https://bugzilla.redhat.com/show_bug.cgi?id=958221

Bug ID: 958221
Summary: plexus-utils: directory traversal in org.codehaus.plexus.util.Expand
Product: Fedora
Version: rawhide
Component: plexus-utils
Severity: unspecified
Priority: unspecified
Assignee: fnasser@redhat.com
Reporter: fweimer@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: fnasser@redhat.com, java-sig-commits@lists.fedoraproject.org, mizdebsk@redhat.com
Blocks: 958220
Category: ---

org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools.
I think the class should just be deprecated and removed because there do not appear to be any users left (not even a test case).
Mikolaj Izdebski mizdebsk@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1009414

Mikolaj Izdebski mizdebsk@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|fnasser@redhat.com          |mizdebsk@redhat.com

Mikolaj Izdebski mizdebsk@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|---                         |UPSTREAM
        Last Closed|                            |2015-05-14 06:31:33

--- Comment #2 from Mikolaj Izdebski mizdebsk@redhat.com ---
This is a feature request and as such it has been forwarded upstream:
http://jira.codehaus.org/browse/PLXUTILS-178

--- Comment #3 from Florian Weimer fweimer@redhat.com ---
Re-reported upstream:

https://github.com/codehaus-plexus/plexus-utils/issues/4
https://github.com/sonatype/plexus-utils/issues/20

Mikolaj Izdebski mizdebsk@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|UPSTREAM                    |RAWHIDE

--- Comment #4 from Mikolaj Izdebski mizdebsk@redhat.com ---
Fixed in upstream version 3.0.24