Fix CVE-2025-67030: Directory Traversal in Expand.extractFile

Resolves: RHEL-165352
This commit is contained in:
Jacek Migacz 2026-05-20 13:19:13 +00:00
parent ae9f2c1a95
commit a229edaa67
2 changed files with 32 additions and 1 deletions

25
CVE-2025-67030.patch Normal file
View File

@ -0,0 +1,25 @@
--- a/src/main/java/org/codehaus/plexus/util/Expand.java 2026-05-20 09:19:51.014184013 +0000
+++ b/src/main/java/org/codehaus/plexus/util/Expand.java 2026-05-20 09:20:05.847146005 +0000
@@ -116,9 +116,20 @@
{
File f = FileUtils.resolveFile( dir, entryName );
- if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
+ try
+ {
+ String canonicalDirPath = dir.getCanonicalPath();
+ String canonicalFilePath = f.getCanonicalPath();
+
+ if ( !canonicalFilePath.startsWith( canonicalDirPath + File.separator )
+ && !canonicalFilePath.equals( canonicalDirPath ) )
+ {
+ throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+ }
+ }
+ catch ( IOException e )
{
- throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+ throw new IOException( "Failed to verify entry path for '" + entryName + "'", e );
}
try

View File

@ -2,7 +2,7 @@
Name: plexus-utils
Version: 3.3.0
Release: 13%{?dist}
Release: 14%{?dist}
Summary: Plexus Common Utilities
# ASL 1.1: several files in src/main/java/org/codehaus/plexus/util/
# xpp: src/main/java/org/codehaus/plexus/util/xml/pull directory
@ -20,6 +20,8 @@ ExclusiveArch: aarch64 ppc64le s390x x86_64 noarch
Source0: https://github.com/codehaus-plexus/%{name}/archive/%{name}-%{version}.tar.gz
Source1: http://apache.org/licenses/LICENSE-2.0.txt
Patch0: CVE-2025-67030.patch
BuildRequires: maven-local-openjdk8
%if %{with bootstrap}
BuildRequires: javapackages-bootstrap
@ -41,6 +43,7 @@ is like a J2EE application server, without all the baggage.
%prep
%setup -q -n %{name}-%{name}-%{version}
%patch -P0 -p1
cp %{SOURCE1} .
@ -72,6 +75,9 @@ cp %{SOURCE1} .
%license NOTICE.txt LICENSE-2.0.txt
%changelog
* Tue May 20 2025 Jacek Migacz <jmigacz@redhat.com> - 3.3.0-14
- Fix CVE-2025-67030: Directory Traversal in Expand.extractFile
* Sat Nov 23 2024 Marián Konček <mkoncek@redhat.com> - 3.3.0-13
- Add noarch to ExclusiveArch