zlib/contrib
Matt Wilson 14a5f8f266 Neutralize zip file traversal attacks in miniunz.
Archive formats such as .zip files are generally susceptible to
so-called "traversal attacks". This allows an attacker to craft
an archive that writes to unexpected locations of the file system
(e.g., /etc/shadow) if an unsuspecting root user were to unpack a
malicious archive.

This patch neutralizes absolute paths such as /tmp/moo and deeply
relative paths such as dummy/../../../../../../../../../../tmp/moo

The Debian project requested CVE-2014-9485 be allocated for the
first identified weakness. The fix was incomplete, resulting in a
revised patch applied here. Since there wasn't an updated version
released by Debian with the incomplete fix, I suggest we use this
CVE to identify both issues.

Link: https://security.snyk.io/research/zip-slip-vulnerability
Link: https://bugs.debian.org/774321
Link: https://bugs.debian.org/776831
Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485
Reported-by: Jakub Wilk <jwilk@debian.org>
Fixed-by: Michael Gilbert <mgilbert@debian.org>
2024-01-17 15:08:08 -08:00
ada Fix typos in contrib/ada. 2023-08-14 08:17:22 -07:00
blast Correct typo in blast.c. 2021-01-17 21:50:08 -08:00
delphi zlib 1.3 2023-08-18 01:45:36 -07:00
dotzlib Fix random typos over several source and text files. 2024-01-17 13:49:11 -08:00
gcc_gvmat64 zlib 1.2.4-pre1 2011-09-09 23:32:36 -07:00
infback9 Correct repeated words in source file comments and a readme. 2023-11-14 18:44:32 -08:00
iostream zlib 1.2.0.5 2011-09-09 23:22:37 -07:00
iostream2 zlib 1.2.0.5 2011-09-09 23:22:37 -07:00
iostream3 Fix random typos over several source and text files. 2024-01-17 13:49:11 -08:00
minizip Neutralize zip file traversal attacks in miniunz. 2024-01-17 15:08:08 -08:00
nuget Update version and date in contrib/nuget. 2023-08-19 23:17:29 -07:00
pascal Change version number on develop branch to 1.3.0.1. 2023-08-18 13:23:07 -07:00
puff Fix some typos. 2022-08-23 15:35:13 -07:00
testzlib Match sign of printf directive to sign of argument in testzlib. 2023-07-29 23:58:11 -07:00
untgz Add license to contrib/untgz. 2023-08-17 17:10:12 -07:00
vstudio Update version numbers and year in contrib/vstudio/vc17. 2023-08-19 17:13:12 -07:00
README.contrib Fix typo in contrib readme. 2022-08-28 13:13:17 -07:00

All files under this contrib directory are UNSUPPORTED. They were
provided by users of zlib and were not tested by the authors of zlib.
Use at your own risk. Please contact the authors of the contributions
for help about these, not the zlib authors. Thanks.


ada/        by Dmitriy Anisimkov <anisimkov@yahoo.com>
        Support for Ada
        See http://zlib-ada.sourceforge.net/

blast/      by Mark Adler <madler@alumni.caltech.edu>
        Decompressor for output of PKWare Data Compression Library (DCL)

delphi/     by Cosmin Truta <cosmint@cs.ubbcluj.ro>
        Support for Delphi and C++ Builder

dotzlib/    by Henrik Ravn <henrik@ravn.com>
        Support for Microsoft .Net and Visual C++ .Net

gcc_gvmat64/by Gilles Vollant <info@winimage.com>
        GCC Version of x86 64-bit (AMD64 and Intel EM64t) code for x64
        assembler to replace longest_match() and inflate_fast()

infback9/   by Mark Adler <madler@alumni.caltech.edu>
        Unsupported diffs to infback to decode the deflate64 format

iostream/   by Kevin Ruland <kevin@rodin.wustl.edu>
        A C++ I/O streams interface to the zlib gz* functions

iostream2/  by Tyge Løvset <Tyge.Lovset@cmr.no>
        Another C++ I/O streams interface

iostream3/  by Ludwig Schwardt <schwardt@sun.ac.za>
            and Kevin Ruland <kevin@rodin.wustl.edu>
        Yet another C++ I/O streams interface

minizip/    by Gilles Vollant <info@winimage.com>
        Mini zip and unzip based on zlib
        Includes Zip64 support by Mathias Svensson <mathias@result42.com>
        See http://www.winimage.com/zLibDll/minizip.html

pascal/     by Bob Dellaca <bobdl@xtra.co.nz> et al.
        Support for Pascal

puff/       by Mark Adler <madler@alumni.caltech.edu>
        Small, low memory usage inflate.  Also serves to provide an
        unambiguous description of the deflate format.

testzlib/   by Gilles Vollant <info@winimage.com>
        Example of the use of zlib

untgz/      by Pedro A. Aranda Gutierrez <paag@tid.es>
        A very simple tar.gz file extractor using zlib

vstudio/    by Gilles Vollant <info@winimage.com>
        Building a minizip-enhanced zlib with Microsoft Visual Studio
        Includes vc11 from kreuzerkrieg and vc12 from davispuh