Your message dated Tue, 02 Oct 2018 06:03:29 +0000
with message-id <[email protected]>
and subject line Bug#902882: fixed in libarchive-zip-perl 1.59-1+deb9u1
has caused the Debian Bug report #902882,
regarding libarchive-zip-perl: CVE-2018-10860: Directory traversal in Archive::Zip
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
902882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902882
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libarchive-zip-perl
Version: 1.60-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/redhotpenguin/perl-Archive-Zip/pull/33

Hi,

The following vulnerability was published for libarchive-zip-perl.

CVE-2018-10860[0]:
| perl-archive-zip is vulnerable to a directory traversal in
| Archive::Zip. It was found that the Archive::Zip module did not
| properly sanitize paths while extracting zip files. An attacker able
| to provide a specially crafted archive for processing could use this
| flaw to write or overwrite arbitrary files in the context of the perl
| interpreter.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10860
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10860
[1] https://github.com/redhotpenguin/perl-Archive-Zip/pull/33

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
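A defender's check for the flaw class the report above describes, added here as an example; it is not Archive::Zip code and not part of any message in this thread. It illustrates in Python the three rejections the stretch changelog lists (absolute names, parent-directory components, and traversal through a symlinked directory) by running a constructed archive through a guarded extractor; it assumes a POSIX filesystem that allows symlinks.

```python
import io, os, tempfile, zipfile
from pathlib import PurePosixPath

def unsafe_reason(dest_dir, member_name):
    """Why extracting member_name under dest_dir would escape it, or None."""
    p = PurePosixPath(member_name)          # zip member names use '/' separators
    if p.is_absolute():
        return "absolute path"
    if ".." in p.parts:
        return "parent-directory component"
    root = os.path.realpath(dest_dir)
    # realpath resolves symlinks in the existing prefix, so a parent directory
    # that is a symlink pointing outside dest_dir ends up outside root here.
    target = os.path.realpath(os.path.join(root, *p.parts))
    if os.path.commonpath([root, target]) != root:
        return "symlink escapes destination"
    return None

def safe_extract(zip_bytes, dest_dir):
    """Extract only members that pass unsafe_reason; return (kept, rejected)."""
    kept, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            reason = unsafe_reason(dest_dir, name)
            if reason:
                rejected[name] = reason
                continue
            out = os.path.join(dest_dir, *PurePosixPath(name).parts)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as fh:
                fh.write(zf.read(name))
            kept.append(name)
    return kept, rejected

def demo():
    """Constructed archive: one benign member plus the three escape patterns."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
        zf.writestr("../outside.txt", "dot-dot escape\n")
        zf.writestr("/etc/evil", "absolute path\n")
        zf.writestr("link/pwn.txt", "through a symlinked directory\n")
    with tempfile.TemporaryDirectory() as tmp:
        dest, outside = os.path.join(tmp, "dest"), os.path.join(tmp, "outside")
        os.makedirs(dest); os.makedirs(outside)
        os.symlink(outside, os.path.join(dest, "link"))  # symlink already in dest
        kept, rejected = safe_extract(buf.getvalue(), dest)
        written = os.path.exists(os.path.join(dest, "docs", "readme.txt"))
    return kept, rejected, written
```

Only the benign member reaches the destination; the other three are reported with the reason they were refused, which is the behaviour a patched extractor should log.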
--- Begin Message ---
Source: libarchive-zip-perl
Source-Version: 1.59-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libarchive-zip-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libarchive-zip-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 21 Sep 2018 17:17:23 +0200
Source: libarchive-zip-perl
Binary: libarchive-zip-perl
Architecture: source
Version: 1.59-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 902882
Description: 
 libarchive-zip-perl - Perl module for manipulation of ZIP archives
Changes:
 libarchive-zip-perl (1.59-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent from traversing symlinks and parent directories when extracting
     (CVE-2018-10860) (Closes: #902882)
   * Extract test files needed for t/25_traversal.t test.
     Add zip files to debian/t/data directory and add them to
     debian/source/include-binaries to include those in the debian tarball.
     Add an override for dh_auto_test to copy debian/t/data/*.zip testfiles
     to test directory prior to running the testsuite.
     Clean test files needed for t/25_traversal.t in dh_clean


--- End Message ---
