Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE-2024-48510 #21

Merged
merged 1 commit into from
Nov 22, 2024
Merged

Fix CVE-2024-48510 #21

merged 1 commit into from
Nov 22, 2024

Conversation

Foorcee
Copy link

@Foorcee Foorcee commented Nov 18, 2024

Fix for a Directory Traversal vulnerability in DotNetZip (CVE-2024-48510) that affects version 1.16.0 and earlier. This issue allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component. The fix is based on the patch provided by the original author.

https://gist.github.com/thomas-chauchefoin-bentley-systems/855218959116f870f08857cce2aec731

@dos-ise
Copy link

dos-ise commented Nov 20, 2024

Great Work! Migrated from DotNetZip to ProDotNetZip just for this upcoming fix.

@StuartBow
Copy link

Hello, great work on fixing this. Do you know when this will be available for us to update within our NuGet package? Thanks!

@jonreis
Copy link

jonreis commented Nov 22, 2024

@mihula thank you very much for creating this fork. Any timeline on when the pull request to resolve security vulnerability CVE-2024-48510 will be accepted? We have some customers who are waiting for a build of our product with that resolved.

@mihula mihula self-assigned this Nov 22, 2024
@mihula mihula merged commit 2965705 into mihula:main Nov 22, 2024
3 of 4 checks passed
@mihula
Copy link
Owner

mihula commented Nov 22, 2024
edited
Loading

Thanks!
Published in v1.19.0

Provided test was not "failing" on non-windows OS (and the build pipeline is set for ubuntu) so I change it a little bit and will think about it later.

@jonreis
Copy link

jonreis commented Nov 23, 2024

@mihula I cannot thank you enough for this. I would love to buy you a beer, or 2. Do you have a PayPal account I can contribute to? Best, Jon

@mihula
Copy link
Owner

mihula commented Nov 23, 2024

My pleasure. I am using dotnetzip in some of my project too (and that is the main reason of this fork) so I need it as well.

@denisglu
Copy link

denisglu commented Dec 4, 2024

@mihula thank you very much for keeping this up to date! Migrated from DotNetZip.Semverd because of the latest vulnerability.
However, having an issue with v1.19.0 - it now references .NET v9.0 libraries (System.Security.Permissions.dll and System.Text.Encoding.CodePages.dll) while our software is linked to .NET v8 shared runtime and the update to v9 is not an option. Dotnet goes a little weird when loading these two v9 dependencies.
As I understand there's no real reason to have these two references pointing to the latest v9 (especially since v8 EOL is later in time).
Is there any chance you that you will revert the references to version 8 and re-release the library in the foreseeable future?
Thanks!

@mihula
Copy link
Owner

mihula commented Dec 4, 2024

My point was to use the net standard only so net8/9 should be in tests only. Will look at it.

@denisglu
Copy link

denisglu commented Dec 4, 2024

My point was to use the net standard only so net8/9 should be in tests only. Will look at it.

Thanks! I can see these references are in ProDotNetZipNetStandard.csproj

@mihula
Copy link
Owner

mihula commented Dec 4, 2024

But those seems ok, aren't they?
https://www.nuget.org/packages/System.Security.Permissions/9.0.0?_src=template#supportedframeworks-body-tab
image

@denisglu
Copy link

denisglu commented Dec 5, 2024

Those are OK, yes, and actually are part of the .NET Desktop runtime. The problem is that ProDotNet assembly references their 9.0 version (which is the part of .NET 9 runtime) and when our app (which is linked to .NET 8.0 shared runtime) starts using ZipFile then dotnet throws this:

System.IO.FileNotFoundException: Could not load file or assembly 'System.Security.Permissions, Version=9.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'. The system cannot find the file specified. File name: 'System.Security.Permissions, Version=9.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' at Ionic.Zip.SharedUtilities.ReadWithRetry(Stream s, Byte[] buffer, Int32 offset, Int32 count, String FileName) at Ionic.Zip.ZipEntry._WriteEntryData(Stream s) in /_/src/Zip/ZipEntry.Write.cs:line 1474 at Ionic.Zip.ZipEntry.Write(Stream s) in /_/src/Zip/ZipEntry.Write.cs:line 2186 at Ionic.Zip.ZipFile.Save() in /_/src/Zip/ZipFile.Save.cs:line 168 at Ionic.Zip.ZipFile.Save(String fileName) in /_/src/Zip/ZipFile.Save.cs:line 461

It wants 9.0 version and does not load it from the shared runtime v8.0, and it will not load it even if I add them to the app folder, since the app is on .NET 8.0.
I believe it would not throw if the references would be to version 8.0, since dotnet in this case normally wants/accepts the same version or newer.
The references were to v8.0 and were updated to v9.0 in v1.19.0:
image

If you could rollback this particular change, that would not break anything but will let it use with applications based on .NET 8 or later.
Thanks!

@mihula
Copy link
Owner

mihula commented Dec 5, 2024

Agreed. Lets downgrade it.

@mihula
Copy link
Owner

mihula commented Dec 5, 2024

https://github.com/mihula/ProDotNetZip/releases/tag/1.20.0

@denisglu
Copy link

denisglu commented Dec 5, 2024

Thanks a lot! You've really helped!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@mihula mihula

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Foorcee @dos-ise @StuartBow @jonreis @mihula @denisglu