Package: unp
Version: 1.0.12
Severity: important
Tags: security

unp doesn't escape filenames properly. Try this:

  touch empty
  zip \`ls\`.zip empty
  unp \`ls\`.zip

and it will give you a directory listing. This means that any application
using 'unp' for a generic decompression utility might be vulnerable to a
filename-based injection attack.

Maybe increase the severity level?

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

unp depends on no packages.

Versions of packages unp recommends:
ii  bzip2                         1.0.3-7    high-quality block-sorting file co

-- no debconf information
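
The flaw class reported above, as an added example that is not part of the original report and is not unp's own code. It assumes a wrapper that pastes the filename into a command string parsed by a second shell; the function names are hypothetical, the filename is constructed, and printf stands in for the real extractor.

```shell
#!/bin/sh
# Added illustration of the reported flaw class; not taken from unp's source.
# printf stands in for the real extractor (unzip, tar, ...) so that the
# example only shows which argument the extractor would receive.

# Unsafe pattern (assumed): the filename is interpolated into a command
# string that a second shell parses. Backticks, $(), ; and spaces inside
# the name are then treated as shell syntax.
run_unsafe() {
    sh -c "printf '%s\n' $1"
}

# Safe pattern: the command text is a fixed string and the filename is
# passed as a separate positional argument. The inner shell expands "$1"
# as data and never parses its contents.
run_safe() {
    sh -c 'printf "%s\n" "$1"' sh "$1"
}

# Constructed sample name with the same shape as the report's `ls`.zip,
# using a harmless echo so the substitution is visible in the output.
name='`echo INJECTED`.zip'

printf 'unsafe wrapper passes: %s\n' "$(run_unsafe "$name")"
printf 'safe wrapper passes:   %s\n' "$(run_safe "$name")"
```

The same rule applies in any language the wrapper is written in: call the extractor with an argument list (for example Perl's list form of system) instead of a single string handed to /bin/sh.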