Merge PR "[AUTO-CHERRYPICK] [High] patch plexus-utils for CVE-2025-67030 - branch main" #16362

CBL-Mariner-Bot · jykanase · web-flow · commit f7cf32a16ca6 · 2026-03-30T09:17:27.000-07:00
Co-authored-by: jykanase &lt;v-jykanase@microsoft.com&gt;
diff --git a/SPECS/plexus-utils/CVE-2025-67030.patch b/SPECS/plexus-utils/CVE-2025-67030.patch
@@ -0,0 +1,201 @@
+From: Copilot <198982749+Copilot@users.noreply.github.com>
+Date: Sun, 9 Nov 2025 12:32:38 +0100
+Subject: [PATCH] Fix Zip Slip vulnerability in archive extraction (#296)
+
+---------
+Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
+Co-authored-by: slachiewicz <6705942+slachiewicz@users.noreply.github.com>
+
+Upstream Patch Reference: https://github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642.patch
+---
+ .../java/org/codehaus/plexus/util/Expand.java |  18 ++-
+ .../org/codehaus/plexus/util/ExpandTest.java  | 148 ++++++++++++++++++
+ 2 files changed, 162 insertions(+), 4 deletions(-)
+ create mode 100644 src/test/java/org/codehaus/plexus/util/ExpandTest.java
+
+diff --git a/src/main/java/org/codehaus/plexus/util/Expand.java b/src/main/java/org/codehaus/plexus/util/Expand.java
+index 3d3e98a..512ee83 100644
+--- a/src/main/java/org/codehaus/plexus/util/Expand.java
++++ b/src/main/java/org/codehaus/plexus/util/Expand.java
+@@ -136,10 +136,20 @@ protected void extractFile( File srcF, File dir, InputStream compressedInputStre
+     {
+         File f = FileUtils.resolveFile( dir, entryName );
+ 
+-        if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
+-        {
+-            throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+-        }
++        try {
++            String canonicalDirPath = dir.getCanonicalPath();
++            String canonicalFilePath = f.getCanonicalPath();
++
++            // Ensure the file is within the target directory
++            // We need to check that the canonical file path starts with the canonical directory path
++            // followed by a file separator to prevent path traversal attacks
++            if (!canonicalFilePath.startsWith(canonicalDirPath + File.separator)
++                    && !canonicalFilePath.equals(canonicalDirPath)) {
++                throw new IOException("Entry '" + entryName + "' outside the target directory.");
++            }
++        } catch (IOException e) {
++            throw new IOException("Failed to verify entry path for '" + entryName + "'", e);
++	}
+ 
+         try
+         {
+diff --git a/src/test/java/org/codehaus/plexus/util/ExpandTest.java b/src/test/java/org/codehaus/plexus/util/ExpandTest.java
+new file mode 100644
+index 0000000..46e3d0e
+--- /dev/null
++++ b/src/test/java/org/codehaus/plexus/util/ExpandTest.java
+@@ -0,0 +1,148 @@
++package org.codehaus.plexus.util;
++
++/*
++ * Copyright The Codehaus Foundation.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *     http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++import java.io.File;
++import java.nio.file.Files;
++import java.util.zip.ZipEntry;
++import java.util.zip.ZipOutputStream;
++
++import org.junit.jupiter.api.Test;
++
++import static org.junit.jupiter.api.Assertions.assertFalse;
++import static org.junit.jupiter.api.Assertions.assertThrows;
++import static org.junit.jupiter.api.Assertions.assertTrue;
++
++/**
++ * Test for {@link Expand}.
++ */
++class ExpandTest extends FileBasedTestCase {
++
++    @Test
++    void testZipSlipVulnerabilityWithParentDirectory() throws Exception {
++        File tempDir = getTestDirectory();
++        File zipFile = new File(tempDir, "malicious.zip");
++        File targetDir = new File(tempDir, "extract");
++        targetDir.mkdirs();
++
++        // Create a malicious zip with path traversal
++        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(zipFile.toPath()))) {
++            ZipEntry entry = new ZipEntry("../../evil.txt");
++            zos.putNextEntry(entry);
++            zos.write("malicious content".getBytes());
++            zos.closeEntry();
++        }
++
++        Expand expand = new Expand();
++        expand.setSrc(zipFile);
++        expand.setDest(targetDir);
++
++        // This should throw an exception, not extract the file
++        assertThrows(Exception.class, () -> expand.execute());
++
++        // Verify the file was not created outside the target directory
++        File evilFile = new File(tempDir, "evil.txt");
++        assertFalse(evilFile.exists(), "File should not be extracted outside target directory");
++    }
++
++    @Test
++    void testZipSlipVulnerabilityWithAbsolutePath() throws Exception {
++        File tempDir = getTestDirectory();
++        File zipFile = new File(tempDir, "malicious-absolute.zip");
++        File targetDir = new File(tempDir, "extract-abs");
++        targetDir.mkdirs();
++
++        // Create a malicious zip with absolute path
++        File evilTarget = new File("/tmp/evil-absolute.txt");
++        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(zipFile.toPath()))) {
++            ZipEntry entry = new ZipEntry(evilTarget.getAbsolutePath());
++            zos.putNextEntry(entry);
++            zos.write("malicious content".getBytes());
++            zos.closeEntry();
++        }
++
++        Expand expand = new Expand();
++        expand.setSrc(zipFile);
++        expand.setDest(targetDir);
++
++        // This should throw an exception, not extract the file
++        assertThrows(Exception.class, () -> expand.execute());
++
++        // Verify the file was not created at the absolute path
++        assertFalse(evilTarget.exists(), "File should not be extracted to absolute path");
++    }
++
++    @Test
++    void testZipSlipVulnerabilityWithSimilarDirectoryName() throws Exception {
++        File tempDir = getTestDirectory();
++        File zipFile = new File(tempDir, "malicious-similar.zip");
++        File targetDir = new File(tempDir, "extract");
++        targetDir.mkdirs();
++
++        // Create a directory with a similar name to test prefix matching vulnerability
++        File similarDir = new File(tempDir, "extract-evil");
++        similarDir.mkdirs();
++
++        // Create a malicious zip that tries to exploit prefix matching
++        // If targetDir is /tmp/extract, this tries to write to /tmp/extract-evil/file.txt
++        String maliciousPath = "../extract-evil/evil.txt";
++        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(zipFile.toPath()))) {
++            ZipEntry entry = new ZipEntry(maliciousPath);
++            zos.putNextEntry(entry);
++            zos.write("malicious content".getBytes());
++            zos.closeEntry();
++        }
++
++        Expand expand = new Expand();
++        expand.setSrc(zipFile);
++        expand.setDest(targetDir);
++
++        // This should throw an exception, not extract the file
++        assertThrows(Exception.class, () -> expand.execute());
++
++        // Verify the file was not created in the similar directory
++        File evilFile = new File(similarDir, "evil.txt");
++        assertFalse(evilFile.exists(), "File should not be extracted to directory with similar name");
++    }
++
++    @Test
++    void testNormalZipExtraction() throws Exception {
++        File tempDir = getTestDirectory();
++        File zipFile = new File(tempDir, "normal.zip");
++        File targetDir = new File(tempDir, "extract-normal");
++        targetDir.mkdirs();
++
++        // Create a normal zip
++        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(zipFile.toPath()))) {
++            ZipEntry entry = new ZipEntry("subdir/normal.txt");
++            zos.putNextEntry(entry);
++            zos.write("normal content".getBytes());
++            zos.closeEntry();
++        }
++
++        Expand expand = new Expand();
++        expand.setSrc(zipFile);
++        expand.setDest(targetDir);
++
++        // This should succeed
++        expand.execute();
++
++        // Verify the file was created in the correct location
++        File normalFile = new File(targetDir, "subdir/normal.txt");
++        assertTrue(normalFile.exists(), "File should be extracted to correct location");
++    }
++}
+-- 
+2.45.4
+
diff --git a/SPECS/plexus-utils/plexus-utils.spec b/SPECS/plexus-utils/plexus-utils.spec
@@ -16,7 +16,7 @@ Summary:        Plexus Common Utilities
 #
 Name:           plexus-utils
 Version:        3.3.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -25,6 +25,7 @@ URL:            https://codehaus-plexus.github.io/plexus-utils/
 Source0:        https://github.com/codehaus-plexus/%{name}/archive/%{name}-%{version}.tar.gz
 Source1:        %{name}-build.xml
 Source2:        http://apache.org/licenses/LICENSE-2.0.txt
+Patch0:         CVE-2025-67030.patch
 BuildRequires:  ant
 BuildRequires:  fdupes
 BuildRequires:  javapackages-local-bootstrap
@@ -45,7 +46,7 @@ Group:          Documentation/HTML
 Javadoc for %{name}.
 
 %prep
-%setup -q -n %{name}-%{name}-%{version}
+%autosetup -p1 -n %{name}-%{name}-%{version}
 
 cp %{SOURCE1} build.xml
 cp %{SOURCE2} .
@@ -77,6 +78,9 @@ cp -pr target/site/apidocs/* %{buildroot}%{_javadocdir}/%{name}/
 %{_javadocdir}/%{name}
 
 %changelog
+* Mon Mar 30 2026 Jyoti kanase <v-jykanase@microsoft.com> - 3.3.0-4
+- Patch for CVE-2025-67030
+
 * Fri Mar 17 2023 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 3.3.0-3
 - Moved from extended to core
 - License verified
