From c9c7be4df91e767634d20edda840ce1e4ba4fa0f Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 26 Jun 2024 18:16:41 +0800
Subject: [PATCH] Fix CVE-2023-46122

(cherry picked from commit f720dd62b903cdc9accc4a29cfe67d201294e2ef)
---
 CVE-2023-46122.patch | 93 ++++++++++++++++++++++++++++++++++++++++++++
 sbt.spec | 7 +++-
 2 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-46122.patch

diff --git a/CVE-2023-46122.patch b/CVE-2023-46122.patch
new file mode 100644
index 0000000..43bc2c4
--- /dev/null
+++ b/CVE-2023-46122.patch
@@ -0,0 +1,93 @@
+Refer:
+https://github.com/sbt/io/commit/124538348db0713c80793cb57b915f97ec13188a
+https://build.opensuse.org/projects/SUSE:SLE-15-SP2:Update/packages/sbt/files/sbt-CVE-2023-46122.patch?expand=1
+
+From f928cdd8aebc5a2b85c326cc267e698229e0b7b2 Mon Sep 17 00:00:00 2001
+From: Eugene Yokota
+Date: Sun, 22 Oct 2023 04:42:16 -0400
+Subject: [PATCH] Fixes zip-slip vulnerability
+
+Fixes https://github.com/sbt/io/issues/358
+Ref codehaus-plexus/plexus-archiver 87
+
+**Problem**
+IO.unzip currently has zip-slip vulnerability, which can write arbitrary
+files on the machine using specially crafted zip archive that holds path
+traversal file names.
+
+**Solution**
+This replicates the fix originally sent to plex-archiver by Snyk Team.
+
+---
+ util/io/src/main/scala/sbt/IO.scala | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/util/io/src/main/scala/sbt/IO.scala b/util/io/src/main/scala/sbt/IO.scala
+index ed97657..f09d561 100644
+--- a/util/io/src/main/scala/sbt/IO.scala
++++ b/util/io/src/main/scala/sbt/IO.scala
+@@ -10,6 +10,7 @@ import java.io.{BufferedReader, ByteArrayOutputStream, BufferedWriter, File, Fil
+ import java.io.{ObjectInputStream, ObjectStreamClass}
+ import java.net.{URI, URISyntaxException, URL}
+ import java.nio.charset.Charset
++import java.nio.file.{ Path => NioPath, _ }
+ import java.util.Properties
+ import java.util.jar.{Attributes, JarEntry, JarFile, JarInputStream, JarOutputStream, Manifest}
+ import java.util.zip.{CRC32, GZIPOutputStream, ZipEntry, ZipFile, ZipInputStream, ZipOutputStream}
+@@ -190,11 +191,16 @@ object IO
+ def unzipStream(from: InputStream, toDirectory: File, filter: NameFilter = AllPassFilter, preserveLastModified: Boolean = true): Set[File] =
+ {
+ createDirectory(toDirectory)
+- zipInputStream(from) { zipInput => extract(zipInput, toDirectory, filter, preserveLastModified) }
++ zipInputStream(from) { zipInput => extract(zipInput, toDirectory.toPath, filter, preserveLastModified) }
+ }
+- private def extract(from: ZipInputStream, toDirectory: File, filter: NameFilter, preserveLastModified: Boolean) =
++ private def extract(from: ZipInputStream, toDirectory: NioPath, filter: NameFilter, preserveLastModified: Boolean) =
+ {
+- val set = new HashSet[File]
++ val set = new HashSet[NioPath]
++ val canonicalDirPath = toDirectory.normalize().toString
++ def validateExtractPath(name: String, target: NioPath): Unit =
++ if (!target.normalize().toString.startsWith(canonicalDirPath)) {
++ throw new RuntimeException(s"Entry ($name) is outside of the target directory")
++ }
+ def next()
+ {
+ val entry = from.getNextEntry
+@@ -205,19 +211,20 @@ object IO
+ val name = entry.getName
+ if(filter.accept(name))
+ {
+- val target = new File(toDirectory, name)
++ val target = toDirectory.resolve(name)
++ validateExtractPath(name, target)
+ //log.debug("Extracting zip entry '" + name + "' to '" + target + "'")
+ if(entry.isDirectory)
+- createDirectory(target)
++ createDirectory(target.toFile)
+ else
+ {
+ set += target
+ translate("Error extracting zip entry '" + name + "' to '" + target + "': ") {
+- fileOutputStream(false)(target) { out => transfer(from, out) }
++ fileOutputStream(false)(target.toFile) { out => transfer(from, out) }
+ }
+ }
+ if(preserveLastModified)
+- target.setLastModified(entry.getTime)
++ target.toFile.setLastModified(entry.getTime)
+ }
+ else
+ {
+@@ -228,7 +235,7 @@ object IO
+ }
+ }
+ next()
+- Set() ++ set
++ (Set() ++ set).map(_.toFile)
+ }
+
+ /** Retrieves the content of the given URL and writes it to the given File. */
+--
+2.43.0
+
diff --git a/sbt.spec b/sbt.spec
index 5ad8e33..ed505a9 100644
--- a/sbt.spec
+++ b/sbt.spec
@@ -45,7 +45,7 @@ Name: sbt
 Version: %{sbt_version}
-Release: 2
+Release: 3
 Summary: The simple build tool for Scala and Java projects
 BuildArch: noarch
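Review bot: The containment test in validateExtractPath is a String prefix comparison, so `target.normalize().toString.startsWith(canonicalDirPath)` also accepts a sibling directory whose name merely extends the target's (a target of `/out` admits an entry that normalizes to `/out2/...`), and if toDirectory is a relative `.` its normalized string appears to be empty, in which case every entry passes, including absolute entry names that `resolve` hands back unchanged. Compare path components on absolute, normalized paths instead: `val canonicalDir = toDirectory.toAbsolutePath.normalize()` and `if (!target.toAbsolutePath.normalize().startsWith(canonicalDir)) {`, which uses `Path.startsWith` rather than `String.startsWith`. `normalize()` does not follow symlinks, so an entry written through a symlink already present under the target is still not caught; that limitation is shared with the upstream commit this patch replicates and may be acceptable for sbt's use, but is worth a comment above validateExtractPath. The body of extract is spread over three inner hunks of this one added file, so this note covers the definition and its call site together.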
@@ -59,6 +59,7 @@ Patch2: sbt-0.13.1-ivy-2.3.0.patch
 Patch3: sbt-0.13.1-ivy-docs.patch
 Patch4: sbt-0.13.1-sxr.patch
 Patch5: sbt-0.13.1-ivy-2.4.0.patch
+Patch6: CVE-2023-46122.patch
 
 # sbt-ghpages plugin
 Source1: https://github.com/sbt/sbt-ghpages/archive/v%{sbt_ghpages_version}.tar.gz
@@ -148,6 +149,7 @@ sbt is the simple build tool for Scala and Java projects.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch6 -p1
 
 %if !%{do_proper}
 %patch4 -p1
@@ -477,6 +479,9 @@ done
 %doc README.md LICENSE NOTICE
 %changelog
+* Wed Jun 26 2024 yaoxin - %{sbt_version}-3
+- Fix CVE-2023-46122
+
 * Sat Dec 12 2020 wangxiao - %{sbt_version}-2
 - delete unuse file
--
Gitee