@kuba-- @jiahao42
This issue only happens with the API zip_extract(). Am I right?
With the APIs zip_entry_open() and zip_entry_fread(), the full name of the archive file must be specified,
so the file path is designated by the programmer; it should not be wrong.
@jiahao42
It's been a long time. Are you still working on #124?
If you stopped, I think I can help.
Impact
This vulnerability could allow the attacker to write a file to an arbitrary directory.
How to reproduce
On the latest version (0.1.19) and the master branch of zip:
To reproduce the issue, you may try to extract this crafted zip file, which contains two files, good.txt and ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt. After extraction, you will find evil.txt is at /tmp, which should be at ./tmp. Here is the [PoC repo](https://github.com/jiahao42/PoC/tree/master/zip%40kuba--).
Root cause
The root cause is that zip doesn't normalize the path in mz_zip_reader_file_stat in miniz.h.
Patch
#124 should be able to fix the problem.
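A lexical containment check of the kind the root cause calls for, as an added example (not code from zip, miniz, or #124). `entry_name_is_contained` is a hypothetical helper, and the entry names in `main` are constructed, modelled on the two files in the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of zip or miniz): returns 1 if the archive
 * entry name stays inside the extraction directory, 0 otherwise. */
static int entry_name_is_contained(const char *name)
{
    int depth = 0;                 /* levels below the extraction root */
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;
    /* Absolute paths and Windows drive prefixes are rejected outright. */
    if (*name == '/' || *name == '\\' || name[1] == ':')
        return 0;

    while (*p != '\0') {
        /* Treat both separators alike; some archives use '\\'. */
        size_t len = strcspn(p, "/\\");

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)       /* climbed above the root */
                return 0;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;               /* ordinary path component */
        }
        p += len;
        if (*p != '\0')
            p++;                   /* skip the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed entry names, not taken from the PoC archive itself. */
    const char *names[] = { "good.txt", "../../../../tmp/evil.txt",
                            "a/../b.txt", "a/../../b.txt", "/tmp/evil.txt" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s %s\n", names[i],
               entry_name_is_contained(names[i]) ? "extract" : "reject");
    return 0;
}
```

The check is purely lexical, so it does not account for symlinks that already exist under the extraction directory.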