Fix CVE-2025-67030: Directory Traversal in extractFile method

Resolves: RHEL-165337
This commit is contained in:
Jacek Migacz 2026-05-20 09:21:05 +00:00
parent 52aec984e7
commit ccc57c509e
2 changed files with 32 additions and 1 deletions

25
CVE-2025-67030.patch Normal file
View File

@ -0,0 +1,25 @@
--- a/src/main/java/org/codehaus/plexus/util/Expand.java
+++ b/src/main/java/org/codehaus/plexus/util/Expand.java
@@ -116,9 +116,20 @@
{
File f = FileUtils.resolveFile( dir, entryName );
- if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
+ try
+ {
+ String canonicalDirPath = dir.getCanonicalPath();
+ String canonicalFilePath = f.getCanonicalPath();
+
+ if ( !canonicalFilePath.startsWith( canonicalDirPath + File.separator )
+ && !canonicalFilePath.equals( canonicalDirPath ) )
+ {
+ throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+ }
+ }
+ catch ( IOException e )
{
- throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+ throw new IOException( "Failed to verify entry path for '" + entryName + "'", e );
}
try

View File

@ -2,7 +2,7 @@
Name: plexus-utils
Version: 3.5.1
Release: 8%{?dist}
Release: 10%{?dist}
Summary: Plexus Common Utilities
# ASL 1.1: several files in src/main/java/org/codehaus/plexus/util/
# xpp: src/main/java/org/codehaus/plexus/util/xml/pull directory
@ -19,6 +19,8 @@ ExclusiveArch: %{java_arches} noarch
Source0: https://github.com/codehaus-plexus/%{name}/archive/%{name}-%{version}.tar.gz
Patch0: CVE-2025-67030.patch
%if %{with bootstrap}
BuildRequires: javapackages-bootstrap
%else
@ -38,6 +40,7 @@ is like a J2EE application server, without all the baggage.
%prep
%setup -q -n %{name}-%{name}-%{version}
%patch -P0 -p1
%mvn_file : plexus/utils
%mvn_alias : plexus:plexus-utils
@ -52,6 +55,9 @@ is like a J2EE application server, without all the baggage.
%license NOTICE.txt LICENSE.txt
%changelog
* Tue May 20 2025 Jacek Migacz <jmigacz@redhat.com> - 3.5.1-10
- Fix CVE-2025-67030: Directory Traversal in extractFile method
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.5.1-8
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018