Zip Slip Vulnerability in FlightCrew #52
Description
Summary
FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip Slip'.
Impact
This vulnerability can be used to write files to arbitrary locations and could potentially result in granting an attacker remote access or arbitrary code execution.
This is a medium severity issue for Sigil users, but may have greater impact on third-party software that uses FlightCrew as a library.
Steps to Reproduce
- Download the attached "zip-slip.zip"
- On a Linux system, process the epub using flightcrew-cli.
  flightcrew-cli --input-file zip-slip.zip
- Check for the existence of "/tmp/evil.txt" with the contents "this is an evil one".
Further Reading
For more information on zip-slip vulnerabilities, see https://snyk.io/research/zip-slip-vulnerability
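
The check that is missing during extraction, as an added example that is not part of the original report and is not FlightCrew's code or its fix: each archive entry name is resolved lexically against the destination directory and rejected if it is absolute or climbs above that directory. The helper name `safe_extract_path`, the destination `/tmp/out` and the sample entry names are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>
// Split an entry name on '/' and '\\' (archives made on Windows may use either).
static std::vector<std::string> split_components(const std::string& name) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : name) {
        if (c != '/' && c != '\\') { cur += c; continue; }
        if (!cur.empty()) parts.push_back(cur);
        cur.clear();
    }
    if (!cur.empty()) parts.push_back(cur);
    return parts;
}

// Hypothetical helper: returns the path under dest_dir for this entry,
// or "" if the entry must be rejected instead of extracted.
std::string safe_extract_path(const std::string& dest_dir, const std::string& entry) {
    if (dest_dir.empty() || entry.empty()) return "";
    if (entry[0] == '/' || entry[0] == '\\') return "";        // absolute path
    if (entry.size() > 1 && entry[1] == ':') return "";        // drive letter
    if (entry.find('\0') != std::string::npos) return "";      // embedded NUL
    std::vector<std::string> kept;
    for (const std::string& part : split_components(entry)) {
        if (part == ".") continue;
        if (part == "..") {
            if (kept.empty()) return "";   // would climb above dest_dir
            kept.pop_back();
        } else {
            kept.push_back(part);
        }
    }
    if (kept.empty()) return "";           // resolves to dest_dir itself
    std::string out = dest_dir;
    for (const std::string& part : kept) {
        if (out.back() != '/') out += '/';
        out += part;
    }
    return out;
}

int main() {
    // Constructed entry names, not read from the attached archive.
    const char* names[] = {"OEBPS/content.opf", "../../tmp/evil.txt", "/tmp/evil.txt"};
    for (const char* n : names)
        std::cout << n << " -> [" << safe_extract_path("/tmp/out", n) << "]\n";
}
```

The check is purely lexical, so it does not account for symbolic links that already exist inside the destination directory.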