Directory traversal vulnerability when handling crafted zip file #123

Closed
@jiahao42

Impact

This vulnerability could allow the attacker to write a file to an arbitrary directory.

How to reproduce

On the latest version (0.1.19) and the master branch of zip:

To reproduce the issue, you may try to extract this crafted zip file, which contains two files good.txt and ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt. After extraction, you will find evil.txt is at /tmp, which should be at ./tmp.

Here is the [PoC repo](https://github.com/jiahao42/PoC/tree/master/zip%40kuba--).

Root cause

The root cause is that zip doesn't normalize the path in mz_zip_reader_file_stat in miniz.h.

Patch

#124 should be able to fix the problem.
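
The kind of check this report calls for, as an added example (not code from zip, miniz, or #124): a hypothetical helper `entry_name_is_safe` walks an entry name component by component and rejects any name that would resolve outside the extraction directory. The sample names in `main` are constructed, modeled on the two entries described above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of zip or miniz): returns 1 if the entry
 * name stays inside the extraction directory, 0 otherwise. Purely lexical;
 * it does not look at symlinks already present on disk. */
int entry_name_is_safe(const char *name)
{
    int depth = 0; /* directory levels below the extraction root */
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;
    if (*p == '/' || *p == '\\') /* absolute path */
        return 0;
    if (isalpha((unsigned char)p[0]) && p[1] == ':') /* drive prefix, e.g. C: */
        return 0;

    while (*p != '\0') {
        size_t len = strcspn(p, "/\\"); /* length of the current component */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0; /* ".." climbs above the extraction root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++; /* ordinary component; "" and "." change nothing */
        }
        p += len;
        if (*p != '\0')
            p++; /* step over the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed entry names modeled on the two files in the report. */
    const char *names[] = { "good.txt", "../../../tmp/evil.txt",
                            "docs/../good.txt", "docs/../../evil.txt",
                            "/tmp/evil.txt", "..\\..\\evil.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s %s\n", names[i],
               entry_name_is_safe(names[i]) ? "extract" : "reject");
    return 0;
}
```

An extractor would call such a check on each entry name before opening the output file and skip or abort on a rejected entry.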
