severity 448437 grave
thanks

Erich Schubert wrote:
> Package: unp
> Version: 1.0.12
> Severity: important
> Tags: security
>
> unp doesn't escape filenames properly. Try this:
>
> touch empty
> zip \`ls\`.zip empty
> unp \`ls\`.zip
>
> and it will give you a directory listing.
>
> This means that any application using 'unp' for a generic decompression
> utility might be vulnerable to a filename-based injection attack.
>
> Maybe increase the severity level?

Indeed.

Cheers,
Moritz
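
The bug class reported above, next to two ways of closing it, as an added example that is not part of the original mail and is not unp's own code. It assumes `echo` as a stand-in for the real extractor so the output shows which argument the child process received; the function names are hypothetical.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample: the archive name from the report's reproducer.
ARCHIVE = "`ls`.zip"
# Assumption: `echo` stands in for the real extractor so the output shows
# exactly which argument the child process received.
TOOL = "echo"


def unsafe_shell(name, cwd):
    """Vulnerable pattern: the filename is pasted into a shell command line."""
    cmd = f"{TOOL} {name}"
    return subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True,
                          text=True, check=True).stdout.strip()


def quoted_shell(name, cwd):
    """Mitigation when a shell string is unavoidable: quote the filename."""
    cmd = f"{TOOL} {shlex.quote(name)}"
    return subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True,
                          text=True, check=True).stdout.strip()


def argv_exec(name, cwd):
    """Preferred fix: no shell at all, the filename is one argv element."""
    return subprocess.run([TOOL, name], cwd=cwd, capture_output=True,
                          text=True, check=True).stdout.strip()


def demo():
    """Run all three variants in a scratch directory holding one file."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "empty"), "w").close()  # `touch empty`
        return {
            "unsafe": unsafe_shell(ARCHIVE, d),
            "quoted": quoted_shell(ARCHIVE, d),
            "argv": argv_exec(ARCHIVE, d),
        }


if __name__ == "__main__":
    for variant, seen in demo().items():
        print(f"{variant:7} -> {seen}")
```

Only the unsafe variant lets the shell run the backtick substitution; the other two hand the literal filename to the tool.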