Impact
Given specially crafted zip or JAR file, IO.unzip
allows writing of arbitrary file. The follow is an example of a malicious entry:
+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
This would have a potential to overwrite /root/.ssh/authorized_keys
. Within sbt's main code, IO.unzip
is used in pullRemoteCache
task and Resolvers.remote
; however many projects use IO.unzip(...)
directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1
Patches
The problem has been patched in sbt/io#360
sbt 1.9.7 is available with the fix.
Workarounds
A workaround might be use some other library to unzip.
References
References
Impact
Given specially crafted zip or JAR file,
IO.unzip
allows writing of arbitrary file. The follow is an example of a malicious entry:This would have a potential to overwrite
/root/.ssh/authorized_keys
. Within sbt's main code,IO.unzip
is used inpullRemoteCache
task andResolvers.remote
; however many projects useIO.unzip(...)
directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1Patches
The problem has been patched in sbt/io#360
sbt 1.9.7 is available with the fix.
Workarounds
A workaround might be use some other library to unzip.
References
References