[Secure-testing-team] Bug#799326: zlib-bin: miniunzip unzips paths starting with ../
Marc Lehmann
debian-reportbug at plan9.de
Thu Sep 17 21:27:36 UTC 2015
Package: zlib-bin
Version: 1:1.2.7.dfsg-13
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
I'm using miniunzip as replacement for info zip, as miniunzip seems
to be the only program in debian gnu/linux that can properly unpack
international filenames (presumably by treating them as binary, which is
better than info-zip, which mangles them so the original names are lost).
Unfortunately, miniunzip contains at least one big security problem,
namely it unpacks filenames starting with ../ (and presumably filenames
with embedded /../ components).
That means a malicious zip file containing e.g. ../../home/user/.profile
or ../../../../../etc/passwd could overwrite files not intended for overwriting.
I haven't tested whether miniunzip also unpacks filenames starting with /.
In these cases, miniunzip should remove the initial ../ or /, and probably
fail when it encounters embedded /../ components.
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.4-040104-generic (SMP w/12 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages zlib-bin depends on:
ii libc6 2.19-18+deb8u1
ii zlib1g 1:1.2.8.dfsg-2+b1
zlib-bin recommends no packages.
zlib-bin suggests no packages.
-- no debconf information
-- debsums errors found:
prelink: /opt/bin/leaplogin: Could not find one of the dependencies
prelink: /opt/bin/gvpectrl.n900: Dependency tracing failed
prelink: /opt/bin/netscape: Could not find one of the dependencies
prelink: /opt/bin/cem: Could not find one of the dependencies
prelink: /opt/bin/shgenSBRDF: Could not find one of the dependencies
prelink: /opt/bin/Grimrock: Could not find one of the dependencies
prelink: /opt/bin/cadaverserver: Could not find one of the dependencies
prelink: /opt/bin/catrats: Could not find one of the dependencies
prelink: /opt/bin/pakx: Could not find one of the dependencies
prelink: /opt/bin/cadaverspyboss: Could not find one of the dependencies
prelink: /opt/bin/shrike: Could not find one of the dependencies
prelink: /opt/bin/shgenmap: Could not find one of the dependencies
prelink: /opt/bin/ccgo: Could not find one of the dependencies
prelink: /opt/bin/shgencubemap: Could not find one of the dependencies
prelink: /opt/bin/ndump: Could not find one of the dependencies
prelink: /opt/bin/pakc: Could not find one of the dependencies
prelink: /opt/bin/nstats: Could not find one of the dependencies
prelink: /opt/bin/v4l2info: Could not find one of the dependencies
prelink: /opt/bin/shsparse: Could not find one of the dependencies
prelink: /opt/bin/gtkpak: Could not find one of the dependencies
prelink: /opt/sbin/gvpe.n900: Dependency tracing failed
prelink: /opt/sbin/ssldecode: Could not find one of the dependencies
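The check the report asks for, written as an added example (not code from zlib, minizip or the Debian package): a lexical validation of a zip entry name that an extractor would run before joining the name to the target directory. The function name is hypothetical, the entry names in main() are constructed from the report, and treating '\' as a separator is an extra assumption about archives produced on Windows.

```c
/* Added example: reject zip entry names that would escape the
 * extraction directory (leading '/' or any ".." component). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Returns true only when `name` is relative and no path component is
 * exactly "..". Both '/' and (assumption) '\\' count as separators.
 * Components like "..hidden" or "." are allowed; they cannot climb up. */
bool zip_entry_path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;                       /* nothing sensible to write */
    if (name[0] == '/' || name[0] == '\\')
        return false;                       /* absolute path, e.g. /etc/passwd */

    const char *p = name;
    while (*p != '\0') {
        size_t n = 0;                       /* length of current component */
        while (p[n] != '\0' && p[n] != '/' && p[n] != '\\')
            n++;
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return false;                   /* leading ../, embedded /../, trailing /.. */
        p += n;
        while (*p == '/' || *p == '\\')
            p++;                            /* skip one or more separators */
    }
    return true;
}

int main(void)
{
    /* Constructed entry names, including the two from the report. */
    const char *names[] = {
        "../../home/user/.profile", "../../../../../etc/passwd",
        "/etc/passwd", "docs/../../x", "docs/..hidden", "a/./b//c.txt",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s %s\n", names[i],
               zip_entry_path_is_safe(names[i]) ? "extract" : "REJECT");
    return 0;
}
```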