Your message dated Tue, 08 Jul 2025 07:50:57 +0000
with message-id <[email protected]>
and subject line Bug#1107939: fixed in erlang 1:27.3.4.1+dfsg-1
has caused the Debian Bug report #1107939,
regarding erlang: CVE-2025-4748
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1107939: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107939
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: erlang
Version: 1:27.3.4+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/erlang/otp/pull/9941
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for erlang.
CVE-2025-4748[0]:
| Improper Limitation of a Pathname to a Restricted Directory ('Path
| Traversal') vulnerability in Erlang OTP (stdlib modules) allows
| Absolute Path Traversal, File Manipulation. This vulnerability is
| associated with program files lib/stdlib/src/zip.erl and program
| routines zip:unzip/1, zip:unzip/2, zip:extract/1,
| zip:extract/2 unless the memory option is passed. This issue
| affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and
| OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1
| and 5.2.3.4.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-4748
https://www.cve.org/CVERecord?id=CVE-2025-4748
[1] https://github.com/erlang/otp/pull/9941
[2] https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc
[3] https://github.com/erlang/otp/commit/10608879c81332af2d3c00db61ee173c93c1ea4e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
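An added example, written for this page and not taken from the bug report, the Debian package or OTP itself, that shows the failure mode described above and one mitigation built only on the documented zip options. It hand-builds a STORED archive whose entry names include an absolute path and a ".." component (the names and contents are constructed for the demo), then extracts it with {cwd, Dir} plus a {file_filter, Fun} that only admits entries which still resolve under the destination directory. The module name safe_unzip, the helper names and the destination /tmp/safe_unzip_demo are the example's own choices. Rejecting ".." is stricter than the CVE text, which is about absolute names; on the fixed 1:27.3.4.1 package the filter is belt and braces, and passing the memory option (as the advisory notes) avoids the filesystem altogether.

```erlang
%% Added example for CVE-2025-4748; not code from OTP or the Debian package.
-module(safe_unzip).
-export([main/0, safe_unzip/2, safe_under/2, build_stored_zip/1]).

-include_lib("stdlib/include/zip.hrl").   % #zip_file{} record

%% DOS date/time (2025-07-08 10:27:28) so the extracted files get a valid
%% mtime; any sane value would do.
-define(DOS_DATE, 23272).
-define(DOS_TIME, 21358).

%% Minimal STORED (method 0) zip writer. Names are written verbatim, which
%% is how a hostile archive carries "/etc/..." or "../..." entries.
build_stored_zip(Entries) ->
    {Locals, Centrals, _} =
        lists:foldl(
          fun({Name, Data}, {L, C, Off}) ->
                  NameB = list_to_binary(Name),           % ASCII names only
                  Crc = erlang:crc32(Data),
                  Size = byte_size(Data),
                  NLen = byte_size(NameB),
                  %% local file header + data
                  Local = <<16#04034b50:32/little, 20:16/little, 0:16, 0:16,
                            ?DOS_TIME:16/little, ?DOS_DATE:16/little,
                            Crc:32/little, Size:32/little, Size:32/little,
                            NLen:16/little, 0:16, NameB/binary, Data/binary>>,
                  %% central directory header pointing at that local header
                  Central = <<16#02014b50:32/little, 20:16/little, 20:16/little,
                              0:16, 0:16, ?DOS_TIME:16/little, ?DOS_DATE:16/little,
                              Crc:32/little, Size:32/little, Size:32/little,
                              NLen:16/little, 0:16, 0:16, 0:16, 0:16, 0:32,
                              Off:32/little, NameB/binary>>,
                  {[Local | L], [Central | C], Off + byte_size(Local)}
          end, {[], [], 0}, Entries),
    LocalBin = iolist_to_binary(lists:reverse(Locals)),
    CentralBin = iolist_to_binary(lists:reverse(Centrals)),
    N = length(Entries),
    %% end of central directory record
    Eocd = <<16#06054b50:32/little, 0:16, 0:16, N:16/little, N:16/little,
             (byte_size(CentralBin)):32/little, (byte_size(LocalBin)):32/little,
             0:16>>,
    <<LocalBin/binary, CentralBin/binary, Eocd/binary>>.

%% True only if Name, resolved the way zip:unzip resolves it against the
%% {cwd, DestDir} option, stays inside DestDir. filename:join/2 discards
%% DestDir when Name is absolute, which is exactly the CVE mechanism, so
%% the prefix test below catches absolute names; ".." is rejected outright.
%% Works whether the filter is handed the bare entry name or one already
%% joined with DestDir.
safe_under(DestDir, Name0) ->
    Name = unicode:characters_to_list(Name0),
    Base = filename:split(filename:absname(DestDir)),
    Target = filename:split(filename:absname(filename:join(DestDir, Name))),
    not lists:member("..", Target) andalso lists:prefix(Base, Target).

%% Extract only entries that pass safe_under/2; report the ones skipped.
safe_unzip(Archive, DestDir) ->
    Filter = fun(#zip_file{name = Name}) -> safe_under(DestDir, Name) end,
    {ok, Extracted} = zip:unzip(Archive, [{cwd, DestDir}, {file_filter, Filter}]),
    {ok, Listing} = zip:list_dir(Archive),
    Skipped = [Nm || #zip_file{name = Nm} <- Listing, not safe_under(DestDir, Nm)],
    {ok, Extracted, Skipped}.

main() ->
    %% Constructed hostile archive: one benign entry, one absolute-path
    %% entry and one traversal entry.
    Archive = build_stored_zip([{"ok/readme.txt", <<"hello\n">>},
                                {"/tmp/owned.txt", <<"pwned\n">>},
                                {"../escape.txt", <<"pwned\n">>}]),
    DestDir = "/tmp/safe_unzip_demo",          % demo-only destination
    ok = filelib:ensure_dir(filename:join(DestDir, "placeholder")),
    {ok, Extracted, Skipped} = safe_unzip(Archive, DestDir),
    io:format("extracted: ~p~nskipped:   ~p~n", [Extracted, Skipped]),
    ok.
```

Compile and run with `erlc safe_unzip.erl && erl -noshell -s safe_unzip main -s init stop`; only the entry under ok/ should reach the destination, and the two hostile names should appear in the skipped list. The check is deliberately made inside the file_filter fun, which zip:unzip evaluates per entry during extraction, rather than only as a pre-pass over zip:list_dir, so a name is judged at the point where the write decision is taken.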
--- Begin Message ---
Source: erlang
Source-Version: 1:27.3.4.1+dfsg-1
Done: Sergei Golovan <[email protected]>
We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergei Golovan <[email protected]> (supplier of updated erlang package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 08 Jul 2025 10:27:28 +0300
Source: erlang
Architecture: source
Version: 1:27.3.4.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <[email protected]>
Changed-By: Sergei Golovan <[email protected]>
Closes: 1107939
Changes:
erlang (1:27.3.4.1+dfsg-1) unstable; urgency=medium
.
* New upstream bugfix release.
* Fix CVE-2025-4748 in erlang-stdlib application, where unzipping a ZIP
archive could overwrite files using absolute paths because of insufficient
path sanitizing (closes: #1107939).
Checksums-Sha1:
f06d43bb72fadbee37da3fbb0d39bc79f087c763 4910 erlang_27.3.4.1+dfsg-1.dsc
c5e31111a88a6175bcdbb333ef2fdf172500a6ce 47613664 erlang_27.3.4.1+dfsg.orig.tar.xz
7b5b2e6e9a38cc898734f38117e4ca6c4d4d5b1a 57580 erlang_27.3.4.1+dfsg-1.debian.tar.xz
17fcedfe22a238ba654f7e1fba6f1bb5f3fff687 30791 erlang_27.3.4.1+dfsg-1_amd64.buildinfo
Checksums-Sha256:
aa5ba0733c9842ff69147b4ed3706b8d6c92932a7bf3d3f040421ccb4114951a 4910 erlang_27.3.4.1+dfsg-1.dsc
0834643ef1e17886d5e334a39527d8429bcf50613b86d59d4757466f32984b7e 47613664 erlang_27.3.4.1+dfsg.orig.tar.xz
323037a5891893b70df4eabd1ac9f3e2d76f1465b54be40851d9374665eadee0 57580 erlang_27.3.4.1+dfsg-1.debian.tar.xz
1463585bdd14ee3b82a7c25ddd85010de53da068d663f94ff439705fdedcb2b0 30791 erlang_27.3.4.1+dfsg-1_amd64.buildinfo
Files:
75110b5f912e8613ea54b1169488e7f2 4910 interpreters optional erlang_27.3.4.1+dfsg-1.dsc
8e316a9e63f5c4167ba34596b146ab35 47613664 interpreters optional erlang_27.3.4.1+dfsg.orig.tar.xz
e739685166d0c3e59e4d2041c57935b2 57580 interpreters optional erlang_27.3.4.1+dfsg-1.debian.tar.xz
681a8e85bbd39b7011c5dd34577faeef 30791 interpreters optional erlang_27.3.4.1+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=EhpQ
-----END PGP SIGNATURE-----
pgpif3HglYAQh.pgp
Description: PGP signature
--- End Message ---