ my @path;
-+ my $path;
-+ for my $directory (@directories) {
-+ push @path, $directory;
-+ $path = File::Spec->catpath($volume, File::Spec->catdir(@path), '');
-+ if (-l $path) {
-+ return _error(
-+ "Could not extract $name safely: $path is an existing symbolic link");
-+ }
-+ if (!-e $path) {
-+ last;
-+ }
-+ }
-+ return AZ_OK;
-+}
-+
- # $zip->extractTree( $root, $dest [, $volume] );
- #
- # $root and $dest are Unix-style.
-@@ -861,6 +896,8 @@ sub extractTree {
- $fileName =~ s{$pattern}{$dest}; # in Unix format
- # convert to platform format:
- $fileName = Archive::Zip::_asLocalName($fileName, $volume);
-+ if ((my $ret = _extractionNameIsSafe($fileName))
-+ != AZ_OK) { return $ret; }
- my $status = $member->extractToFileNamed($fileName);
- return $status if $status != AZ_OK;
- }
diff --git a/package.yml b/package.yml
--- a/package.yml
+++ b/package.yml
@@ -1,8 +1,8 @@
 name : perl-archive-zip
-version : '1.60'
-release : 12
+version : '1.68'
+release : 13
 source :
- - https://cpan.metacpan.org/authors/id/P/PH/PHRED/Archive-Zip-1.60.tar.gz : eac75b05f308e860aa860c3094aa4e7915d3d31080e953e49bc9c38130f5c20b
+ - https://cpan.metacpan.org/authors/id/P/PH/PHRED/Archive-Zip-1.68.tar.gz : 984e185d785baf6129c6e75f8eb44411745ac00bf6122fb1c8e822a3861ec650
 homepage : https://metacpan.org/release/Archive-Zip
 license : Artistic-Perl-1.0
 component : programming.perl
@@ -11,10 +11,8 @@
 The Archive::Zip module allows a Perl program to create, manipulate, read, and write Zip archive file
 builddeps :
 - perl-test-mockmodule
- - perl-super
 - perl-sub-identify
 setup : |
- %patch -p1 < $pkgfiles/security/cve-2018-10860.patch
 %perl_setup
 build : |
 %perl_build
diff --git a/pspec_x86_64.xml b/pspec_x86_64.xml
--- a/pspec_x86_64.xml
+++ b/pspec_x86_64.xml
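Review bot: The `setup:` hunk of package.yml drops the `%patch -p1 < $pkgfiles/security/cve-2018-10860.patch` line (and the file itself is deleted above) without anything on the page recording where that fix now lives; presumably the 1.68 tarball carries the upstream version of the same path-traversal/symlink check, but that should be confirmed against the release's Changes file rather than assumed, since a silent drop of a security backport is hard to audit later. A one-line record next to the version bump would make the intent explicit, e.g. `# cve-2018-10860 backport removed: fix is included upstream as of this release` above `setup : |`. The same hunk also removes the `perl-super` builddep with no visible reason; if it is no longer pulled in by the 1.68 test suite, saying so in the commit description would help. The sha256 for the new tarball is present, so the source line itself raises nothing.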
@@ -3,8 +3,8 @@ perl-archive-zip https://metacpan.org/release/Archive-Zip - Pierre-Yves - pyu@riseup.net + Algent Albrahimi + algent@protonmail.com Artistic-Perl-1.0 programming.perl @@ -42,12 +42,12 @@ - - 2020-06-27 - 1.60 + + 2020-07-17 + 1.68 Packaging update - Pierre-Yves - pyu@riseup.net + Algent Albrahimi + algent@protonmail.com \ No newline at end of file