CVE-2018-10860

Name: CVE-2018-10860
Description: perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. The Archive::Zip module did not properly sanitize member paths while extracting zip files. An attacker able to supply a specially crafted archive for extraction could use this flaw to write or overwrite arbitrary files with the privileges of the process running the Perl interpreter.
Source: CVE (at NVD)
References: DLA-1440-1, DSA-4300-1
NVD severity: medium (attack range: remote)
Debian Bugs: 902882

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package              Release                       Version         Status
libarchive-zip-perl (PTS)   jessie                        1.39-1          vulnerable
                            jessie (security)             1.39-1+deb8u1   fixed
                            stretch (security), stretch   1.59-1+deb9u1   fixed
                            buster, sid                   1.64-1          fixed

The information below is based on the following data on fixed versions.

Package               Type    Release      Fixed Version   Urgency   Origin       Debian Bugs
libarchive-zip-perl   source  (unstable)   1.62-1          medium                 902882
libarchive-zip-perl   source  jessie       1.39-1+deb8u1   medium    DLA-1440-1
libarchive-zip-perl   source  stretch      1.59-1+deb9u1   medium    DSA-4300-1

Notes

https://github.com/redhotpenguin/perl-Archive-Zip/pull/33
https://github.com/redhotpenguin/perl-Archive-Zip/commit/95e1df86327
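The bug class behind this CVE, shown as an added example. This is Python, not Archive::Zip's Perl code, and it does not reproduce the upstream fix linked above; it contrasts an extractor that trusts member names (the behaviour the description refers to) with one that confines every member to the destination directory. The archive, its member names and the temporary directory layout are all constructed for the demo; the absolute-path member is aimed at a file inside the demo's own scratch tree so that running it never touches anything else.

```python
"""Zip path traversal: naive extraction vs. confined extraction.

Added illustration (not Archive::Zip's own code). All archive contents and
paths below are constructed by the demo itself.
"""
import io
import os
import shutil
import tempfile
import zipfile


def build_crafted_zip(abs_target):
    """Return bytes of a constructed zip: one benign member, two hostile ones.

    abs_target is an absolute path the caller chooses so the demo stays inside
    its scratch tree; a real attacker would aim it at whatever the extracting
    process can write.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "benign content\n")
        zf.writestr("../../evil.txt", "climbed out of the extraction directory\n")
        zf.writestr(abs_target, "absolute member name\n")
    return buf.getvalue()


def extract_naively(zip_bytes, dest):
    """Join member names onto dest with no sanitisation (the vulnerable class).

    '..' components climb out of dest, and an absolute member name makes
    os.path.join discard dest entirely.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_safe_member(name, dest):
    """True only if name resolves to a location inside dest.

    Absolute names (POSIX or drive-letter style) are rejected outright; the
    joined path is then resolved with realpath, which collapses '..' and
    follows symlinks already present under dest, and must sit below dest.
    """
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def extract_safely(zip_bytes, dest):
    """Extract members that pass is_safe_member; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if info.is_dir():
                continue
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def demo():
    """Run both extractors in a scratch tree and report which files escaped."""
    root = tempfile.mkdtemp(prefix="zip-traversal-demo-")
    try:
        base = os.path.join(root, "a", "b")  # extraction dirs sit two levels below root
        dest_safe = os.path.join(base, "safe")
        dest_naive = os.path.join(base, "naive")
        os.makedirs(dest_safe)
        os.makedirs(dest_naive)
        abs_target = os.path.join(root, "abs.txt")
        data = build_crafted_zip(abs_target)
        # Where the hostile members land if trusted: '../../evil.txt' from
        # base/<dest> resolves to root/a/evil.txt; the absolute member to abs_target.
        outside = [os.path.join(root, "a", "evil.txt"), abs_target]

        extracted, rejected = extract_safely(data, dest_safe)
        escaped_after_safe = [p for p in outside if os.path.exists(p)]
        extract_naively(data, dest_naive)
        escaped_after_naive = [p for p in outside if os.path.exists(p)]
        return {
            "abs_target": abs_target,
            "safe_extracted": extracted,
            "safe_rejected": rejected,
            "escaped_after_safe": escaped_after_safe,
            "escaped_after_naive": escaped_after_naive,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Note that the check is done on the resolved path rather than by string-matching for "..": a name such as `docs/../README` is legitimate and stays inside the destination, while `docs/../../README` does not, and resolving through `realpath` also catches a symlink the archive planted earlier in the same extraction. Python's own `ZipFile.extract` strips leading separators and `..` components for you; the manual loop here exists only to make the unsafe and safe variants visible side by side.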
