[Git][java-team/libpf4j-java][master] 2 commits: CVE-2023-40826 CVE-2023-40827 CVE-2023-40828 (Closes: #1050834)
Tony Mancill (@tmancill)
gitlab at salsa.debian.org
Wed Aug 30 23:51:43 BST 2023
Tony Mancill pushed to branch master at Debian Java Maintainers / libpf4j-java
Commits:
a8f18d50 by tony mancill at 2023-08-30T15:14:35-07:00
CVE-2023-40826 CVE-2023-40827 CVE-2023-40828 (Closes: #1050834)
CVE-2023-40826[0]:
| An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to
| obtain sensitive information and execute arbitrary code via the
| zippluginPath parameter.
https://github.com/pf4j/pf4j/issues/536
Duplicate/similar to: https://github.com/pf4j/pf4j/issues/526
https://github.com/pf4j/pf4j/pull/538
Fixed by: https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
CVE-2023-40827[1]:
| An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to
| obtain sensitive information and execute arbitrary code via the
| loadpluginPath parameter.
https://github.com/pf4j/pf4j/issues/536
https://github.com/pf4j/pf4j/pull/537
https://github.com/pf4j/pf4j/pull/538
Fixed by: https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
CVE-2023-40828[2]:
| An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to
| obtain sensitive information and execute arbitrary code via the
| expandIfZip method in the extract function.
https://github.com/pf4j/pf4j/pull/537
https://github.com/pf4j/pf4j/pull/538
Fixed by: https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-40826
https://www.cve.org/CVERecord?id=CVE-2023-40826
[1] https://security-tracker.debian.org/tracker/CVE-2023-40827
https://www.cve.org/CVERecord?id=CVE-2023-40827
[2] https://security-tracker.debian.org/tracker/CVE-2023-40828
https://www.cve.org/CVERecord?id=CVE-2023-40828
- - - - -
ae62744b by tony mancill at 2023-08-30T15:26:31-07:00
Prepare changelog for upload
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/debian_1050834.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+libpf4j-java (3.9.0+dfsg-2) unstable; urgency=medium
+
+ * Team upload.
+ * Add upstream patch to address:
+ CVE-2023-40826 CVE-2023-40827 CVE-2023-40828 (Closes: #1050834)
+
+ -- tony mancill <tmancill at debian.org> Wed, 30 Aug 2023 15:18:17 -0700
+
libpf4j-java (3.9.0+dfsg-1) unstable; urgency=medium
* New upstream version 3.9.0+dfsg
=====================================
debian/patches/debian_1050834.patch
=====================================
@@ -0,0 +1,127 @@
+Description: patch for CVE-2023-40826 CVE-2023-40827 CVE-2023-40828
+Origin: https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72.patch
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050834
+Forwarded: not-needed
+
+From 8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72 Mon Sep 17 00:00:00 2001
+From: Decebal Suiu <decebal.suiu at gmail.com>
+Date: Wed, 16 Aug 2023 21:00:59 +0300
+Subject: [PATCH] Add security checks to prevent directory traversal when
+ decompressing (#538)
+
+---
+ pf4j/src/main/java/org/pf4j/util/Unzip.java | 14 +++--
+ .../test/java/org/pf4j/util/UnzipTest.java | 60 +++++++++++++++++++
+ 2 files changed, 70 insertions(+), 4 deletions(-)
+ create mode 100644 pf4j/src/test/java/org/pf4j/util/UnzipTest.java
+
+diff --git a/pf4j/src/main/java/org/pf4j/util/Unzip.java b/pf4j/src/main/java/org/pf4j/util/Unzip.java
+index 198cf7d8..a78cf83e 100644
+--- a/pf4j/src/main/java/org/pf4j/util/Unzip.java
++++ b/pf4j/src/main/java/org/pf4j/util/Unzip.java
+@@ -15,17 +15,17 @@
+ */
+ package org.pf4j.util;
+
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
++
+ import java.io.File;
+ import java.io.FileInputStream;
+-import java.io.FileNotFoundException;
+ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.util.zip.ZipEntry;
++import java.util.zip.ZipException;
+ import java.util.zip.ZipInputStream;
+
+-import org.slf4j.Logger;
+-import org.slf4j.LoggerFactory;
+-
+ /**
+ * This class extracts the content of the plugin zip into a directory.
+ * It's a class for only the internal use.
+@@ -75,11 +75,17 @@ public void extract() throws IOException {
+ FileUtils.delete(destination.toPath());
+ }
+
++ String destinationCanonicalPath = destination.getCanonicalPath();
+ try (ZipInputStream zipInputStream = new ZipInputStream(new FileInputStream(source))) {
+ ZipEntry zipEntry;
+ while ((zipEntry = zipInputStream.getNextEntry()) != null) {
+ File file = new File(destination, zipEntry.getName());
+
++ String fileCanonicalPath = file.getCanonicalPath();
++ if (!fileCanonicalPath.startsWith(destinationCanonicalPath)) {
++ throw new ZipException("The file "+ zipEntry.getName() + " is trying to leave the target output directory of "+ destination);
++ }
++
+ // create intermediary directories - sometimes zip don't add them
+ File dir = new File(file.getParent());
+
+diff --git a/pf4j/src/test/java/org/pf4j/util/UnzipTest.java b/pf4j/src/test/java/org/pf4j/util/UnzipTest.java
+new file mode 100644
+index 00000000..202e1b0b
+--- /dev/null
++++ b/pf4j/src/test/java/org/pf4j/util/UnzipTest.java
+@@ -0,0 +1,60 @@
++/*
++ * Copyright (C) 2012-present the original author or authors.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.pf4j.util;
++
++import org.junit.jupiter.api.Test;
++
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.nio.file.Files;
++import java.nio.file.Path;
++import java.util.zip.ZipEntry;
++import java.util.zip.ZipException;
++import java.util.zip.ZipOutputStream;
++
++import static org.junit.jupiter.api.Assertions.assertThrows;
++import static org.junit.jupiter.api.Assertions.assertTrue;
++
++public class UnzipTest {
++
++ @Test
++ public void zipSlip() throws IOException {
++ File zipFile = createMaliciousZipFile();
++ Path destination = Files.createTempDirectory("zipSlip");
++
++ Unzip unzip = new Unzip();
++ unzip.setSource(zipFile);
++ unzip.setDestination(destination.toFile());
++
++ Exception exception = assertThrows(ZipException.class, unzip::extract);
++ assertTrue(exception.getMessage().contains("is trying to leave the target output directory"));
++ }
++
++ private File createMaliciousZipFile() throws IOException {
++ File zipFile = File.createTempFile("malicious", ".zip");
++ String maliciousFileName = "../malicious.sh";
++ try (ZipOutputStream zipOutputStream = new ZipOutputStream(new FileOutputStream(zipFile))) {
++ ZipEntry entry = new ZipEntry(maliciousFileName);
++ zipOutputStream.putNextEntry(entry);
++ zipOutputStream.write("Malicious content".getBytes());
++ zipOutputStream.closeEntry();
++ }
++
++ return zipFile;
++ }
++
++}
=====================================
debian/patches/series
=====================================
@@ -3,3 +3,4 @@ no_module_expectation.patch
omit_TempDir_annotations_in_tests.patch
omit_tests_needing_google_testing_compile.patch
omit_mocking_Filer.patch
+debian_1050834.patch