Fix CVE-2025-67030: Directory Traversal in extractFile method
Resolves: RHEL-165337
This commit is contained in:
parent
52aec984e7
commit
ccc57c509e
25
CVE-2025-67030.patch
Normal file
25
CVE-2025-67030.patch
Normal file
@ -0,0 +1,25 @@
|
||||
--- a/src/main/java/org/codehaus/plexus/util/Expand.java
|
||||
+++ b/src/main/java/org/codehaus/plexus/util/Expand.java
|
||||
@@ -116,9 +116,20 @@
|
||||
{
|
||||
File f = FileUtils.resolveFile( dir, entryName );
|
||||
|
||||
- if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
|
||||
+ try
|
||||
+ {
|
||||
+ String canonicalDirPath = dir.getCanonicalPath();
|
||||
+ String canonicalFilePath = f.getCanonicalPath();
|
||||
+
|
||||
+ if ( !canonicalFilePath.startsWith( canonicalDirPath + File.separator )
|
||||
+ && !canonicalFilePath.equals( canonicalDirPath ) )
|
||||
+ {
|
||||
+ throw new IOException( "Entry '" + entryName + "' outside the target directory." );
|
||||
+ }
|
||||
+ }
|
||||
+ catch ( IOException e )
|
||||
{
|
||||
- throw new IOException( "Entry '" + entryName + "' outside the target directory." );
|
||||
+ throw new IOException( "Failed to verify entry path for '" + entryName + "'", e );
|
||||
}
|
||||
|
||||
try
|
||||
@ -2,7 +2,7 @@
|
||||
|
||||
Name: plexus-utils
|
||||
Version: 3.5.1
|
||||
Release: 8%{?dist}
|
||||
Release: 10%{?dist}
|
||||
Summary: Plexus Common Utilities
|
||||
# ASL 1.1: several files in src/main/java/org/codehaus/plexus/util/
|
||||
# xpp: src/main/java/org/codehaus/plexus/util/xml/pull directory
|
||||
@ -19,6 +19,8 @@ ExclusiveArch: %{java_arches} noarch
|
||||
|
||||
Source0: https://github.com/codehaus-plexus/%{name}/archive/%{name}-%{version}.tar.gz
|
||||
|
||||
Patch0: CVE-2025-67030.patch
|
||||
|
||||
%if %{with bootstrap}
|
||||
BuildRequires: javapackages-bootstrap
|
||||
%else
|
||||
@ -38,6 +40,7 @@ is like a J2EE application server, without all the baggage.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{name}-%{version}
|
||||
%patch -P0 -p1
|
||||
|
||||
%mvn_file : plexus/utils
|
||||
%mvn_alias : plexus:plexus-utils
|
||||
@ -52,6 +55,9 @@ is like a J2EE application server, without all the baggage.
|
||||
%license NOTICE.txt LICENSE.txt
|
||||
|
||||
%changelog
|
||||
* Tue May 20 2025 Jacek Migacz <jmigacz@redhat.com> - 3.5.1-10
|
||||
- Fix CVE-2025-67030: Directory Traversal in extractFile method
|
||||
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.5.1-8
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
|
||||
Loading…
Reference in New Issue
Block a user