severity 448437 grave
thanks

Erich Schubert wrote:
> Package: unp
> Version: 1.0.12
> Severity: important
> Tags: security
> 
> unp doesn't escape filenames properly. Try this:
> 
> touch empty
> zip \`ls\`.zip empty
> unp \`ls\`.zip
> 
> and it will give you a directory listing.
> 
> This means that any application using 'unp' for a generic decompression
> utility might be vulnerable to a filename-based injection attack.
> 
> Maybe increase the severity level?

Indeed.

Cheers,
        Moritz
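
The class of bug reported above, as an added example that is not part of the original message and is not unp's code: a wrapper that pastes an archive name into a shell command string, next to two ways of keeping the name as data. `printf` stands in for the real extractor, and the function names and the sample filename are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not unp's code. printf stands in for the real
# extractor (unzip, tar, ...); all function names are hypothetical.

# Vulnerable pattern: the archive name is pasted into a command string
# that a second shell parses, so `...`, $(...), ; and | in the name run.
run_unsafe() {
    sh -c "printf '%s\n' $1"
}

# Preferred: no second parse. The name travels as one argv element.
run_argv() {
    printf '%s\n' "$1"
}

# If a command string is unavoidable: wrap the name in single quotes and
# rewrite each embedded ' as '\'' so the inner shell sees one literal word.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

run_quoted() {
    sh -c "printf '%s\n' $(sh_quote "$1")"
}

# Constructed sample name with a harmless payload.
sample='`echo INJECTED`.zip'
printf 'unsafe: %s\n' "$(run_unsafe "$sample")"
printf 'argv:   %s\n' "$(run_argv "$sample")"
printf 'quoted: %s\n' "$(run_quoted "$sample")"
```

In Perl, which unp is written in, the counterpart of `run_argv` is the list form of `system`, which hands the arguments to the program without involving a shell.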
