Subject: unzoo: directory traversal security bug
Package: unzoo
Version: 4.4-2
Severity: important
Tags: security

Hello,

unzoo suffers from an old security bug that hasn't been patched. When unpacking .zoo archives, there's no check for "../.." constructs in the file names, which makes it possible to unpack to arbitrary locations in the file system.

Read more here:

http://secunia.com/advisories/12857/
http://securitytracker.com/alerts/2004/Oct/1011673.html
http://www.securityfocus.com/bid/11417/info/

// Ulf Härnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages unzoo depends on:
ii  libc6                     2.3.2.ds1-20   GNU C Library: Shared libraries an

-- no debconf information