CVE-2018-10860

Name: CVE-2018-10860
Description: perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 902882

Vulnerable and fixed packages

The table below lists information on source packages.

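| Source Package | Release | Version | Status |
|---|---|---|---|
| libarchive-zip-perl (PTS) | jessie | 1.39-1 | vulnerable |
| libarchive-zip-perl (PTS) | stretch | 1.59-1 | vulnerable |
| libarchive-zip-perl (PTS) | buster, sid | 1.60-1 | vulnerable |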

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libarchive-zip-perl | source | (unstable) | (unfixed) | | | 902882 |

Notes

https://github.com/redhotpenguin/perl-Archive-Zip/pull/33
https://github.com/redhotpenguin/perl-Archive-Zip/commit/95e1df86327
