Bug 1205138 (CVE-2022-37865) - VUL-0: CVE-2022-37865: apache-ivy: Apache Ivy allow create/overwrite any file on the system
Status: RESOLVED FIXED
Alias: CVE-2022-37865
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/347165/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-37865:8.0:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-07 12:33 UTC by Gianluca Gabrielli
Modified: 2024-05-03 09:07 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Gianluca Gabrielli 2022-11-07 12:33:02 UTC
Description:

With Apache Ivy 2.4.0 an optional packaging attribute has been
introduced that allows artifacts to be unpacked on the fly if they used
pack200 or zip packaging.

For artifacts using the "zip", "jar" or "war" packaging Ivy prior to
2.5.1 doesn't verify the target path when extracting the archive. An
archive containing absolute paths or paths that try to traverse
"upwards"...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37865
https://seclists.org/oss-sec/2022/q4/121
Comment 1 David Anes 2022-11-07 16:47:54 UTC
We need to apply this commit to older versions:
* https://github.com/apache/ant-ivy/commit/03b6b8c3ae27406fadb3b3539b51294af246aafa

Newest version was already sent to Factory this morning.
Comment 3 David Anes 2022-11-11 17:27:14 UTC
Everything done on all codestreams. Sending back to security team for review.
Comment 5 Robert Frohl 2024-05-03 09:07:20 UTC
done, closing