From 8d0effd55160b7c9390bd375d56a693e770b5da6 Mon Sep 17 00:00:00 2001
From: hanguanqiang
Date: Thu, 19 Jun 2025 19:33:45 +0800
Subject: [PATCH] Fix CVE-2023-37460
(cherry picked from commit 3a6ee088fb617f5954146af717896f2b1bee5ed9)
---
 0001-CVE-2023-37460.patch | 139 ++++++++++++++++++++++++++++++++++++++
 non_existing_symlink.zip | Bin 0 -> 320 bytes
 plexus-archiver.spec | 9 ++-
 3 files changed, 146 insertions(+), 2 deletions(-)
 create mode 100644 0001-CVE-2023-37460.patch
 create mode 100644 non_existing_symlink.zip
diff --git a/0001-CVE-2023-37460.patch b/0001-CVE-2023-37460.patch
new file mode 100644
index 0000000..5f07988
--- /dev/null
+++ b/0001-CVE-2023-37460.patch
@@ -0,0 +1,139 @@
+From 901be51055d0c083231bcff6dac647d4f211f6ac Mon Sep 17 00:00:00 2001
+From: hanguanqiang
+Date: Wed, 11 Jun 2025 21:48:24 +0800
+Subject: [PATCH] CVE-2023-37460
+
+---
+ .../plexus/archiver/AbstractUnArchiver.java | 17 +++++++++++------
+ .../codehaus/plexus/archiver/SymlinkTest.java | 4 ++++
+ .../plexus/archiver/zip/ZipArchiverTest.java | 15 +++++++++++++--
+ src/test/resources/symlinks/regen.sh | 14 ++++++++++++++
+ 4 files changed, 42 insertions(+), 8 deletions(-)
+
+diff --git a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
+index f3f389e..50a4838 100644
+--- a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
++++ b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
+@@ -36,6 +36,9 @@
+ import org.codehaus.plexus.util.IOUtil;
+ import org.codehaus.plexus.util.StringUtils;
+ 
++import java.nio.file.Files;
++import java.nio.file.Path;
++import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
+ // TODO there should really be constructors which take the source file.
+ 
+ /**
+@@ -332,14 +335,19 @@ protected void extractFile( final File srcF, final File dir, final InputStream c
+ final File targetFileName = FileUtils.resolveFile( dir, entryName );
+ 
+ // Make sure that the resolved path of the extracted file doesn't escape the destination directory
+- String canonicalDirPath = dir.getCanonicalPath();
+- String canonicalDestPath = targetFileName.getCanonicalPath();
++ Path canonicalDirPath = dir.getCanonicalFile().toPath();
++ Path canonicalDestPath = targetFileName.getCanonicalFile().toPath();
+ 
+ if ( !canonicalDestPath.startsWith( canonicalDirPath ) )
+ {
+ throw new ArchiverException( "Entry is outside of the target directory (" + entryName + ")" );
+ }
+ 
++ if (StringUtils.isEmpty(symlinkDestination) && Files.isSymbolicLink(canonicalDestPath)) {
++ throw new ArchiverException("Entry is outside of the target directory (" + entryName + ")");
++ }
++
++
+ try
+ {
+ if ( !shouldExtractEntry( dir, targetFileName, entryName, entryDate ) )
+@@ -364,10 +372,7 @@ else if ( isDirectory )
+ }
+ else
+ {
+- try ( OutputStream out = Files.newOutputStream( targetFileName.toPath() ) )
+- {
+- IOUtil.copy( compressedInputStream, out );
+- }
++ Files.copy(compressedInputStream,targetFileName.toPath(),REPLACE_EXISTING);
+ }
+ 
+ targetFileName.setLastModified( entryDate.getTime() );
+diff --git a/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java b/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java
+index 0afb78a..a14ff20 100644
+--- a/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java
++++ b/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java
+@@ -68,6 +68,8 @@ public void testSymlinkTar()
+ unarchiver.setSourceFile( archiveFile );
+ unarchiver.setDestFile( output );
+ unarchiver.extract();
++ // second unpacking should also work
++ unarchiver.extract();
+ }
+ 
+ public void testSymlinkZip()
+@@ -88,6 +90,8 @@ public void testSymlinkZip()
+ unarchiver.setSourceFile( archiveFile );
+ unarchiver.setDestFile(
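Review bot: The new `Files.isSymbolicLink(canonicalDestPath)` guard tests a path that `getCanonicalFile()` has already passed through, so on JDKs where canonicalization resolves links (Unix-like platforms, as far as I can tell) it can only fire for a dangling link — a link whose target exists has been rewritten to that target before the test runs, and the dangling case only works because the JDK appears to leave an unresolvable last component in place (worth confirming on Windows, where canonicalization does not resolve links). That is not a hole, because an out-of-tree target then fails the `startsWith` check and an in-tree target is handled by the switch to `Files.copy(..., REPLACE_EXISTING)`, which per its contract replaces a symlink at the destination rather than writing through it (the removed `Files.newOutputStream` followed the link), but none of this is stated and the three pieces only protect together. I would add above the `isSymbolicLink` line: `// canonicalDestPath is already resolved, so this only catches dangling links; a link with an existing target is rejected by the startsWith check (out-of-tree) or replaced instead of followed by Files.copy(REPLACE_EXISTING) (in-tree)`. The message thrown for this case, `Entry is outside of the target directory`, is also inaccurate (the entry is inside; it would clobber a link), so a distinct text such as `Entry would replace a symbolic link (` + entryName + `)` reads better, though `testNonExistingSymlink` currently asserts the existing wording. The enclosing `extractFile` starts and ends outside the hunk.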
output );
+ unarchiver.extract();
++ // second unpacking should also work
++ unarchiver.extract();
+ }
+ 
+ public void testSymlinkDirArchiver()
+diff --git a/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java b/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java
+index cca135c..0976adc 100644
+--- a/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java
++++ b/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java
+@@ -78,7 +78,7 @@
+ import org.codehaus.plexus.util.FileUtils;
+ import org.codehaus.plexus.util.IOUtil;
+ import org.codehaus.plexus.util.Os;
+-
++import java.nio.file.Files;
+ /**
+ * @author Emmanuel Venisse
+ */
+@@ -946,5 +946,16 @@ private long toLocalTimeZone( long timestamp )
+ return 0L;
+ }
+ }
+-
++
++ public void testNonExistingSymlink() throws Exception {
++ File zipFile = new File("src/test/resources/symlinks/non_existing_symlink.zip");
++ ZipUnArchiver unArchiver = getZipUnArchiver(zipFile);
++ String tmpdir = Files.createTempDirectory("tmpe_extract").toFile().getAbsolutePath();
++ unArchiver.setDestDirectory(new File(tmpdir));
++ try {
++ unArchiver.extract();
++ } catch (Exception e){
++ assertEquals("Entry is outside of the target directory (entry1)", e.getMessage());
++ }
++ }
+ }
+diff --git a/src/test/resources/symlinks/regen.sh b/src/test/resources/symlinks/regen.sh
+index f3c3a9d..9190c92 100755
+--- a/src/test/resources/symlinks/regen.sh
++++ b/src/test/resources/symlinks/regen.sh
+@@ -3,4 +3,18 @@ rm symlinks.tar
+ cd src
+ zip --symlinks ../symlinks.zip file* targetDir sym*
+ tar -cvf ../symlinks.tar file* targetDir sym*
++cd ..
++rm non_existing_symlink.zip
++mkdir non_existing_symlink
++cd non_existing_symlink
++ln -s /tmp/target entry1
++echo -ne 'content' > entry2
++zip --symlinks ../non_existing_symlink.zip entry1 entry2
++cd ..
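Review bot: `testNonExistingSymlink` passes when `extract()` does not throw, because there is no `fail(...)` after the call and the `catch` only inspects the message if an exception happens, so a regression of the symlink guard would go unnoticed; change the `try` body to `unArchiver.extract(); fail("symlink-shadowing entry must be rejected");` and catch `ArchiverException` instead of `Exception` so an unrelated failure cannot satisfy the assertion. Since the fixture's link points at the absolute path `/tmp/target`, a regressed extractor would also write the entry's bytes to `/tmp/target` on the machine running the build, which is a second reason the negative case has to be asserted rather than tolerated. The directory from `Files.createTempDirectory` is never removed; `FileUtils.deleteDirectory(new File(tmpdir))` in a `finally` (the plexus `FileUtils` is already imported in this file) would stop runs accumulating under the system temp dir. `fail` is assumed to come from the JUnit 3 `TestCase` base this class appears to use; the class header is outside the hunk.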
++rm -rf non_existing_symlink
++if [ "x$(uname)" = "xLinux" ];then
++ LC_ALL=C sed -i 's/entry2/entry1/' non_existing_symlink.zip
++else
++ LC_ALL=C sed -i '' 's/entry2/entry1/' non_existing_symlink.zip
++fi
+
+--
+2.33.0
+
diff --git a/non_existing_symlink.zip b/non_existing_symlink.zip
new file mode 100644
index 0000000000000000000000000000000000000000..a281a860d465fa53040019d90c3272bff70d0bf3
GIT binary patch literal 320 zcmWIWW@h1H0D<(?r=!B|r}}XN*&xiuAj6QFS5j1I7#hOKz--jwnE}G372FJrEFcYF zLcb)pK))ohC_S|#0L7@421oy~166@AaYiNQ=am304De=Tl4Hi@CJB(uVDNt-h=RG0 m72-lP*P)w*>L`d=j6hSCG - 0:4.2.6-2 +- Fix CVE-2023-37460 + * Thu Dec 30 2021 yaoxin - 0:4.2.6-1 - Upgrade plexus-archiver to 4.2.6 -- Gitee
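Review bot: The new block builds the CVE fixture by a trick the script never explains — `zip` stores `entry1` (a link to `/tmp/target`) followed by `entry2` (a regular file), and `sed` then renames `entry2` to `entry1` inside the archive so a regular-file entry shadows the symlink entry of the same name; anyone regenerating the fixture needs that, so add before the `if`: `# rename entry2 -> entry1 in place so a regular file entry shadows the symlink entry (CVE-2023-37460 reproducer)`. The byte patching is fragile and deserves a second comment: it only works because the two names have the same length, zip name fields are not covered by the entry CRC, and the string `entry2` appears nowhere else in the archive. Separately, `testNonExistingSymlink` reads the fixture from `src/test/resources/symlinks/`, while this commit adds `non_existing_symlink.zip` at the top level of the packaging repo; the spec hunk that would copy it into place is garbled in this view, so please confirm the spec installs it there before the test phase.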