oss-sec mailing list archives
Re: cve request: miniunzip directory traversal
From: Alexander Cherepanov <cherepan () mccme ru>
Date: Thu, 01 Jan 2015 13:04:49 +0300
On 2015-01-01 00:44, Michael Gilbert wrote:
> Jakub Wilk discovered a directory traversal issue in the miniunzip tool [0], which is part of minizip [1]. Attached is a proposed solution.
Attached patch seems to deal with absolute paths only. What about relative ones?

$ touch ../file
$ zip test.zip ../file
adding: ../file (stored 0%)
$ rm ../file
$ miniunzip test.zip
MiniUnz 1.01b, demo of zLib + Unz package written by Gilles Vollant
more info at http://www.winimage.com/zLibDll/unzip.html
test.zip opened
extracting: ../file
$ ls ../file
../file

--
Alexander Cherepanov
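
An added example, not part of the original message or of the minizip sources: a name check that refuses absolute entry names as well as relative ones containing a `..` component, the case raised in the message above. The helper name `entry_name_is_safe` and all sample names other than `../file` are assumptions made for illustration; the check is deliberately conservative and does not cover symbolic links.

```c
#include <stdio.h>
#include <string.h>

/* Both separators are treated as path separators, since archive names
 * may have been created on either Unix or DOS/Windows. */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Hypothetical helper (not a minizip function): return 1 if the archive
 * entry name may be created below the extraction directory, 0 if not. */
int entry_name_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;
    /* Absolute paths: leading separator, or a DOS drive prefix such as
     * "C:" (any name with ':' as second character is refused). */
    if (is_sep(name[0]) || name[1] == ':')
        return 0;

    /* Walk the components and refuse any that is exactly "..". This also
     * refuses names like "dir/../file" that would stay inside the tree. */
    while (*p != '\0') {
        size_t len = 0;
        while (p[len] != '\0' && !is_sep(p[len]))
            len++;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
        while (is_sep(*p))
            p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names; "../file" is the one from the message. */
    const char *samples[] = { "../file", "/etc/file", "dir/../../file",
                              "dir\\..\\file", "C:\\file", "dir/file",
                              "a..b/file" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               entry_name_is_safe(samples[i]) ? "extract" : "refuse");
    return 0;
}
```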