Directory traversal vulnerability in zziplib 0.13.69 #62
Comments
Other "zip/unzip" programs just delete any "../" components from the path. Should zziplib do the same?
Proposed solution:
}
Hey, unzip-mem (single z) seems to have the same problem.
https://nvd.nist.gov/vuln/detail/CVE-2018-17828 points to this ticket, and it seems to have open questions. Can you please fix this?
Directory traversal vulnerability in zziplib 0.13.69 allows attackers to overwrite arbitrary files via a .. (dot dot) in a zip file.
$unzzip-mem evil.zip
evil.zip
Relevant code in function unzzip_cat in Unzzipcat-mem.c:
```c
static int unzzip_cat (int argc, char ** argv, int extract)
{
    ......
    if (argc == 2)
    {  /* print directory list */
        ZZIP_MEM_ENTRY* entry = zzip_mem_disk_findfirst(disk);
        DBG2("findfirst %p\n", entry);
        for (; entry ; entry = zzip_mem_disk_findnext(disk, entry))
        {
            char* name = zzip_mem_entry_to_name (entry);
            FILE* out = stdout;
            if (extract) out = create_fopen(name, "wb", 1); //no checkout here
            if (! out) {
                if (errno != EISDIR) {
                    DBG3("can not open output file %i %s", errno, strerror(errno));
                    done = EXIT_ERRORS;
                }
                continue;
            }
            unzzip_mem_disk_cat_file (disk, name, out);
            if (extract) fclose(out);
        }
    }
    ......
}

static FILE* create_fopen(char* name, char* mode, int subdirs)
{
    if (subdirs)
    {
        char* p = strrchr(name, '/');
        if (p) {
            char* dir_name = _zzip_strndup(name, p-name);
            makedirs(dir_name);
            free (dir_name);
        }
    }
    return fopen(name, mode);
}

static void unzzip_mem_disk_cat_file(ZZIP_MEM_DISK* disk, char* name, FILE* out)
{
    ZZIP_DISK_FILE* file = zzip_mem_disk_fopen (disk, name);
    if (file)
    {
        char buffer[1025]; int len;
        while ((len = zzip_mem_disk_fread (buffer, 1, 1024, file)))
        {
            fwrite (buffer, 1, len, out);
        }
        zzip_mem_disk_fclose (file);
    }
}
```
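The check that is missing before `create_fopen` is a filter on the entry name. The following is an added example, not zziplib's code and not the fix proposed in this ticket: a hypothetical helper `sanitize_entry_name` that takes the approach mentioned in the comments (deleting `../` components) and also drops leading slashes, run here over constructed entry names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not zziplib code: copy `name` into `out`, dropping
 * leading slashes and every empty, "." or ".." component, so the result is
 * a relative path that cannot climb out of the extraction directory.
 * Only '/' is treated as a separator. A trailing '/' (directory entry) is
 * kept. Returns 0 on success, -1 if nothing remains or `out` is too small. */
static int sanitize_entry_name(const char *name, char *out, size_t outsz)
{
    size_t used = 0, n = strlen(name);
    const char *p = name;
    if (outsz == 0) return -1;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int skip = len == 0 || (len == 1 && p[0] == '.') ||
                   (len == 2 && p[0] == '.' && p[1] == '.');
        if (!skip) {
            size_t need = len + (used ? 1 : 0);      /* '/' + component */
            if (need >= outsz - used) return -1;     /* keep room for NUL */
            if (used) out[used++] = '/';
            memcpy(out + used, p, len);
            used += len;
        }
        if (!end) break;
        p = end + 1;
    }
    if (used && name[n - 1] == '/') {                /* directory entry */
        if (used + 1 >= outsz) return -1;
        out[used++] = '/';
    }
    out[used] = '\0';
    return used ? 0 : -1;
}

int main(void)
{
    /* Constructed entry names, as they might appear in an archive. */
    const char *names[] = { "../../tmp/evil", "/etc/passwd", "docs/../a.txt", "../" };
    char safe[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (sanitize_entry_name(names[i], safe, sizeof safe) == 0)
            printf("%-16s -> %s\n", names[i], safe);
        else
            printf("%-16s -> (skipped)\n", names[i]);
    }
    return 0;
}
```

In the extraction loop the sanitized name would be the one passed to `create_fopen`, while the original entry name is still used to look the entry up in the archive.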