Bug#904191: ant: Incomplete fix of CVE-2018-10886
Salvatore Bonaccorso
carnil at debian.org
Sat Jul 21 12:07:58 BST 2018
Source: ant
Version: 1.10.4-1
Severity: grave
Tags: security upstream
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=62502
Control: fixed -1 1.10.5-1
Control: found -1 1.9.4-3+deb8u1
Hi
To CVE-2018-10886 there was a followup due to incomplete fix in
upstream 10.0.5 and 1.9.13:
* the new allowFilesToEscapeDest didn't work when set to false and
archive entries contained relative paths with so many ".."
segnments that the resulting path would go beyond the file system
root.
Bugzilla Report 62502
Cf. https://bz.apache.org/bugzilla/show_bug.cgi?id=62502
https://github.com/apache/ant/commit/6a41d62cb9ab4e640b72cb4de42a6c211dea645d
https://github.com/apache/ant/commit/5a8c37b271677587046bfd0fea18c1675d5a6300
I requested a CVE for the incomplete fix.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list