From fd3f8b95773a784fa122be66dcd3a82973f3ef00 Mon Sep 17 00:00:00 2001
From: hanguanqiang
Date: Thu, 19 Jun 2025 19:20:16 +0800
Subject: [PATCH] Fix CVE-2023-37460

(cherry picked from commit 8ab71afe3fe4d75263fcc999731296ff8ffda026)
---
 0001-CVE-2023-37460.patch | 128 ++++++++++++++++++++++++++++++++++++++
 non_existing_symlink.zip | Bin 0 -> 320 bytes
 plexus-archiver.spec | 10 ++-
 3 files changed, 136 insertions(+), 2 deletions(-)
 create mode 100644 0001-CVE-2023-37460.patch
 create mode 100644 non_existing_symlink.zip

diff --git a/0001-CVE-2023-37460.patch b/0001-CVE-2023-37460.patch
new file mode 100644
index 0000000..ab428a7
--- /dev/null
+++ b/0001-CVE-2023-37460.patch
@@ -0,0 +1,128 @@
+From a8a56a9ad3c8b6f4414ebbb80880bd395ad5568a Mon Sep 17 00:00:00 2001
+From: hanguanqiang
+Date: Thu, 19 Jun 2025 18:15:27 +0800
+Subject: [PATCH] CVE-2023-37460
+
+---
+ .../plexus/archiver/AbstractUnArchiver.java | 17 +++++++++++------
+ .../codehaus/plexus/archiver/SymlinkTest.java | 4 ++++
+ .../plexus/archiver/zip/ZipArchiverTest.java | 11 +++++++++++
+ src/test/resources/symlinks/regen.sh | 15 ++++++++++++++-
+ 4 files changed, 40 insertions(+), 7 deletions(-)
+
+diff --git a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
+index f3f389e..5d55689 100644
+--- a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
++++ b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
+@@ -36,6 +36,8 @@
+ import org.codehaus.plexus.util.IOUtil;
+ import org.codehaus.plexus.util.StringUtils;
+ 
++import java.nio.file.Path;
++import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
+ // TODO there should really be constructors which take the source file.
+ 
+ /**
+@@ -332,14 +334,20 @@ protected void extractFile( final File srcF, final File dir, final InputStream c
+ final File targetFileName = FileUtils.resolveFile( dir, entryName );
+ 
+ // Make sure that the resolved path of the extracted file doesn't escape the destination directory
+- String canonicalDirPath = dir.getCanonicalPath();
+- String canonicalDestPath = targetFileName.getCanonicalPath();
++ Path canonicalDirPath = dir.getCanonicalFile().toPath();
++ Path canonicalDestPath = targetFileName.getCanonicalFile().toPath();
+ 
+ if ( !canonicalDestPath.startsWith( canonicalDirPath ) )
+ {
+ throw new ArchiverException( "Entry is outside of the target directory (" + entryName + ")" );
+ }
+ 
++ if (StringUtils.isEmpty(symlinkDestination) && Files.isSymbolicLink(canonicalDestPath)) {
++ throw new ArchiverException("Entry is outside of the target directory (" + entryName + ")");
++ }
++
++
++
+ try
+ {
+ if ( !shouldExtractEntry( dir, targetFileName, entryName, entryDate ) )
+@@ -364,10 +372,7 @@ else if ( isDirectory )
+ }
+ else
+ {
+- try ( OutputStream out = Files.newOutputStream( targetFileName.toPath() ) )
+- {
+- IOUtil.copy( compressedInputStream, out );
+- }
++ Files.copy(compressedInputStream,targetFileName.toPath(),REPLACE_EXISTING);
+ }
+ 
+ targetFileName.setLastModified( entryDate.getTime() );
+diff --git a/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java b/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java
+index 0afb78a..a14ff20 100644
+--- a/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java
++++ b/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java
+@@ -68,6 +68,8 @@ public void testSymlinkTar()
+ unarchiver.setSourceFile( archiveFile );
+ unarchiver.setDestFile( output );
+ unarchiver.extract();
++ // second unpacking should also work
++ unarchiver.extract();
+ }
+ 
+ public void testSymlinkZip()
+@@ -88,6 +90,8 @@ public void testSymlinkZip()
+ unarchiver.setSourceFile( archiveFile );
+ unarchiver.setDestFile( output );
+ unarchiver.extract();
++ // second unpacking should also work
++ unarchiver.extract();
+ }
+ 
+ public void testSymlinkDirArchiver()
+diff --git a/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java b/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java
+index cca135c..b6168e2 100644
+--- a/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java
++++ b/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java
+@@ -947,4 +947,15 @@ private long toLocalTimeZone( long timestamp )
+ }
+ }
+ 
++ public void testNonExistingSymlink() throws Exception {
++ File zipFile = new File("src/test/resources/symlinks/non_existing_symlink.zip");
++ ZipUnArchiver unArchiver = getZipUnArchiver(zipFile);
++ String tmpdir = Files.createTempDirectory("tmpe_extract").toFile().getAbsolutePath();
++ unArchiver.setDestDirectory(new File(tmpdir));
++ try {
++ unArchiver.extract();
++ } catch (Exception e){
++ assertEquals("Entry is outside of the target directory (entry1)", e.getMessage());
++ }
++ }
+ }
+diff --git a/src/test/resources/symlinks/regen.sh b/src/test/resources/symlinks/regen.sh
+index f3c3a9d..9cff2ec 100755
+--- a/src/test/resources/symlinks/regen.sh
++++ b/src/test/resources/symlinks/regen.sh
+@@ -3,4 +3,17 @@ rm symlinks.tar
+ cd src
+ zip --symlinks ../symlinks.zip file* targetDir sym*
+ tar -cvf ../symlinks.tar file* targetDir sym*
+-
++cd ..
++rm non_existing_symlink.zip
++mkdir non_existing_symlink
++cd non_existing_symlink
++ln -s /tmp/target entry1
++echo -ne 'content' > entry2
++zip --symlinks ../non_existing_symlink.zip entry1 entry2
++cd ..
++rm -rf non_existing_symlink
++if [ "x$(uname)" = "xLinux" ];then
++ LC_ALL=C sed -i 's/entry2/entry1/' non_existing_symlink.zip
++else
++ LC_ALL=C sed -i '' 's/entry2/entry1/' non_existing_symlink.zip
++fi
+-- 
+2.43.0
+
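Review bot: The new `Files.isSymbolicLink( canonicalDestPath )` guard carries no comment, and because `getCanonicalFile()` already resolves every link whose target exists, it can only fire for a dangling link — a reader will take it for a general symlink check and wonder why links inside the archive are still extracted. I would put above it: `// Canonicalization follows every link whose target exists; a link that is still visible here is dangling, so its target path was never checked against dir.` The exception reuses `Entry is outside of the target directory` although nothing has been shown to escape; a dedicated message would help diagnosis, but the test added in ZipArchiverTest pins the current text, so both would have to change together. The three empty lines added after the closing brace should collapse to one. extractFile starts and ends outside this hunk.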
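Review bot: The switch from `Files.newOutputStream( … )` to `Files.copy( …, REPLACE_EXISTING )` is the part of this change that stops a pre-planted link from redirecting the write, yet the line says nothing about it; the JDK javadoc for REPLACE_EXISTING states that an existing symbolic link is itself replaced rather than followed, and as far as I recall the implementation then opens the target with CREATE_NEW. Add above it: `// REPLACE_EXISTING removes an existing link instead of writing through it; do not revert to newOutputStream(), which follows links.` The else-branch and the enclosing method continue outside the hunk.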
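Review bot: `testNonExistingSymlink` passes vacuously if `extract()` throws nothing, because its only assertion sits inside the catch block, so a regression of the very check it guards would go unnoticed. Add `fail( "dangling symlink entry must be rejected" );` directly after `unArchiver.extract();` and catch `ArchiverException` instead of `Exception`, so an unrelated failure is not mistaken for the expected one. The directory from `Files.createTempDirectory( "tmpe_extract" )` (presumably meant `tmp_extract`) is never deleted; the rest of this class probably uses the project's test-file helpers, so reuse those or remove it in a finally block.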
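Review bot: The `sed -i 's/entry2/entry1/'` step deliberately produces an archive with two entries both named `entry1` — the dangling link first, the regular file second — which is the shape the new Java test depends on, but nothing in the script says so and the next person to regenerate the fixtures will read it as corruption. Add above the `if`: `# rename entry2 -> entry1 so the zip holds a regular file under the same name as the dangling symlink; the unarchiver must refuse to write through that link`. `echo -ne 'content'` is not portable to the non-Linux shells the `uname` branch otherwise caters for (macOS /bin/sh may print the flags literally); `printf 'content' > entry2` behaves the same everywhere.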
diff --git a/non_existing_symlink.zip b/non_existing_symlink.zip new file mode 100644 index 0000000000000000000000000000000000000000..a281a860d465fa53040019d90c3272bff70d0bf3 GIT binary patch literal 320 zcmWIWW@h1H0D<(?r=!B|r}}XN*&xiuAj6QFS5j1I7#hOKz--jwnE}G372FJrEFcYF zLcb)pK))ohC_S|#0L7@421oy~166@AaYiNQ=am304De=Tl4Hi@CJB(uVDNt-h=RG0 m72-lP*P)w*>L`d=j6hSCG - 0:4.2.7-2 +- Fix CVE-2023-37460 + * Fri Jul 28 2023 yaoxin - 0:4.2.7-1 - Update to 4.2.7 -- Gitee