Your message dated Sat, 26 Sep 2015 23:09:56 -0400
with message-id
<CANTw=MMUq5a7_RkPxE2NMJ_=cchs4tvw1gzujvuej7klayt...@mail.gmail.com>
and subject line Re: Bug#799326: zlib-bin: miniunzip unzips paths starting with ../
has caused the Debian Bug report #799326,
regarding zlib-bin: miniunzip unzips paths starting with ../
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
799326: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799326
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zlib-bin
Version: 1:1.2.7.dfsg-13
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
I'm using miniunzip as a replacement for info zip, as miniunzip seems
to be the only program in debian gnu/linux that can properly unpack
international filenames (presumably by treating them as binary, which is
better than info-zip, which mangles them so the original names are lost).
Unfortunately, miniunzip contains at least one big security problem,
namely it unpacks filenames starting with ../ (and presumably filenames
with embedded /../ components).
That means a malicious zip file containing e.g. ../../home/user/.profile
or ../../../../../etc/passwd could overwrite files not intended for overwriting.
I haven't tested whether miniunzip also unpacks filenames starting with /.
In these cases, miniunzip should remove the initial ../ or /, and probably
fail when it encounters embedded /../ components.
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.4-040104-generic (SMP w/12 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages zlib-bin depends on:
ii libc6 2.19-18+deb8u1
ii zlib1g 1:1.2.8.dfsg-2+b1
zlib-bin recommends no packages.
zlib-bin suggests no packages.
-- no debconf information
-- debsums errors found:
--- End Message ---
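The entry-name check the report asks for, written here as an added example in C (it is not code from miniunzip or the zlib project). Rather than stripping a leading ../ or /, which leaves the embedded case to a second rule, it rejects the entry outright whenever the name is absolute or any path component is exactly "..", leading or embedded; it also goes slightly beyond the report by treating backslashes and a drive-letter prefix as unsafe, since archives written on Windows can carry those. The function name zip_entry_path_is_safe is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Return true if a zip entry name may be extracted under the target
 * directory: non-empty, relative, and with no ".." component anywhere.
 * Both '/' and '\\' are treated as separators (assumption: some archivers
 * write backslashes), so "a\\..\\b" is rejected just like "a/../b". */
bool zip_entry_path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;

    /* Leading separator: an absolute path escapes the target directory. */
    if (name[0] == '/' || name[0] == '\\')
        return false;

    /* "C:..." style drive prefix is absolute on Windows; reject it too. */
    bool letter = (name[0] >= 'A' && name[0] <= 'Z') ||
                  (name[0] >= 'a' && name[0] <= 'z');
    if (letter && name[1] == ':')
        return false;

    /* Walk the name component by component; only a component that is
     * exactly ".." is a traversal (so "..foo" and "a..b" stay allowed). */
    const char *p = name;
    while (*p != '\0') {
        const char *end = p;
        while (*end != '\0' && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p = (*end != '\0') ? end + 1 : end;
    }
    return true;
}

int main(void)
{
    /* Constructed sample entry names, including the two from the report. */
    const char *names[] = {
        "docs/readme.txt", "../../home/user/.profile",
        "../../../../../etc/passwd", "/etc/passwd", "a/../../b", "..foo/bar",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s %s\n", names[i],
               zip_entry_path_is_safe(names[i]) ? "extract" : "REJECT");
    return 0;
}
```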
--- Begin Message ---
version: 1.1-5
--- End Message ---