Fix CVE-2023-46122

(cherry picked from commit 4ffa881ba0a8f81c77215b43d73af8019d835ae9)
2024-06-26 18:10:46 +08:00 · 2024-06-26 18:10:46 +08:00 · b6d8944139
commit b6d8944139
parent ec6d0607ca
2 changed files with 99 additions and 1 deletions
--- a/CVE-2023-46122.patch
+++ b/CVE-2023-46122.patch
@ -0,0 +1,93 @@
 Refer:
 https://github.com/sbt/io/commit/124538348db0713c80793cb57b915f97ec13188a
 https://build.opensuse.org/projects/SUSE:SLE-15-SP2:Update/packages/sbt/files/sbt-CVE-2023-46122.patch?expand=1
 From f928cdd8aebc5a2b85c326cc267e698229e0b7b2 Mon Sep 17 00:00:00 2001
 From: Eugene Yokota <eed3si9n@gmail.com>
 Date: Sun, 22 Oct 2023 04:42:16 -0400
 Subject: [PATCH] Fixes zip-slip vulnerability
 Fixes https://github.com/sbt/io/issues/358
 Ref codehaus-plexus/plexus-archiver 87
 **Problem**
 IO.unzip currently has zip-slip vulnerability, which can write arbitrary
 files on the machine using specially crafted zip archive that holds path
 traversal file names.
 **Solution**
 This replicates the fix originally sent to plex-archiver by Snyk Team.
 ---
 util/io/src/main/scala/sbt/IO.scala | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
 diff --git a/util/io/src/main/scala/sbt/IO.scala b/util/io/src/main/scala/sbt/IO.scala
 index ed97657..f09d561 100644
 --- a/util/io/src/main/scala/sbt/IO.scala
 +++ b/util/io/src/main/scala/sbt/IO.scala
@@ -10,6 +10,7 @@ import java.io.{BufferedReader, ByteArrayOutputStream, BufferedWriter, File, Fil
 import java.io.{ObjectInputStream, ObjectStreamClass}
 import java.net.{URI, URISyntaxException, URL}
 import java.nio.charset.Charset
 +import java.nio.file.{ Path => NioPath, _ }
 import java.util.Properties
 import java.util.jar.{Attributes, JarEntry, JarFile, JarInputStream, JarOutputStream, Manifest}
 import java.util.zip.{CRC32, GZIPOutputStream, ZipEntry, ZipFile, ZipInputStream, ZipOutputStream}
@@ -190,11 +191,16 @@ object IO
 	def unzipStream(from: InputStream, toDirectory: File, filter: NameFilter = AllPassFilter, preserveLastModified: Boolean = true): Set[File] =
 	{
 		createDirectory(toDirectory)
 -		zipInputStream(from) { zipInput => extract(zipInput, toDirectory, filter, preserveLastModified) }
 +                zipInputStream(from) { zipInput => extract(zipInput, toDirectory.toPath, filter, preserveLastModified) }
 	}
 -	private def extract(from: ZipInputStream, toDirectory: File, filter: NameFilter, preserveLastModified: Boolean) =
 +        private def extract(from: ZipInputStream, toDirectory: NioPath, filter: NameFilter, preserveLastModified: Boolean) =
 	{
 -		val set = new HashSet[File]
 +                val set = new HashSet[NioPath]
 +                val canonicalDirPath = toDirectory.normalize().toString
 +                def validateExtractPath(name: String, target: NioPath): Unit =
 +                  if (!target.normalize().toString.startsWith(canonicalDirPath)) {
 +                    throw new RuntimeException(s"Entry ($name) is outside of the target directory")
 +                  }
 		def next()
 		{
 			val entry = from.getNextEntry
@@ -205,19 +211,20 @@ object IO
 				val name = entry.getName
 				if(filter.accept(name))
 				{
 -					val target = new File(toDirectory, name)
 +                                        val target = toDirectory.resolve(name)
 +                                        validateExtractPath(name, target)
 					//log.debug("Extracting zip entry '" + name + "' to '" + target + "'")
 					if(entry.isDirectory)
 -						createDirectory(target)
 +                                                createDirectory(target.toFile)
 					else
 					{
 						set += target
 						translate("Error extracting zip entry '" + name + "' to '" + target + "': ") {
 -							fileOutputStream(false)(target) { out => transfer(from, out) }
 +                                                        fileOutputStream(false)(target.toFile) { out => transfer(from, out) }
 						}
 					}
 					if(preserveLastModified)
 -						target.setLastModified(entry.getTime)
 +                                                target.toFile.setLastModified(entry.getTime)
 				}
 				else
 				{
@@ -228,7 +235,7 @@ object IO
 			}
 		}
 		next()
 -		Set() ++ set
 +                (Set() ++ set).map(_.toFile)
 	}
 	/** Retrieves the content of the given URL and writes it to the given File. */
 -- 
 2.43.0
--- a/sbt.spec
+++ b/sbt.spec
@ -45,7 +45,7 @@
 Name:                sbt
 Version:             %{sbt_version}
-Release:             5
+Release:             6
 Summary:             The simple build tool for Scala and Java projects
 BuildArch:           noarch
@ -59,6 +59,7 @@ Patch2:              sbt-0.13.1-ivy-2.3.0.patch
 Patch3:              sbt-0.13.1-ivy-docs.patch
 Patch4:              sbt-0.13.1-sxr.patch
 Patch5:              sbt-0.13.1-ivy-2.4.0.patch
 Patch6:              CVE-2023-46122.patch
 # sbt-ghpages plugin
 Source1:             https://github.com/sbt/sbt-ghpages/archive/v%{sbt_ghpages_version}.tar.gz
@ -353,6 +354,7 @@ sbt is the simple build tool for Scala and Java projects.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch6 -p1
 %if !%{do_proper}
 %patch4 -p1
@ -689,6 +691,9 @@ done
 %doc README.md LICENSE NOTICE
 %changelog
 * Wed Jun 26 2024 yaoxin <yao_xin001@hoperun.com> - 0.13.1-6
 - Fix CVE-2023-46122
 * Fri Apr 19 2024 Dingli Zhang <dingli@iscas.ac.cn> - 0.13.1-5
 - Add missing files for bootstrap