1.9.7
Highlights
- sbt 1.9.7 updates its IO module to 1.9.7, which fixes a parent path traversal vulnerability in `IO.unzip`. This was discovered and reported by Kenji Yoshida (@xuwei-k), and fixed by @eed3si9n in io#360.
Zip Slip (arbitrary file write) vulnerability
See GHSA-h9mw-grgx-2fhf for the most up-to-date information. This affects all sbt versions prior to 1.9.7.
A path traversal vulnerability was discovered in the `IO.unzip` code. This is a very common vulnerability known as Zip Slip, and it has been found and fixed in plexus-archiver, Ant, and other tools.
Given a specially crafted zip or JAR file, `IO.unzip` allows an arbitrary file to be written. The following is an example of a malicious entry:
+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
When executed from a path six directory levels deep, `IO.unzip` could then overwrite a file under `/root/`. sbt itself uses `IO.unzip` only in `pullRemoteCache` and `Resolvers.remote`; however, many projects call `IO.unzip(...)` directly to implement custom tasks and tests.
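As an added illustration (this is not sbt's own code or the io#360 patch), the following shows the kind of containment check a project that calls `IO.unzip` directly can apply around its own extraction: every entry name is resolved under the destination and normalized, and the whole archive is rejected if any entry would land outside. The `SafeUnzip` object, its method names and the constructed sample archive are assumptions made for this example.

```scala
import java.io.{ByteArrayInputStream, ByteArrayOutputStream}
import java.nio.file.{Files, Path}
import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}

object SafeUnzip {
  // Resolve an entry name under `dest`; None when the normalized path escapes it.
  // Path.startsWith compares whole components ("/tmp/out2" is not inside "/tmp/out"),
  // and an absolute entry name such as "/etc/x" resolves to itself and is rejected.
  def resolveInside(dest: Path, entryName: String): Option[Path] = {
    val base   = dest.toAbsolutePath.normalize
    val target = base.resolve(entryName).normalize
    if (target.startsWith(base)) Some(target) else None
  }
  // Read every entry first so that one bad entry rejects the archive before any write.
  private def readEntries(zipBytes: Array[Byte]): List[(String, Array[Byte])] = {
    val in  = new ZipInputStream(new ByteArrayInputStream(zipBytes))
    val out = List.newBuilder[(String, Array[Byte])]
    try {
      var e = in.getNextEntry
      while (e != null) { out += ((e.getName, in.readAllBytes())); e = in.getNextEntry }
    } finally in.close()
    out.result()
  }
  def unzip(zipBytes: Array[Byte], dest: Path): Either[String, List[Path]] = {
    val entries = readEntries(zipBytes)
    entries.find { case (name, _) => resolveInside(dest, name).isEmpty } match {
      case Some((name, _)) => Left(s"refusing to extract: entry '$name' escapes $dest")
      case None => Right(entries.map { case (name, bytes) =>
        val target = resolveInside(dest, name).get
        if (name.endsWith("/")) Files.createDirectories(target)
        else { Files.createDirectories(target.getParent); Files.write(target, bytes) }
        target
      })
    }
  }
  // Constructed sample archive (not a real artifact): one harmless entry plus an
  // entry shaped like the one quoted in the advisory above.
  def sampleZip(): Array[Byte] = {
    val bos = new ByteArrayOutputStream(); val zos = new ZipOutputStream(bos)
    Seq("META-INF/notes.txt" -> "harmless",
        "../../../../../../root/.ssh/authorized_keys" -> "outside dest").foreach { case (n, b) =>
      zos.putNextEntry(new ZipEntry(n)); zos.write(b.getBytes("UTF-8")); zos.closeEntry()
    }
    zos.close(); bos.toByteArray
  }
  def main(args: Array[String]): Unit = {
    val dest = Files.createTempDirectory("safe-unzip")
    println(unzip(sampleZip(), dest))
  }
}
```

The check is lexical: it stops `..` segments and absolute names, but it does not defend against a symlink already present under the destination that points elsewhere, which has to be handled separately.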
Non-determinism from AutoPlugins loading
We've known that occasionally some builds non-deterministically flip-flop their behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins where neither depends on the other.
sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @eed3si9n in #7404.
Other updates and fixes
- Updates Coursier to 2.1.7 by @regiskuckaertz in #7392
- Updates Swoval to 2.1.12 by @eatkins in io#353
- Fixes `.sbtopts` support for the `sbt` runner script on Windows by @ptrdom in #7393
- Adds documentation on the `scriptedSbt` key by @mdedetrich in #7383
- Includes the URL in the `dependencyBrowseTree` log by @mkurz in #7396