Closed
Description
Impact
This vulnerability could allow the attacker to write a file to an arbitrary directory.
How to reproduce
On the latest version (0.1.19) and the master branch of zip:
To reproduce the issue, you may try to extract this crafted zip file, which contains two files good.txt and ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt. After extraction, you will find evil.txt is at /tmp, which should be at ./tmp.
Here is the [PoC repo](https://github.com/jiahao42/PoC/tree/master/zip%40kuba--).
Root cause
The root cause is that zip doesn't normalize the path in mz_zip_reader_file_stat in miniz.h.
Patch
#124 should be able to fix the problem.
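
An added example, not part of the original report and not the change made in #124: a check that an extractor can run on each entry name before joining it to the destination directory. The function name `entry_name_is_safe` is hypothetical, and the traversal name in `main` is a shortened, constructed form of the one in the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of zip or miniz.
 * Returns 1 if an archive entry name can be joined to the extraction
 * directory without escaping it, 0 if the entry must be rejected. */
int entry_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    /* Absolute paths: POSIX root, Windows root or UNC prefix. */
    if (name[0] == '/' || name[0] == '\\')
        return 0;
    /* Windows drive prefix such as "C:". */
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;

    /* Walk the components, treating both '/' and '\\' as separators.
     * Any ".." component is rejected outright rather than resolved:
     * resolving "a/../b" is unsafe if "a" already exists as a symlink. */
    const char *p = name;
    while (*p != '\0') {
        size_t len = strcspn(p, "/\\");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
        if (*p != '\0')
            p++; /* skip the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names modelled on the two entries in the report. */
    const char *names[] = { "good.txt", "../../../tmp/evil.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s %s\n", names[i],
               entry_name_is_safe(names[i]) ? "extract" : "reject");
    return 0;
}
```

The check is lexical only; an extractor that also unpacks symlink entries needs a separate check on where those links point.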