zip_slip #1210

Closed
QiAnXinCodeSafe opened this issue Dec 18, 2018 · 3 comments

@QiAnXinCodeSafe

QiAnXinCodeSafe commented Dec 18, 2018

Hi all,
There is a path traversal vulnerability found by Qihoo360 CodeSafe Team.
Details as below:

When decompressing zip files, entries are not checked, resulting in overwriting arbitrary files by traversing directories using “../”.

@barthanssens barthanssens added the 🐞 bug issue is a bug label Dec 18, 2018
@barthanssens
Contributor

Thanks.

Method is part of org.eclipse.rdf4j.common.io.ZipUtil class

@barthanssens barthanssens self-assigned this Dec 18, 2018
@barthanssens barthanssens added security 📶 enhancement issue is a new feature or improvement and removed 🐞 bug issue is a bug labels Dec 18, 2018
barthanssens added a commit that referenced this issue Dec 19, 2018
Verify that zip file entries don't try to escape the parent dir + test
@barthanssens barthanssens added this to the 2.5.0 milestone Dec 19, 2018
@aschwarte10
Contributor

@jeenbroekstra, @barthanssens would it make sense to backport this fix to a 2.4.3 release, especially since it is rather small?

The security group of our company has notified us about this one, and we need to do an assessment. As we are approaching dev-complete state for the current release of our application, we could potentially only do smaller updates - if at all (and particularly cannot wait for a 2.5 release, which may also bring new features).

@aschwarte10 aschwarte10 reopened this Jan 8, 2019
@barthanssens
Contributor

Well, it sure is a small effort to backport it.
I'll take care of it this evening or tomorrow morning.

@barthanssens barthanssens modified the milestones: 2.5.0, 2.4.3 Jan 8, 2019
@abrokenjester abrokenjester added 🐞 bug issue is a bug and removed 📶 enhancement issue is a new feature or improvement labels Jan 8, 2019
barthanssens added a commit that referenced this issue Jan 8, 2019
Backport fix for zip traversal from develop
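
The check named in the fix commit (zip entries must not escape the parent directory), written out as an added example. This is not the rdf4j `ZipUtil` code or its patch; the names `SafeUnzipExample`, `extract` and `zipWith`, and the two sample archives, are constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzipExample {
    /** Extracts a zip stream into destDir, rejecting entries that resolve outside it. */
    static void extract(InputStream in, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        try (ZipInputStream zis = new ZipInputStream(in)) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                // Resolve the entry name against the target dir and collapse "../" segments.
                Path target = root.resolve(e.getName()).normalize();
                // Path.startsWith compares whole elements: "/tmp/out-x" is not under "/tmp/out".
                if (!target.startsWith(root) || (!e.isDirectory() && target.equals(root))) {
                    throw new IOException("Zip entry escapes target directory: " + e.getName());
                }
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    /** Builds a constructed in-memory archive holding one entry with the given name. */
    static byte[] zipWith(String name) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry(name));
            zos.write("data".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("unzip-demo");
        extract(new ByteArrayInputStream(zipWith("docs/readme.txt")), dest);
        System.out.println("extracted: " + Files.exists(dest.resolve("docs/readme.txt")));
        try {
            extract(new ByteArrayInputStream(zipWith("../outside.txt")), dest);
            System.out.println("traversal entry was NOT rejected");
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The comparison is lexical, so it does not account for symbolic links that already exist inside the destination directory.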