Description
sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)
Impact
Given a specially crafted zip or JAR file, IO.unzip allows writing of an arbitrary file, because entry names are joined to the destination directory without checking that the resulting path stays inside it. The following is an example of a malicious entry:
This would have the potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in the pullRemoteCache task and in Resolvers.remote; however, many projects call IO.unzip(...) directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1
Patches
The problem has been patched in https://github.com/sbt/io/pull/360; sbt 1.9.7 is available with the fix.
Workarounds
A workaround might be to use some other library to unzip. Whichever library is used, confirm that it resolves each entry's path against the destination directory and rejects entries that escape it (both "../" segments and absolute names), rather than assuming it does.
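The check that the Impact section describes as missing, and that the Workarounds section asks for from a replacement library, written out as an added example in Python (not sbt's code and not the patched IO.unzip): it builds a constructed archive in memory containing one benign entry plus a "../"-traversal entry and an absolute-path entry, flags every entry whose resolved path leaves the destination, and refuses to extract an archive that contains any such entry. The entry names, file contents and directory layout are all constructed for the example.

```python
"""Zip Slip check for zip/JAR archives (added example, not sbt's own code)."""
import io
import os
import tempfile
import zipfile

# Constructed sample entry names; the traversal one mirrors the class of entry
# the advisory describes (a relative path climbing out to authorized_keys).
TRAVERSAL_ENTRY = "../../../../../../root/.ssh/authorized_keys"
ABSOLUTE_ENTRY = "/etc/cron.d/evil"


def build_sample_archive(malicious: bool = True) -> bytes:
    """Build an in-memory zip with a benign entry and, optionally, two hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/ok.txt", "benign\n")
        if malicious:
            zf.writestr(TRAVERSAL_ENTRY, "ssh-ed25519 AAAA... attacker\n")
            zf.writestr(ABSOLUTE_ENTRY, "* * * * * root id\n")
    return buf.getvalue()


def escapes_dest(name: str, dest: str) -> bool:
    """True if entry `name`, joined to `dest` the way an unchecked extractor
    would join it, resolves to a path outside `dest`."""
    dest_real = os.path.realpath(dest)
    # os.path.join discards dest for an absolute entry name, and realpath
    # collapses the "../" segments, so both hostile forms are caught.
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) != dest_real


def zip_slip_entries(data: bytes, dest: str) -> list:
    """Names of all entries that would land outside `dest`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if escapes_dest(n, dest)]


def safe_unzip(data: bytes, dest: str) -> list:
    """Extract into `dest`, refusing the whole archive if any entry escapes.
    Every entry is read with zf.open and written as a regular file, so a
    symlink entry cannot redirect later writes either."""
    bad = zip_slip_entries(data, dest)
    if bad:
        raise ValueError(f"refusing archive: entries escape {dest}: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def demo() -> dict:
    """Run both checks against the constructed archives in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        flagged = zip_slip_entries(build_sample_archive(malicious=True), dest)
        try:
            safe_unzip(build_sample_archive(malicious=True), dest)
            rejected = False
        except ValueError:
            rejected = True
        written = safe_unzip(build_sample_archive(malicious=False), dest)
        ok_file = os.path.isfile(os.path.join(dest, "lib", "ok.txt"))
    return {"flagged": flagged, "rejected": rejected, "written": written, "ok_file": ok_file}


if __name__ == "__main__":
    print(demo())
```

The check is done on the whole archive before anything is written, so a hostile entry cannot be smuggled in after benign ones have already been extracted. Resolving with realpath (rather than a textual "../" scan) also catches an entry that points through a pre-existing symlink inside the destination. The same check can be run against a remote-cache artifact or dependency JAR before handing it to any unzip routine.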
References
Packages
Package                  Affected versions     Patched version
org.scala-sbt:sbt        >= 0.3.4, < 1.9.7     1.9.7
org.scala-sbt:io_2.12    >= 1.0.0, < 1.9.7     1.9.7
org.scala-sbt:io_2.13    >= 1.0.0, < 1.9.7     1.9.7
org.scala-sbt:io_3       >= 1.0.0, < 1.9.7     1.9.7
Related vulnerabilities
sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of an arbitrary file. This would have the potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in the `pullRemoteCache` task and in `Resolvers.remote`; however, many projects call `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.