diff --git a/CVE-2025-67030.patch b/CVE-2025-67030.patch new file mode 100644 index 0000000..9189216 --- /dev/null +++ b/CVE-2025-67030.patch @@ -0,0 +1,25 @@ +--- a/src/main/java/org/codehaus/plexus/util/Expand.java 2026-05-20 09:19:51.014184013 +0000 ++++ b/src/main/java/org/codehaus/plexus/util/Expand.java 2026-05-20 09:20:05.847146005 +0000 +@@ -116,9 +116,20 @@ + { + File f = FileUtils.resolveFile( dir, entryName ); + +- if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) ) ++ try ++ { ++ String canonicalDirPath = dir.getCanonicalPath(); ++ String canonicalFilePath = f.getCanonicalPath(); ++ ++ if ( !canonicalFilePath.startsWith( canonicalDirPath + File.separator ) ++ && !canonicalFilePath.equals( canonicalDirPath ) ) ++ { ++ throw new IOException( "Entry '" + entryName + "' outside the target directory." ); ++ } ++ } ++ catch ( IOException e ) + { +- throw new IOException( "Entry '" + entryName + "' outside the target directory." ); ++ throw new IOException( "Failed to verify entry path for '" + entryName + "'", e ); + } + + try diff --git a/plexus-utils.spec b/plexus-utils.spec index 020b14b..14176b2 100644 --- a/plexus-utils.spec +++ b/plexus-utils.spec @@ -2,7 +2,7 @@ Name: plexus-utils Version: 3.3.0 -Release: 13%{?dist} +Release: 14%{?dist} Summary: Plexus Common Utilities # ASL 1.1: several files in src/main/java/org/codehaus/plexus/util/ # xpp: src/main/java/org/codehaus/plexus/util/xml/pull directory @@ -20,6 +20,8 @@ ExclusiveArch: aarch64 ppc64le s390x x86_64 noarch Source0: https://github.com/codehaus-plexus/%{name}/archive/%{name}-%{version}.tar.gz Source1: http://apache.org/licenses/LICENSE-2.0.txt +Patch0: CVE-2025-67030.patch + BuildRequires: maven-local-openjdk8 %if %{with bootstrap} BuildRequires: javapackages-bootstrap @@ -41,6 +43,7 @@ is like a J2EE application server, without all the baggage. %prep %setup -q -n %{name}-%{name}-%{version} +%patch -P0 -p1 cp %{SOURCE1} . @@ -72,6 +75,9 @@ cp %{SOURCE1} . %license NOTICE.txt LICENSE-2.0.txt %changelog +* Tue May 20 2025 Jacek Migacz - 3.3.0-14 +- Fix CVE-2025-67030: Directory Traversal in Expand.extractFile + * Sat Nov 23 2024 Marián Konček - 3.3.0-13 - Add noarch to ExclusiveArch