Date: Thu, 01 Jan 2015 13:04:49 +0300
From: Alexander Cherepanov <cherepan@...me.ru>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: cve request: miniunzip directory traversal

On 2015-01-01 00:44, Michael Gilbert wrote:
> Jakub Wilk discovered a directory traversal issue in the miniunzip
> tool, which is part of minizip. Attached is a proposed
> solution.

Attached patch seems to deal with absolute paths only. What about
relative ones?

$ touch ../file
$ zip test.zip ../file
  adding: ../file (stored 0%)
$ rm ../file
$ miniunzip test.zip
MiniUnz 1.01b, demo of zLib + Unz package written by Gilles Vollant
more info at http://www.winimage.com/zLibDll/unzip.html

test.zip opened
 extracting: ../file
$ ls ../file
../file

-- 
Alexander Cherepanov