Bug 1100053 - (CVE-2018-10886) VUL-0: CVE-2018-10886: ant: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Jason Sikes
Security Team bot
https://smash.suse.de/issue/209433/
CVSSv3:RedHat:CVE-2018-10886:5.3:(A...
Reported: 2018-07-04 05:59 UTC by Marcus Meissner
Modified: 2021-02-10 01:32 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2018-07-04 05:59:49 UTC
A vulnerability has been found in the way developers have implemented the archive extraction of files. An arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. Of course, if an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. This affects multiple libraries that lack high-level APIs that provide the archive extraction functionality.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1584407



https://github.com/apache/ant/commit/e56e54565804991c62ec76dad385d2bdda8972a7
https://github.com/apache/ant/commit/1a2b1e37e3616991588f21efa89c474dd6ff83ff
https://github.com/apache/ant/commit/f72406d53cfb3b3425cc9d000eea421a0e05d8fe
https://github.com/apache/ant/commit/857095da5153fd18504b46f276d84f1e76a66970
Comment 1 Tomáš Chvátal 2018-07-26 10:02:30 UTC
https://github.com/apache/ant/commit/6a41d62cb9ab4e640b72cb4de42a6c211dea645d
https://github.com/apache/ant/commit/5a8c37b271677587046bfd0fea18c1675d5a6300

Additional fixes. Please add me to CC if you think this is urgent, as Pedro is still out of the office.
Comment 7 Swamp Workflow Management 2018-09-11 06:18:58 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-09-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64140
Comment 10 Swamp Workflow Management 2018-09-21 16:08:31 UTC
SUSE-SU-2018:2789-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1100053
CVE References: CVE-2018-10886
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ant-1.7.1-20.11.5.1, ant-antlr-1.7.1-16.11.5.1
SUSE Linux Enterprise Server 11-SP4 (src):    ant-1.7.1-20.11.5.1, ant-antlr-1.7.1-16.11.5.1
Comment 11 Swamp Workflow Management 2018-09-24 16:12:26 UTC
SUSE-SU-2018:2838-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1100053
CVE References: CVE-2018-10886
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ant-1.9.4-3.3.1, ant-antlr-1.9.4-3.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    ant-1.9.4-3.3.1
Comment 12 Swamp Workflow Management 2018-09-26 10:11:57 UTC
SUSE-SU-2018:2866-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1100053
CVE References: CVE-2018-10886
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ant-1.9.10-3.3.1, ant-antlr-1.9.10-3.3.1, ant-junit-1.9.10-3.3.1
Comment 13 Swamp Workflow Management 2018-09-27 13:21:39 UTC
openSUSE-SU-2018:2895-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1100053
CVE References: CVE-2018-10886
Sources used:
openSUSE Leap 15.0 (src):    ant-1.9.10-lp150.2.3.1, ant-antlr-1.9.10-lp150.2.3.1, ant-junit-1.9.10-lp150.2.3.1
Comment 15 Swamp Workflow Management 2020-05-20 16:13:41 UTC
SUSE-SU-2020:1351-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1100053,1133997,1134001
CVE References: CVE-2018-10886
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ant-1.9.4-3.6.1, ant-antlr-1.9.4-3.6.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ant-1.9.4-3.6.1, ant-antlr-1.9.4-3.6.1
SUSE Linux Enterprise Server 12-SP5 (src):    ant-1.9.4-3.6.1
SUSE Linux Enterprise Server 12-SP4 (src):    ant-1.9.4-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-05-20 16:16:42 UTC
SUSE-SU-2020:1352-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1100053,1133997,1134001
CVE References: CVE-2018-10886
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ant-1.9.10-3.6.1, ant-antlr-1.9.10-3.6.1, ant-junit-1.9.10-3.6.1

Comment 17 Swamp Workflow Management 2020-05-23 22:15:30 UTC
openSUSE-SU-2020:0703-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1100053,1133997,1134001
CVE References: CVE-2018-10886
Sources used:
openSUSE Leap 15.1 (src):    ant-1.9.10-lp151.4.3.1, ant-antlr-1.9.10-lp151.4.3.1, ant-junit-1.9.10-lp151.4.3.1
Comment 18 Jason Sikes 2021-02-10 01:32:16 UTC
Fixed a while ago.