Bug 1215973 (CVE-2023-37460)

Summary: VUL-0: CVE-2023-37460: plexus-archiver: Arbitrary File Creation in AbstractUnArchiver
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: fstrba, rfrohl, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/373420/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-37460:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-10-05 13:20:03 UTC 
Plexis Archiver is a collection of Plexus components to create archives or
extract archives to a directory with a unified `Archiver`/`UnArchiver` API.
Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might
lead to an arbitrary file creation and possibly remote code execution. When
extracting an archive with an entry that already exists in the destination
directory as a symbolic link whose target does not exist - the `resolveFile()`
function will return the symlink's source instead of its target, which will pass
the verification that ensures the file will not be extracted outside of the
destination directory. Later `Files.newOutputStream()`, that follows symlinks by
default,  will actually write the entry's content to the symlink's target.
Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an
arbitrary file creation and possibly remote code execution. Version 4.8.0
contains a patch for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37460
Comment 2 Fridrich Strba 2023-10-06 13:53:11 UTC 
I can submit upgrade quite quickly but once upgraded the plexus-archiver, the following packages need to be upgraded too:
- maven-archiver
- maven-assembly-plugin
- maven-dependency-plugin
- maven-jar-plugin
- maven-javadoc-plugin
- maven-plugin-tools
and
- tycho
Comment 6 Maintenance Automation 2024-02-21 08:36:23 UTC 
SUSE-RU-2024:0560-1: An update that solves one vulnerability can now be installed.

Category: recommended (moderate)
Bug References: 1215973
CVE References: CVE-2023-37460
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
SUSE Manager Proxy 4.3 (src): objectweb-asm-9.6-150200.3.11.3
SUSE Manager Retail Branch Server 4.3 (src): objectweb-asm-9.6-150200.3.11.3
SUSE Manager Server 4.3 (src): objectweb-asm-9.6-150200.3.11.3
SUSE Enterprise Storage 7.1 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
openSUSE Leap 15.5 (src): maven-dependency-analyzer-1.13.2-150200.3.7.2, maven-compiler-plugin-3.11.0-150200.3.7.1, maven-plugin-tools-3.9.0-150200.3.7.3, maven-dependency-plugin-3.6.0-150200.3.7.2, maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1, maven-common-artifact-filters-3.3.2-150200.3.7.3, maven-plugin-plugin-3.9.0-150200.3.7.5, maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1, plexus-archiver-4.8.0-150200.3.7.2, maven-enforcer-3.4.1-150200.3.7.2, objectweb-asm-9.6-150200.3.11.3, maven-archiver-3.6.1-150200.3.7.3, plexus-compiler-2.14.2-150200.3.9.2, maven-assembly-plugin-3.6.0-150200.3.7.2, maven-dependency-tree-3.2.1-150200.3.7.2
Basesystem Module 15-SP5 (src): objectweb-asm-9.6-150200.3.11.3
Development Tools Module 15-SP5 (src): maven-archiver-3.6.1-150200.3.7.3, maven-plugin-tools-3.9.0-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2, maven-compiler-plugin-3.11.0-150200.3.7.1, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-compiler-2.14.2-150200.3.9.2
SUSE Manager Server 4.3 Module 4.3 (src): objectweb-asm-9.6-150200.3.11.3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): maven-archiver-3.6.1-150200.3.7.3, objectweb-asm-9.6-150200.3.11.3, maven-plugin-tools-3.9.0-150200.3.7.3, maven-compiler-plugin-3.11.0-150200.3.7.1, plexus-compiler-2.14.2-150200.3.9.2, maven-common-artifact-filters-3.3.2-150200.3.7.3, plexus-archiver-4.8.0-150200.3.7.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Fridrich Strba 2024-03-05 11:49:39 UTC 
Fixed for all supported codestreams, even ALP, just not sure why it is not mentioned by the bot.
Please, close
Comment 8 Robert Frohl 2024-06-05 14:02:20 UTC 
done, closing