fix(plexus-utils2): CVE-2025-67030

deepin-ci-robot · hudeng-go · Zeno-sole · commit a0f8c28057ac · 2026-04-30T11:07:55.000+08:00
Fix Directory Traversal (Zip Slip) vulnerability in Expand.java. Use getCanonicalPath() instead of getAbsolutePath() for proper path validation to prevent directory traversal attacks. Upstream: codehaus-plexus/plexus-utils@36ea352 Generated-By: glm-5.1 Co-Authored-By: hudeng <hudeng@deepin.org>
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,9 @@
+plexus-utils2 (3.4.2-1deepin1) unstable; urgency=medium
+
+  * Fix CVE-2025-67030: Directory Traversal vulnerability in Expand.java
+
+ -- deepin-ci-robot <packages@deepin.org>  Mon, 27 Apr 2026 14:59:56 +0800
+
 plexus-utils2 (3.4.2-1) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/patches/cve_2025_67030.patch b/debian/patches/cve_2025_67030.patch
@@ -0,0 +1,38 @@
+Description: Fix CVE-2025-67030: Directory Traversal vulnerability
+ Fix Zip Slip vulnerability in archive extraction by using getCanonicalPath()
+ instead of getAbsolutePath() for path validation.
+Author: Copilot <198982749+Copilot@users.noreply.github.com>
+Origin: upstream, https://github.com/codehaus-plexus/plexus-utils/commit/36ea3526309d2842075bf018d45152816a37fc98
+Bug: https://security-tracker.debian.org/tracker/CVE-2025-67030
+Forwarded: not-needed
+
+Index: github-plexus-utils2-67030/src/main/java/org/codehaus/plexus/util/Expand.java
+===================================================================
+--- github-plexus-utils2-67030.orig/src/main/java/org/codehaus/plexus/util/Expand.java
++++ github-plexus-utils2-67030/src/main/java/org/codehaus/plexus/util/Expand.java
+@@ -116,9 +116,23 @@ public class Expand
+     {
+         File f = FileUtils.resolveFile( dir, entryName );
+ 
+-        if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
++        try
++        {
++            String canonicalDirPath = dir.getCanonicalPath();
++            String canonicalFilePath = f.getCanonicalPath();
++
++            // Ensure the file is within the target directory
++            // We need to check that the canonical file path starts with the canonical directory path
++            // followed by a file separator to prevent path traversal attacks
++            if ( !canonicalFilePath.startsWith( canonicalDirPath + File.separator )
++                    && !canonicalFilePath.equals( canonicalDirPath ) )
++            {
++                throw new IOException( "Entry '" + entryName + "' outside the target directory." );
++            }
++        }
++        catch ( IOException e )
+         {
+-            throw new IOException( "Entry '" + entryName + "' outside the target directory." );
++            throw new IOException( "Failed to verify entry path for '" + entryName + "'", e );
+         }
+ 
+         try
diff --git a/debian/patches/series b/debian/patches/series
@@ -2,3 +2,4 @@
 02-propertyutils-compatibility.patch
 03-maven-plugin-testing-compatibility.patch
 06-ignore-jmh-benchmarks.patch
+cve_2025_67030.patch
