Alerts This Week
Warning Icon 1 646
Alerts This Week
Warning Icon 1 646

Fedora 27: FEDORA-2018-6c55e1f79c High: Plexus-Archiver Path Traversal

fedora
Calendar Grey June 14, 2018
Dist Fedora Esm H88
Fedora 27 released an essential security patch for plexus-archiver, fixing vulnerabilities that permitted arbitrary file writes and command execution, enhancing system safety
Security fix: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-1002200) A path traversal vulnerability has been discovered...

Summary

The Plexus project seeks to create end-to-end developer tools for

writing applications. At the core is the container, which can be

embedded or for a full scale application server. There are many

reusable components for hibernate, form processing, jndi, i18n,

velocity, etc. Plexus also includes an application server which

is like a J2EE application server, without all the baggage.

Security fix: arbitrary file write vulnerability / arbitrary code execution

using a specially crafted zip file (CVE-2018-1002200) A path traversal

vulnerability has been discovered in plexus-archiver when extracting a carefully

crafted zip file which holds path traversal file names. A remote attacker could

use this vulnerability to write files outside the target directory and overwrite

existing files with malicious code or vulnerable configurations. Red Hat would

like to thank Danny Grander (Snyk) for reporting this issue. External

References: https://security.snyk.io/research/zip-slip-vulnerability

* Fri Jun 1 2018 Mikolaj Izdebski - 0:3.4-4

- Fix arbitrary file write vulnerability

- Resolves: CVE-2018-1002200

[ 1 ] Bug #1584392 - CVE-2018-1002200 plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

https://bugzilla.redhat.com/show_bug.cgi?id=1584392

su -c 'dnf upgrade --advisory FEDORA-2018-6c55e1f79c' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I7XAAUCTHL2PDJHW5Q2IYATOAXX4AFFU/

Topics%20covered

Topics Covered

security advisory Fedora path traversal arbitrary file write plexus-archiver

Change Log

References

Update Instructions

Product: Fedora 27
Version: 3.4
Release: 4.fc27
URL: http://codehaus-plexus.github.io/plexus-archiver/
Summary: Plexus Archiver Component

Topics%20covered

Topics Covered

security advisory Fedora path traversal arbitrary file write plexus-archiver

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here