Fix CVE-2023-46122

(cherry picked from commit 4ffa881ba0a8f81c77215b43d73af8019d835ae9)
2024-06-26 18:10:46 +08:00 · 2024-06-26 18:10:46 +08:00 · b6d8944139
commit b6d8944139
parent ec6d0607ca
2 changed files with 99 additions and 1 deletions
--- a/CVE-2023-46122.patch
+++ b/CVE-2023-46122.patch
@ -0,0 +1,93 @@
+Refer:
+https://github.com/sbt/io/commit/124538348db0713c80793cb57b915f97ec13188a
+https://build.opensuse.org/projects/SUSE:SLE-15-SP2:Update/packages/sbt/files/sbt-CVE-2023-46122.patch?expand=1
+
+From f928cdd8aebc5a2b85c326cc267e698229e0b7b2 Mon Sep 17 00:00:00 2001
+From: Eugene Yokota <eed3si9n@gmail.com>
+Date: Sun, 22 Oct 2023 04:42:16 -0400
+Subject: [PATCH] Fixes zip-slip vulnerability
+
+Fixes https://github.com/sbt/io/issues/358
+Ref codehaus-plexus/plexus-archiver 87
+
+**Problem**
+IO.unzip currently has zip-slip vulnerability, which can write arbitrary
+files on the machine using specially crafted zip archive that holds path
+traversal file names.
+
+**Solution**
+This replicates the fix originally sent to plex-archiver by Snyk Team.
+
+---
+ util/io/src/main/scala/sbt/IO.scala | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/util/io/src/main/scala/sbt/IO.scala b/util/io/src/main/scala/sbt/IO.scala
+index ed97657..f09d561 100644
+--- a/util/io/src/main/scala/sbt/IO.scala
+++ b/util/io/src/main/scala/sbt/IO.scala
+@@ -10,6 +10,7 @@ import java.io.{BufferedReader, ByteArrayOutputStream, BufferedWriter, File, Fil
+ import java.io.{ObjectInputStream, ObjectStreamClass}
+ import java.net.{URI, URISyntaxException, URL}
+ import java.nio.charset.Charset
+import java.nio.file.{ Path => NioPath, _ }
+ import java.util.Properties
+ import java.util.jar.{Attributes, JarEntry, JarFile, JarInputStream, JarOutputStream, Manifest}
+ import java.util.zip.{CRC32, GZIPOutputStream, ZipEntry, ZipFile, ZipInputStream, ZipOutputStream}
+@@ -190,11 +191,16 @@ object IO
+ 	def unzipStream(from: InputStream, toDirectory: File, filter: NameFilter = AllPassFilter, preserveLastModified: Boolean = true): Set[File] =
+ 	{
+ 		createDirectory(toDirectory)
+-		zipInputStream(from) { zipInput => extract(zipInput, toDirectory, filter, preserveLastModified) }
+                zipInputStream(from) { zipInput => extract(zipInput, toDirectory.toPath, filter, preserveLastModified) }
+ 	}
+-	private def extract(from: ZipInputStream, toDirectory: File, filter: NameFilter, preserveLastModified: Boolean) =
+        private def extract(from: ZipInputStream, toDirectory: NioPath, filter: NameFilter, preserveLastModified: Boolean) =
+ 	{
+-		val set = new HashSet[File]
+                val set = new HashSet[NioPath]
+                val canonicalDirPath = toDirectory.normalize().toString
+                def validateExtractPath(name: String, target: NioPath): Unit =
+                  if (!target.normalize().toString.startsWith(canonicalDirPath)) {
+                    throw new RuntimeException(s"Entry ($name) is outside of the target directory")
+                  }
+ 		def next()
+ 		{
+ 			val entry = from.getNextEntry
+@@ -205,19 +211,20 @@ object IO
+ 				val name = entry.getName
+ 				if(filter.accept(name))
+ 				{
+-					val target = new File(toDirectory, name)
+                                        val target = toDirectory.resolve(name)
+                                        validateExtractPath(name, target)
+ 					//log.debug("Extracting zip entry '" + name + "' to '" + target + "'")
+ 					if(entry.isDirectory)
+-						createDirectory(target)
+                                                createDirectory(target.toFile)
+ 					else
+ 					{
+ 						set += target
+ 						translate("Error extracting zip entry '" + name + "' to '" + target + "': ") {
+-							fileOutputStream(false)(target) { out => transfer(from, out) }
+                                                        fileOutputStream(false)(target.toFile) { out => transfer(from, out) }
+ 						}
+ 					}
+ 					if(preserveLastModified)
+-						target.setLastModified(entry.getTime)
+                                                target.toFile.setLastModified(entry.getTime)
+ 				}
+ 				else
+ 				{
+@@ -228,7 +235,7 @@ object IO
+ 			}
+ 		}
+ 		next()
+-		Set() ++ set
+                (Set() ++ set).map(_.toFile)
+ 	}
+ 
+ 	/** Retrieves the content of the given URL and writes it to the given File. */
+-- 
+2.43.0
+
--- a/sbt.spec
+++ b/sbt.spec
@ -45,7 +45,7 @@

 Name:                sbt
 Version:             %{sbt_version}
-Release:             5
+Release:             6
 Summary:             The simple build tool for Scala and Java projects

 BuildArch:           noarch
@ -59,6 +59,7 @@ Patch2:              sbt-0.13.1-ivy-2.3.0.patch
 Patch3:              sbt-0.13.1-ivy-docs.patch
 Patch4:              sbt-0.13.1-sxr.patch
 Patch5:              sbt-0.13.1-ivy-2.4.0.patch
+Patch6:              CVE-2023-46122.patch

 # sbt-ghpages plugin
 Source1:             https://github.com/sbt/sbt-ghpages/archive/v%{sbt_ghpages_version}.tar.gz
@ -353,6 +354,7 @@ sbt is the simple build tool for Scala and Java projects.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch6 -p1

 %if !%{do_proper}
 %patch4 -p1
@ -689,6 +691,9 @@ done
 %doc README.md LICENSE NOTICE

 %changelog
+* Wed Jun 26 2024 yaoxin <yao_xin001@hoperun.com> - 0.13.1-6
+- Fix CVE-2023-46122
+
 * Fri Apr 19 2024 Dingli Zhang <dingli@iscas.ac.cn> - 0.13.1-5
 - Add missing files for bootstrap