Fix CVE-2025-67030: Directory Traversal in Expand.extractFile

Resolves: RHEL-165338
2026-05-20 14:07:54 +00:00 · 2026-05-20 14:07:54 +00:00 · 1d4ef436d0
commit 1d4ef436d0
parent 26af3a41de
2 changed files with 32 additions and 1 deletions
--- a/CVE-2025-67030.patch
+++ b/CVE-2025-67030.patch
@ -0,0 +1,25 @@
+--- a/src/main/java/org/codehaus/plexus/util/Expand.java	2026-05-20 09:19:51.014184013 +0000
+++ b/src/main/java/org/codehaus/plexus/util/Expand.java	2026-05-20 09:20:05.847146005 +0000
+@@ -116,9 +116,20 @@
+     {
+         File f = FileUtils.resolveFile( dir, entryName );
+ 
+-        if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
+        try
+        {
+            String canonicalDirPath = dir.getCanonicalPath();
+            String canonicalFilePath = f.getCanonicalPath();
+
+            if ( !canonicalFilePath.startsWith( canonicalDirPath + File.separator )
+                    && !canonicalFilePath.equals( canonicalDirPath ) )
+            {
+                throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+            }
+        }
+        catch ( IOException e )
+         {
+-            throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+            throw new IOException( "Failed to verify entry path for '" + entryName + "'", e );
+         }
+ 
+         try
--- a/plexus-utils.spec
+++ b/plexus-utils.spec
@ -1,6 +1,6 @@
 Name:           plexus-utils
 Version:        3.1.0
-Release:        3%{?dist}
+Release:        3%{?dist}.1
 Summary:        Plexus Common Utilities
 # ASL 1.1: several files in src/main/java/org/codehaus/plexus/util/ 
 # xpp: src/main/java/org/codehaus/plexus/util/xml/pull directory
@ -19,6 +19,7 @@ Source1:        http://apache.org/licenses/LICENSE-2.0.txt

 # https://github.com/codehaus-plexus/plexus-utils/issues/45
 Patch1:         0001-Follow-symlinks-in-NioFiles.copy.patch
+Patch2:         CVE-2025-67030.patch

 BuildRequires:  maven-local
 BuildRequires:  mvn(org.apache.felix:maven-bundle-plugin)
@ -43,6 +44,7 @@ Javadoc for %{name}.
 %setup -q -n %{name}-%{name}-%{version}

 %patch1 -p1
+%patch -P2 -p1

 cp %{SOURCE1} .

@ -77,6 +79,10 @@ cp %{SOURCE1} .
 %doc NOTICE.txt LICENSE-2.0.txt

 %changelog
+* Tue May 20 2025 Jacek Migacz <jmigacz@redhat.com> - 3.1.0-3.el8_10.1
+- Fix CVE-2025-67030: Directory Traversal in Expand.extractFile
+  Resolves: RHEL-165338
+
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild