14a5f8f266
Archive formats such as .zip files are generally susceptible to so-called
"traversal attacks". This allows an attacker to craft an archive that writes
to unexpected locations of the file system (e.g., /etc/shadow) if an
unsuspecting root user were to unpack a malicious archive.

This patch neutralizes absolute paths such as /tmp/moo and deeply relative
paths such as dummy/../../../../../../../../../../tmp/moo.

The Debian project requested CVE-2014-9485 be allocated for the first
identified weakness. The fix was incomplete, resulting in a revised patch
applied here. Since there wasn't an updated version released by Debian with
the incomplete fix, I suggest we use this CVE to identify both issues.

Link: https://security.snyk.io/research/zip-slip-vulnerability
Link: https://bugs.debian.org/774321
Link: https://bugs.debian.org/776831
Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485
Reported-by: Jakub Wilk <jwilk@debian.org>
Fixed-by: Michael Gilbert <mgilbert@debian.org>
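The kind of check the commit message describes, as an added example that is not the minizip patch itself and not zlib project code: a C function that normalizes an archive member name component by component and rejects the two hostile forms quoted above (an absolute path such as /tmp/moo, and a ".." chain that climbs above the extraction root). The function names, the static-buffer wrapper, and every sample name other than the two taken from the message are assumptions made here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Normalize an archive member name into a path that is guaranteed to stay
 * below the extraction directory. Returns true and writes the cleaned,
 * '/'-separated relative path into out on success; returns false when the
 * name is empty, absolute, carries a drive letter, climbs above the root
 * with "..", resolves to the root itself, or does not fit in out.
 * (Illustrative function, not part of minizip.)
 */
bool safe_member_name(const char *name, char *out, size_t outlen)
{
    if (name == NULL || name[0] == '\0' || outlen == 0)
        return false;

    /* Absolute forms: "/tmp/moo", "\\server\\share", "C:\\x", "C:x". */
    if (name[0] == '/' || name[0] == '\\')
        return false;
    if (((name[0] >= 'A' && name[0] <= 'Z') || (name[0] >= 'a' && name[0] <= 'z'))
        && name[1] == ':')
        return false;

    size_t pos = 0;   /* bytes written to out so far */
    int depth = 0;    /* real components currently held in out */
    const char *p = name;

    while (*p != '\0') {
        /* Find the end of the current component; both separators are
         * accepted so "..\\..\\x" is handled like "../../x". */
        const char *end = p;
        while (*end != '\0' && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - p);

        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "//" or "./" contributes nothing */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return false;          /* would escape the extraction root */
            depth--;
            while (pos > 0 && out[pos - 1] != '/')
                pos--;                 /* drop the last component ... */
            if (pos > 0)
                pos--;                 /* ... and the separator before it */
        } else {
            if (pos + len + 2 > outlen)   /* room for '/', component, NUL */
                return false;
            if (pos > 0)
                out[pos++] = '/';
            memcpy(out + pos, p, len);
            pos += len;
            depth++;
        }
        p = (*end != '\0') ? end + 1 : end;
    }

    if (pos == 0)
        return false;   /* e.g. "foo/.." resolves to the root: nothing to write */
    out[pos] = '\0';
    return true;
}

/* Convenience wrapper: the normalized path from a static buffer, or NULL
 * when the member name must be rejected. */
const char *normalize_member(const char *name)
{
    static char buf[4096];
    return safe_member_name(name, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed member names: the first two are the ones quoted in the
     * commit message, the rest are added here to exercise edge cases. */
    const char *names[] = {
        "/tmp/moo",
        "dummy/../../../../../../../../../../tmp/moo",
        "..\\..\\x",
        "C:\\Windows\\x",
        "dir/sub/../file.txt",
        "./a/./b",
        "foo/..",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *clean = normalize_member(names[i]);
        printf("%-45s -> %s\n", names[i], clean ? clean : "REJECTED");
    }
    return 0;
}
```

Run the check on every member name before joining it to the extraction directory, and only then open the target for writing. Note what it does not cover: an archive can also contain a symbolic link entry pointing outside the root, with later entries written through that link, so an extractor that creates symlinks needs a separate check on the link target and on the resolved parent directory at write time.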
contrib/ directory listing:

- ada
- blast
- delphi
- dotzlib
- gcc_gvmat64
- infback9
- iostream
- iostream2
- iostream3
- minizip
- nuget
- pascal
- puff
- testzlib
- untgz
- vstudio
- README.contrib
All files under this contrib directory are UNSUPPORTED. They were
provided by users of zlib and were not tested by the authors of zlib.
Use at your own risk. Please contact the authors of the contributions
for help about these, not the zlib authors. Thanks.

ada/        by Dmitriy Anisimkov <anisimkov@yahoo.com>
        Support for Ada
        See http://zlib-ada.sourceforge.net/

blast/      by Mark Adler <madler@alumni.caltech.edu>
        Decompressor for output of PKWare Data Compression Library (DCL)

delphi/     by Cosmin Truta <cosmint@cs.ubbcluj.ro>
        Support for Delphi and C++ Builder

dotzlib/    by Henrik Ravn <henrik@ravn.com>
        Support for Microsoft .Net and Visual C++ .Net

gcc_gvmat64/ by Gilles Vollant <info@winimage.com>
        GCC Version of x86 64-bit (AMD64 and Intel EM64t) code for x64
        assembler to replace longest_match() and inflate_fast()

infback9/   by Mark Adler <madler@alumni.caltech.edu>
        Unsupported diffs to infback to decode the deflate64 format

iostream/   by Kevin Ruland <kevin@rodin.wustl.edu>
        A C++ I/O streams interface to the zlib gz* functions

iostream2/  by Tyge Løvset <Tyge.Lovset@cmr.no>
        Another C++ I/O streams interface

iostream3/  by Ludwig Schwardt <schwardt@sun.ac.za>
            and Kevin Ruland <kevin@rodin.wustl.edu>
        Yet another C++ I/O streams interface

minizip/    by Gilles Vollant <info@winimage.com>
        Mini zip and unzip based on zlib
        Includes Zip64 support by Mathias Svensson <mathias@result42.com>
        See http://www.winimage.com/zLibDll/minizip.html

pascal/     by Bob Dellaca <bobdl@xtra.co.nz> et al.
        Support for Pascal

puff/       by Mark Adler <madler@alumni.caltech.edu>
        Small, low memory usage inflate. Also serves to provide an
        unambiguous description of the deflate format.

testzlib/   by Gilles Vollant <info@winimage.com>
        Example of the use of zlib

untgz/      by Pedro A. Aranda Gutierrez <paag@tid.es>
        A very simple tar.gz file extractor using zlib

vstudio/    by Gilles Vollant <info@winimage.com>
        Building a minizip-enhanced zlib with Microsoft Visual Studio
        Includes vc11 from kreuzerkrieg and vc12 from davispuh