microsoft / react-native-code-push

React Native module for CodePush
http://appcenter.ms

Update ZipArchive to 2.5.5 to fix two security issues #2748

Closed BergQuester closed 2 months ago

BergQuester commented 2 months ago

Steps to Reproduce

  1. ZipArchive has two known vulnerabilities in the version currently used (2.2.2)
    1. CVE-2022-36943: Arbitrary file write affecting ZipArchive version 2.5.3 and earlier.
    2. CVE-2023-39136: DoS via unhandled _sanitizedPath edge case affecting ZipArchive version 2.5.4 and earlier.

Expected Behavior

A version of ZipArchive is used that does not contain these vulnerabilities

Actual Behavior

The current version used is unpatched

There is a PR that was closed that updated ZipArchive to a patched version: https://github.com/microsoft/react-native-code-push/pull/2709
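As an added check that is not part of the issue or the project, here is a small script that reads a Podfile.lock and reports which of the two CVEs listed above apply to the pinned ZipArchive version. It assumes the pod resolves under the CocoaPods name SSZipArchive (or ZipArchive) and uses a constructed lock excerpt as input.

```python
import re

# Vulnerable ranges as stated in the issue: "2.5.3 and earlier" and
# "2.5.4 and earlier". Upper bounds are inclusive.
ADVISORIES = {
    "CVE-2022-36943": (2, 5, 3),
    "CVE-2023-39136": (2, 5, 4),
}
# Pod names to look for; "SSZipArchive" as the CocoaPods name is an assumption.
POD_NAMES = ("SSZipArchive", "ZipArchive")

# Constructed Podfile.lock excerpt, not taken from the project.
SAMPLE_LOCK = """PODS:
  - CodePush (8.0.2):
    - React-Core
    - SSZipArchive (~> 2.2.2)
  - React-Core (0.71.0)
  - SSZipArchive (2.2.2)
"""

def parse_version(text):
    """Turn '2.5.5' into (2, 5, 5) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))

def resolved_versions(lockfile):
    """Map each resolved pod in the PODS section to its version tuple.
    Only top-level entries ('  - Name (x.y.z)') carry resolved versions;
    deeper lines like '    - Name (~> x.y)' are constraints and are skipped."""
    versions = {}
    in_pods = False
    for line in lockfile.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # next top-level section (DEPENDENCIES:, SPEC CHECKSUMS:, ...)
        m = re.match(r"^  - ([\w/+.-]+) \((\d+(?:\.\d+)*)\)", line)
        if in_pods and m:
            versions[m.group(1)] = parse_version(m.group(2))
    return versions

def zip_archive_findings(lockfile):
    """Return the CVE ids from the issue that apply to the pinned ZipArchive version."""
    versions = resolved_versions(lockfile)
    for name in POD_NAMES:
        if name in versions:
            pinned = versions[name]
            return sorted(cve for cve, last_bad in ADVISORIES.items() if pinned <= last_bad)
    return []  # pod not present, or pinned above both vulnerable ranges

if __name__ == "__main__":
    print(zip_archive_findings(SAMPLE_LOCK))
```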

DmitriyKirakosyan commented 2 months ago

@BergQuester, thank you for your report! I've reopened the PR. We’ll keep you updated in this thread once it’s merged and released!

DmitriyKirakosyan commented 2 months ago

@BergQuester, please note that this update will require the minimum iOS versions to be set to 15.5 or higher, as it is a requirement of ZipArchive 2.5.5. You can update this by modifying your Podfile, see this comment.

MikhailSuendukov commented 2 months ago

A fix for this issue was released with the AppCenter SDK ReactNative v9.0.0, so I'm closing this issue.