CVE-2018-10860

Name: CVE-2018-10860
Description: perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1440-1, DSA-4300-1
Debian Bugs: 902882

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package             | Release                          | Version | Status
---------------------------|----------------------------------|---------|-------
libarchive-zip-perl (PTS)  | buster                           | 1.64-1  | fixed
libarchive-zip-perl (PTS)  | sid, trixie, bookworm, bullseye  | 1.68-1  | fixed

The information below is based on the following data on fixed versions.

Package              | Type   | Release    | Fixed Version  | Urgency | Origin     | Debian Bugs
---------------------|--------|------------|----------------|---------|------------|------------
libarchive-zip-perl  | source | jessie     | 1.39-1+deb8u1  |         | DLA-1440-1 |
libarchive-zip-perl  | source | stretch    | 1.59-1+deb9u1  |         | DSA-4300-1 |
libarchive-zip-perl  | source | (unstable) | 1.62-1         |         |            | 902882

Notes

https://github.com/redhotpenguin/perl-Archive-Zip/pull/33
https://github.com/redhotpenguin/perl-Archive-Zip/commit/95e1df86327
