clone 799326 -1
reassign minizip -1
kthxbye

Assigning a copy to minizip which is the package containing minizip in current distributions, not deleting context as a result.
On Thu, Sep 17, 2015 at 11:27:36PM +0200, Marc Lehmann wrote:
> Package: zlib-bin
> Version: 1:1.2.7.dfsg-13
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> I'm using miniunzip as replacement for info zip, as miniunzip seems
> to be the only program in debian gnu/linux that can properly unpack
> international filenames (presumably by treating them as binary, which is
> better than info-zip, which mangles them so the original names are lost).
>
> Unfortunately, miniunzip contains at least one big security problem,
> namely it unpacks filenames starting with ../ (and presumably filenames
> with embedded /../ components).
>
> That means a malicious zip file containing e.g. ../../home/user/.profile
> or ../../../../../etc/passwd could overwrite files not intended for
> overwriting.
>
> I haven't tested whether miniunzip also unpacks filenames starting with /.
>
> In these cases, miniunzip should remove the initial ../ or /, and probably
> fail when it encounters embedded /../ components.
>
> -- System Information:
> Debian Release: 8.2
>   APT prefers stable
>   APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.1.4-040104-generic (SMP w/12 CPU cores)
> Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages zlib-bin depends on:
> ii  libc6   2.19-18+deb8u1
> ii  zlib1g  1:1.2.8.dfsg-2+b1
>
> zlib-bin recommends no packages.
>
> zlib-bin suggests no packages.
>
> -- no debconf information
>
> -- debsums errors found:
> prelink: /opt/bin/leaplogin: Could not find one of the dependencies
> prelink: /opt/bin/gvpectrl.n900: Dependency tracing failed
> prelink: /opt/bin/netscape: Could not find one of the dependencies
> prelink: /opt/bin/cem: Could not find one of the dependencies
> prelink: /opt/bin/shgenSBRDF: Could not find one of the dependencies
> prelink: /opt/bin/Grimrock: Could not find one of the dependencies
> prelink: /opt/bin/cadaverserver: Could not find one of the dependencies
> prelink: /opt/bin/catrats: Could not find one of the dependencies
> prelink: /opt/bin/pakx: Could not find one of the dependencies
> prelink: /opt/bin/cadaverspyboss: Could not find one of the dependencies
> prelink: /opt/bin/shrike: Could not find one of the dependencies
> prelink: /opt/bin/shgenmap: Could not find one of the dependencies
> prelink: /opt/bin/ccgo: Could not find one of the dependencies
> prelink: /opt/bin/shgencubemap: Could not find one of the dependencies
> prelink: /opt/bin/ndump: Could not find one of the dependencies
> prelink: /opt/bin/pakc: Could not find one of the dependencies
> prelink: /opt/bin/nstats: Could not find one of the dependencies
> prelink: /opt/bin/v4l2info: Could not find one of the dependencies
> prelink: /opt/bin/shsparse: Could not find one of the dependencies
> prelink: /opt/bin/gtkpak: Could not find one of the dependencies
> prelink: /opt/sbin/gvpe.n900: Dependency tracing failed
> prelink: /opt/sbin/ssldecode: Could not find one of the dependencies
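The report above asks for two things from an extractor: drop a leading "/" or "../" from an entry name, and refuse entries that still carry a ".." component in the middle. The C function below, added here as an illustration and not code from minizip, zlib or the reporter, does exactly that check before the entry name is joined to the output directory. The helper name sanitize_entry_name and the status enum are hypothetical; it goes slightly beyond the report by treating backslashes as separators too, since entries written on Windows may use them. The sample names in main are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of checking a zip entry name before it is joined to the extraction dir. */
enum entry_name_status {
    ENTRY_OK = 0,        /* relative path, no ".." component: safe to use as-is */
    ENTRY_STRIPPED = 1,  /* leading "/" or "../" components were removed */
    ENTRY_REJECTED = 2   /* embedded ".." component or empty result: do not extract */
};

/* Does the path component [start, end) equal ".."? */
static int is_dotdot(const char *start, const char *end) {
    return (end - start) == 2 && start[0] == '.' && start[1] == '.';
}

static int is_sep(char c) { return c == '/' || c == '\\'; }

/*
 * Hypothetical helper (not part of minizip): writes a sanitized copy of `name`
 * into `out` (capacity outsz). Leading separators and leading ".." components
 * are dropped, as the report suggests; any ".." component that remains is an
 * embedded traversal and the entry is rejected.
 */
enum entry_name_status sanitize_entry_name(const char *name, char *out, size_t outsz) {
    enum entry_name_status status = ENTRY_OK;
    const char *p = name;

    /* Step 1: strip leading "/" (absolute path) and leading "../" components. */
    for (;;) {
        if (is_sep(*p)) {
            p++;
            status = ENTRY_STRIPPED;
            continue;
        }
        if (p[0] == '.' && p[1] == '.' && (is_sep(p[2]) || p[2] == '\0')) {
            p += (p[2] == '\0') ? 2 : 3;
            status = ENTRY_STRIPPED;
            continue;
        }
        break;
    }

    /* Step 2: walk the remaining components; any ".." in the middle is fatal. */
    const char *seg = p;
    for (const char *q = p; ; q++) {
        if (is_sep(*q) || *q == '\0') {
            if (is_dotdot(seg, q))
                return ENTRY_REJECTED;
            if (*q == '\0')
                break;
            seg = q + 1;
        }
    }

    /* An empty name (e.g. the entry was just "..") or an oversized one is rejected. */
    if (*p == '\0' || strlen(p) >= outsz)
        return ENTRY_REJECTED;
    strcpy(out, p);
    return status;
}

int main(void) {
    /* Constructed sample entry names, not taken from any real archive. */
    const char *samples[] = {
        "docs/readme.txt",
        "../../home/user/.profile",
        "/etc/passwd",
        "docs/../../etc/passwd",
        "..\\..\\win.ini",
    };
    static const char *labels[] = { "ok", "stripped", "rejected" };
    char out[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum entry_name_status s = sanitize_entry_name(samples[i], out, sizeof out);
        printf("%-28s -> %-8s %s\n", samples[i], labels[s],
               s == ENTRY_REJECTED ? "" : out);
    }
    return 0;
}
```

An extractor that applies this before building the output path can only ever write below its target directory, which is the property the report is asking for; logging the ENTRY_STRIPPED and ENTRY_REJECTED cases also gives a useful signal that an archive was crafted to escape.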