grpc / grpc-dart

The Dart language implementation of gRPC.
https://pub.dev/packages/grpc
Apache License 2.0
835 stars, 256 forks

security vulnerability in `archive` <= 3.3.7 #677

Closed. mockturtl closed this 8 months ago.

mockturtl commented 8 months ago

GitHub's Dependabot notified me of security vulnerabilities in archive, which is used by GzipCodec.

An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.

An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.

Details, CVE: https://pub.dev/packages/archive/changelog#338---september-02-2023

You may wish to consider bumping the version constraint to archive: ^3.3.8.

mraleph commented 8 months ago

These vulnerabilities don't affect grpc because there are no files extracted to disk or archives being traversed.
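To make the distinction above concrete, here is an added example (not grpc-dart's own code and not part of this thread) contrasting the two `package:archive` usage patterns: the in-memory gzip round trip that a codec like `GzipCodec` needs, which never touches entry names or the filesystem, beside the zip-extraction pattern the advisories are about, where an attacker-controlled entry name such as `../../etc/cron.d/evil` must be rejected before anything is written to disk. The crafted zip is constructed in memory inside the example; the `isSafeEntryName` helper and the entry names are assumptions made for illustration. It assumes a pubspec depending on `archive: ^3.3.8`.

```dart
// Added example, not grpc-dart's or package:archive's code.
// Assumes `archive: ^3.3.8` in pubspec.yaml; run with `dart run`.
import 'dart:convert';
import 'package:archive/archive.dart';

/// The codec pattern: compress a byte payload and inflate it again,
/// entirely in memory. There are no entry names and no paths involved,
/// so a path-traversal or filename-spoofing bug in zip handling has
/// nothing to act on here.
List<int> gzipRoundTrip(List<int> payload) {
  final compressed = GZipEncoder().encode(payload)!;
  return GZipDecoder().decodeBytes(compressed);
}

/// Hypothetical check for the extraction pattern: an entry name coming
/// out of an untrusted zip is only acceptable if it is a relative path
/// with no `..` segments, no absolute prefix and no NUL byte. This is the
/// kind of sanitisation the advisories say archive <= 3.3.7 lacked.
bool isSafeEntryName(String name) {
  if (name.isEmpty || name.contains('\u0000')) return false;
  // Reject absolute paths on both separator conventions and Windows drives.
  if (name.startsWith('/') || name.startsWith('\\')) return false;
  if (RegExp(r'^[A-Za-z]:').hasMatch(name)) return false;
  // Split on either separator; any `..` segment escapes the target dir.
  final segments = name.split(RegExp(r'[/\\]'));
  return !segments.any((s) => s == '..');
}

/// Constructed zip with one traversal entry and one benign entry.
List<int> craftedZipBytes() {
  final body = utf8.encode('owned');
  final archive = Archive()
    ..addFile(ArchiveFile('../../etc/cron.d/evil', body.length, body))
    ..addFile(ArchiveFile('ok/readme.txt', body.length, body));
  return ZipEncoder().encode(archive)!;
}

/// Decode an untrusted zip and return only the entries that are safe to
/// write under an extraction directory; traversal entries are dropped.
List<String> safeEntryNames(List<int> zipBytes) {
  final archive = ZipDecoder().decodeBytes(zipBytes);
  return [
    for (final f in archive.files)
      if (isSafeEntryName(f.name)) f.name,
  ];
}

void main() {
  // Codec pattern: round trip succeeds and data is unchanged.
  final payload = utf8.encode('grpc message body');
  final inflated = gzipRoundTrip(payload);
  print('gzip round trip ok: ${utf8.decode(inflated) == 'grpc message body'}');

  // Extraction pattern: the crafted entry is filtered out, the benign one kept.
  final kept = safeEntryNames(craftedZipBytes());
  print('entries accepted for extraction: $kept'); // [ok/readme.txt]
}
```

The point of the contrast is the triage question raised in this issue: a dependency advisory only matters if the affected code path is reachable. Only the second half of the example, which the gRPC codec never exercises, has an attacker-controlled filename to check.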