madler / zlib

A massively spiffy yet delicately unobtrusive compression library.
http://zlib.net/

contrib/minizip: neutralize traversal attacks in miniunz cli #908

Closed mswilson closed 7 months ago

mswilson commented 7 months ago

Archive formats such as .zip files are generally susceptible to so-called "traversal attacks". This allows an attacker to craft an archive that writes to unexpected locations of the file system (e.g., /etc/shadow) if an unsuspecting root user were to unpack a malicious archive.

This patch neutralizes absolute paths such as /tmp/moo and deeply relative paths such as dummy/../../../../../../../../../../../../../../../../../tmp/moo

The Debian project requested CVE-2014-9485 be allocated for the first identified weakness. The fix was incomplete, resulting in a revised patch applied here. Since there wasn't an updated version released by Debian with the incomplete fix, I suggest we use this CVE to identify both issues.

Fixes: #907
Link: https://security.snyk.io/research/zip-slip-vulnerability
Link: https://bugs.debian.org/774321
Link: https://bugs.debian.org/776831
Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485
Reported-by: Jakub Wilk <jwilk@debian.org>
Fixed-by: Michael Gilbert <mgilbert@debian.org>
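The two cases the PR description names, an absolute member name and a chain of ".." components, handled in C as an added illustration. This is not the PR's patch and not minizip code; the function names and the exact policy (rewrite the name rather than reject the entry, and also drop empty and "." components) are assumptions of this example.

```c
/*
 * Added example (not zlib/minizip code): neutralize a .zip member name
 * before it is used as an output path, in the spirit of the fix the PR
 * describes. Policy chosen here (an assumption): rewrite rather than
 * reject, dropping leading '/' and every "..", "." and empty component.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Returns the number of hazards neutralized: 1 if the name was absolute,
 * plus 1 per ".." component dropped. 0 means the name was already safe.
 * Returns -1 if nothing is left to write (e.g. "/", "..", "../") or if
 * 'out' is too small; callers should skip such entries.
 */
int neutralize_member_name(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int hazards = (in[0] == '/') ? 1 : 0;     /* absolute path */
    const char *p = in;

    if (outlen == 0)
        return -1;

    while (*p) {
        const char *seg = p;
        size_t seglen;

        while (*p && *p != '/')
            p++;
        seglen = (size_t)(p - seg);
        if (*p == '/')
            p++;                              /* consume the separator */

        if (seglen == 0 || (seglen == 1 && seg[0] == '.'))
            continue;                         /* "//" or ".": no effect on location */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            hazards++;                        /* ".." would climb out of the target dir */
            continue;
        }
        if (o + seglen + 1 >= outlen)
            return -1;                        /* no room for '/' + segment + NUL */
        if (o > 0)
            out[o++] = '/';
        memcpy(out + o, seg, seglen);
        o += seglen;
    }
    out[o] = '\0';
    return (o == 0) ? -1 : hazards;
}

/*
 * Check helper: 1 if neutralizing 'in' yields 'expect' with the expected
 * hazard count (expect == NULL means the entry should be skipped), else 0.
 */
int neutralize_matches(const char *in, const char *expect, int expect_hazards)
{
    char buf[256];
    int rc = neutralize_member_name(in, buf, sizeof buf);
    if (rc < 0)
        return expect == NULL && expect_hazards == rc;
    return expect != NULL && rc == expect_hazards && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed inputs mirroring the cases named in the PR description. */
    const char *names[] = {
        "/tmp/moo",
        "dummy/../../../../tmp/moo",
        "normal/dir/file.txt",
        "../",
    };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = neutralize_member_name(names[i], buf, sizeof buf);
        if (rc < 0)
            printf("%-28s -> skipped\n", names[i]);
        else
            printf("%-28s -> %s (%d hazard%s)\n", names[i], buf, rc,
                   rc == 1 ? "" : "s");
    }
    return 0;
}
```

Rewriting silently moves where a hostile entry lands (here "dummy/tmp/moo"), so an extractor should at least log a non-zero return, and refusing the entry outright is an equally valid policy. The example only treats '/' as a separator and does not address backslashes or drive letters on Windows, nor symlinks already present in the destination directory, which a complete extractor must also consider.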

madler commented 7 months ago

Applied. Thanks.

Neustradamus commented 7 months ago

Merged commit:

Neustradamus commented 7 months ago

Zlib 1.3.1 has been released (2024-01-22):