FEDORA-2018-7a9a2f6ec0 — security update for plexus-archiver

stable

plexus-archiver-3.5-6.fc28

FEDORA-2018-7a9a2f6ec0 created by mizdebsk 6 years ago for Fedora 28

Security fix: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-1002200)

A path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names. A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations.

Red Hat would like to thank Danny Grander (Snyk) for reporting this issue. External References: https://snyk.io/research/zip-slip-vulnerability

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2018-7a9a2f6ec0

This update has been submitted for testing by mizdebsk.

6 years ago

This update has been pushed to testing.

6 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

6 years ago

This update has been submitted for stable by mizdebsk.

6 years ago

This update has been pushed to stable.

6 years ago

Please login to add feedback.

Metadata

Type

security

Severity

medium

Karma

Signed

Content Type

RPM

Test Gating

ignored

Autopush Settings

Unstable by Karma

-2

Stable by Karma

Stable by Time

disabled

Dates

submitted

6 years ago

in testing

6 years ago

in stable

6 years ago

Builds

plexus-archiver-3.5-6.fc28

BZ#1584392 CVE-2018-1002200 plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

BZ#1587817 CVE-2018-1002200 plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file [fedora-28]

plexus-archiver-3.5-6.fc28

Automated Test Results

ignored