madler / zlib

A massively spiffy yet delicately unobtrusive compression library.
http://zlib.net/

The miniunz CLI that is part of contrib/minizip is vulnerable to traversal attack #907

Closed mswilson closed 7 months ago

mswilson commented 7 months ago

When I was investigating publicly known vulnerabilities in #868 I discovered that Debian patched their copy of minizip (which is compiled from the zlib source distribution) to neutralize some traversal attacks. The original CVE allocated for this issue was CVE-2014-9485, and the current patch that Debian carries downstream is here: https://sources.debian.org/patches/zlib/1:1.3.dfsg-3/CVE-2014-9485-miniunzip.patch/
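The flaw class here is an extractor trusting member names taken from the archive. As an added illustration (not zlib's, minizip's or Debian's code), this is the kind of check an extractor needs before creating each file; it assumes the name comes straight from the zip central directory and treats both slash styles as separators, since archives produced on Windows use backslashes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Reject archive member names that could escape the extraction directory.
 * Returns true only for relative names that contain no ".." component and
 * carry no absolute or drive-qualified prefix. Both '/' and '\\' count as
 * separators because zip writers emit either. */
bool is_safe_entry_name(const char *name) {
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/' || name[0] == '\\')
        return false;                      /* absolute path */
    if (strlen(name) >= 2 && name[1] == ':')
        return false;                      /* "C:..." drive-qualified path */

    const char *p = name;
    for (;;) {
        /* locate the end of the current path component */
        const char *end = p;
        while (*end != '\0' && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                  /* ".." component: traversal */
        if (*end == '\0')
            break;
        p = end + 1;
    }
    return true;
}
```

Names such as "a..b/..c" pass, because only a component that is exactly ".." is a traversal; a real extractor would additionally resolve the final path and confirm it still lies under the destination directory.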

mswilson commented 7 months ago

Test case .zip file from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774321 attached: traversal.zip

Second test case .zip file from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776831 attached: traversal2.zip

Neustradamus commented 7 months ago

cc: @madler, @gvollant.

Linked to:

Neustradamus commented 7 months ago

Zlib 1.3.1 has been released (2024-01-22):