From 1d4ef436d0d2b83bae7894768f1b83bd5e303f63 Mon Sep 17 00:00:00 2001
From: Jacek Migacz
Date: Wed, 20 May 2026 14:07:54 +0000
Subject: [PATCH] Fix CVE-2025-67030: Directory Traversal in Expand.extractFile
Resolves: RHEL-165338
---
 CVE-2025-67030.patch | 25 +++++++++++++++++++++++++
 plexus-utils.spec | 8 +++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-67030.patch
diff --git a/CVE-2025-67030.patch b/CVE-2025-67030.patch
new file mode 100644
index 0000000..9189216
--- /dev/null
+++ b/CVE-2025-67030.patch
@@ -0,0 +1,25 @@
+--- a/src/main/java/org/codehaus/plexus/util/Expand.java 2026-05-20 09:19:51.014184013 +0000
++++ b/src/main/java/org/codehaus/plexus/util/Expand.java 2026-05-20 09:20:05.847146005 +0000
+@@ -116,9 +116,20 @@
+ {
+ File f = FileUtils.resolveFile( dir, entryName );
+
+- if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
++ try
++ {
++ String canonicalDirPath = dir.getCanonicalPath();
++ String canonicalFilePath = f.getCanonicalPath();
++
++ if ( !canonicalFilePath.startsWith( canonicalDirPath + File.separator )
++ && !canonicalFilePath.equals( canonicalDirPath ) )
++ {
++ throw new IOException( "Entry '" + entryName + "' outside the target directory." );
++ }
++ }
++ catch ( IOException e )
+ {
+- throw new IOException( "Entry '" + entryName + "' outside the target directory." );
++ throw new IOException( "Failed to verify entry path for '" + entryName + "'", e );
+ }
+
+ try
diff --git a/plexus-utils.spec b/plexus-utils.spec
index 5166761..db3082b 100644
--- a/plexus-utils.spec
+++ b/plexus-utils.spec
@@ -1,6 +1,6 @@
 Name: plexus-utils
 Version: 3.1.0
-Release: 3%{?dist}
+Release: 3%{?dist}.1
 Summary: Plexus Common Utilities
 # ASL 1.1: several files in src/main/java/org/codehaus/plexus/util/
 # xpp: src/main/java/org/codehaus/plexus/util/xml/pull directory
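Review bot: The `throw new IOException( "Entry '" + entryName + "' outside the target directory." )` raised inside the new `try` block is itself an `IOException`, so the `catch ( IOException e )` directly below it rewraps it and every rejected entry surfaces as `Failed to verify entry path for '…'` with the real reason pushed down into the cause. The rejection still happens, so the traversal is blocked, but the outside-directory message is now unreachable as a top-level error and callers and logs see a misleading "verification failed" instead of a "path rejected". Canonicalization and comparison should be separated so that only the `getCanonicalPath()` failures are wrapped and the traversal rejection keeps its own message, as sketched below. Separately, when `dir` canonicalizes to a filesystem root the prefix `canonicalDirPath + File.separator` gains a doubled separator and every entry is rejected; the sketch guards that with `endsWith( File.separator )`. The enclosing extractFile method starts and ends outside the hunk.
```java
File f = FileUtils.resolveFile( dir, entryName );

String canonicalDirPath;
String canonicalFilePath;
try
{
    canonicalDirPath = dir.getCanonicalPath();
    canonicalFilePath = f.getCanonicalPath();
}
catch ( IOException e )
{
    // Only canonicalization failures are wrapped; the rejection below is not.
    throw new IOException( "Failed to verify entry path for '" + entryName + "'", e );
}

// A root directory already ends with the separator; do not double it.
String dirPrefix = canonicalDirPath.endsWith( File.separator )
    ? canonicalDirPath : canonicalDirPath + File.separator;

if ( !canonicalFilePath.startsWith( dirPrefix ) && !canonicalFilePath.equals( canonicalDirPath ) )
{
    throw new IOException( "Entry '" + entryName + "' outside the target directory." );
}
// … unchanged: extraction of the entry …
```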
@@ -19,6 +19,7 @@ Source1: http://apache.org/licenses/LICENSE-2.0.txt # https://github.com/codehaus-plexus/plexus-utils/issues/45 Patch1: 0001-Follow-symlinks-in-NioFiles.copy.patch +Patch2: CVE-2025-67030.patch BuildRequires: maven-local BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) @@ -43,6 +44,7 @@ Javadoc for %{name}. %setup -q -n %{name}-%{name}-%{version} %patch1 -p1 +%patch -P2 -p1 cp %{SOURCE1} . @@ -77,6 +79,10 @@ cp %{SOURCE1} . %doc NOTICE.txt LICENSE-2.0.txt %changelog +* Tue May 20 2025 Jacek Migacz - 3.1.0-3.el8_10.1 +- Fix CVE-2025-67030: Directory Traversal in Expand.extractFile + Resolves: RHEL-165338 + * Fri Jul 13 2018 Fedora Release Engineering - 3.1.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild