Google Git
Sign in
goma / zlib / 14a5f8f266c16c87ab6c086fc52b770b27701e01
commit14a5f8f266c16c87ab6c086fc52b770b27701e01[log] [tgz]
authorMatt Wilson <msw@amazon.com>Wed Jan 17 14:46:18 2024 -0800
committerMark Adler <madler@alumni.caltech.edu>Wed Jan 17 15:08:08 2024 -0800
treeef3a7752a686dd5784a2a695204a6a3b4eca17b6
parent44dc43ab047d65febed972a17b0e3bf7e994e8f2 [diff]
Neutralize zip file traversal attacks in miniunz.

Archive formats such as .zip files are generally susceptible to
so-called "traversal attacks". This allows an attacker to craft
an archive that writes to unexpected locations of the file system
(e.g., /etc/shadow) if an unspecting root user were to unpack a
malicious archive.

This patch neutralizes absolute paths such as /tmp/moo and deeply
relative paths such as dummy/../../../../../../../../../../tmp/moo

The Debian project requested CVE-2014-9485 be allocated for the
first identified weakness. The fix was incomplete, resulting in a
revised patch applied here. Since there wasn't an updated version
released by Debian with the incomplete fix, I suggest we use this
CVE to identify both issues.

Link: https://security.snyk.io/research/zip-slip-vulnerability
Link: https://bugs.debian.org/774321
Link: https://bugs.debian.org/776831
Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485
Reported-by: Jakub Wilk <jwilk@debian.org>
Fixed-by: Michael Gilbert <mgilbert@debian.org>
1 file changed
tree: ef3a7752a686dd5784a2a695204a6a3b4eca17b6
  1. .github/
  2. amiga/
  3. contrib/
  4. doc/
  5. examples/
  6. msdos/
  7. nintendods/
  8. old/
  9. os400/
  10. qnx/
  11. test/
  12. watcom/
  13. win32/
  14. .gitignore
  15. adler32.c
  16. ChangeLog
  17. CMakeLists.txt
  18. compress.c
  19. configure
  20. crc32.c
  21. crc32.h
  22. deflate.c
  23. deflate.h
  24. FAQ
  25. gzclose.c
  26. gzguts.h
  27. gzlib.c
  28. gzread.c
  29. gzwrite.c
  30. INDEX
  31. infback.c
  32. inffast.c
  33. inffast.h
  34. inffixed.h
  35. inflate.c
  36. inflate.h
  37. inftrees.c
  38. inftrees.h
  39. LICENSE
  40. make_vms.com
  41. Makefile
  42. Makefile.in
  43. README
  44. treebuild.xml
  45. trees.c
  46. trees.h
  47. uncompr.c
  48. zconf.h
  49. zconf.h.cmakein
  50. zconf.h.in
  51. zlib.3
  52. zlib.3.pdf
  53. zlib.h
  54. zlib.map
  55. zlib.pc.cmakein
  56. zlib.pc.in
  57. zutil.c
  58. zutil.h