CVE-2018-10860

Name: CVE-2018-10860
Description: perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1440-1, DSA-4300-1
Debian Bugs: 902882
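The flaw described above is the classic archive path-traversal pattern: entry names inside the zip are trusted as-is, so a name such as an absolute path or one containing a parent-directory component lands outside the intended extraction directory. The script below is an added example, not code from this tracker page or from the Archive::Zip distribution; it shows the check an application can apply to every entry name before calling Archive::Zip's extraction methods. The function names entry_is_safe and safe_extract are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not from the Debian tracker or the Archive::Zip project):
# extract a zip only after validating each entry's path.
use strict;
use warnings;
use Archive::Zip qw( :ERROR_CODES );
use File::Spec;
use File::Basename qw(dirname);
use File::Path qw(make_path);
use Cwd qw(abs_path);

# Returns 1 if the entry name can safely be joined under the extraction
# root, 0 if it could escape it (absolute path, drive letter, or '..').
sub entry_is_safe {
    my ($name) = @_;
    # ZIP names use '/', but some archivers write '\'; normalise first.
    (my $n = $name) =~ s{\\}{/}g;
    return 0 if $n eq '';
    return 0 if $n =~ m{^/};            # absolute path
    return 0 if $n =~ m{^[A-Za-z]:};    # DOS-style drive prefix
    for my $part (split m{/}, $n) {
        return 0 if $part eq '..';      # parent-directory component
    }
    return 1;
}

# Extracts $zip_file under $dest, skipping (and reporting) unsafe entries.
sub safe_extract {
    my ($zip_file, $dest) = @_;
    my $zip = Archive::Zip->new;
    die "cannot read $zip_file\n" unless $zip->read($zip_file) == AZ_OK;
    make_path($dest);
    my $root = abs_path($dest);
    for my $member ($zip->members) {
        my $name = $member->fileName;
        if (!entry_is_safe($name)) {
            warn "skipping unsafe entry: $name\n";
            next;
        }
        next if $member->isDirectory;   # directories are created on demand
        my $target = File::Spec->catfile($root, split m{/}, $name);
        make_path(dirname($target));
        die "extract failed for $name\n"
            unless $member->extractToFileNamed($target) == AZ_OK;
    }
    return 1;
}

# Usage: perl safe_extract.pl archive.zip [output-dir]
safe_extract($ARGV[0], $ARGV[1] // 'out') if @ARGV;
```

The check is applied to the raw entry name rather than to the joined path, because a component-wise test on the name is independent of how the platform's path functions collapse or interpret separators. Callers on Archive::Zip versions at or above the fixed ones listed below still benefit from rejecting such entries explicitly, since it lets the application log and surface the attempt instead of relying on the library's silent refusal.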

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
libarchive-zip-perl (PTS) | jessie, jessie (lts) | 1.39-1+deb8u1 | fixed
libarchive-zip-perl (PTS) | stretch (security), stretch (lts), stretch | 1.59-1+deb9u1 | fixed
libarchive-zip-perl (PTS) | buster | 1.64-1 | fixed
libarchive-zip-perl (PTS) | sid, trixie, bullseye, bookworm | 1.68-1 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
libarchive-zip-perl | source | wheezy | (unfixed) | end-of-life | |
libarchive-zip-perl | source | jessie | 1.39-1+deb8u1 | | DLA-1440-1 |
libarchive-zip-perl | source | stretch | 1.59-1+deb9u1 | | DSA-4300-1 |
libarchive-zip-perl | source | (unstable) | 1.62-1 | | | 902882

Notes

https://github.com/redhotpenguin/perl-Archive-Zip/pull/33
https://github.com/redhotpenguin/perl-Archive-Zip/commit/95e1df86327
