dzip is vulnerable to a directory traversal attack when unpacking specially crafted .dz files.
Created attachment 59225: PoC exploit

1. Get the PoC.dz file
2. Extract, like here:

    bash-2.05b$ ./dzip -x PoC.dz
    PoC.dz created using v2.9
    extracting ./../../exploited_file

3. 2 directories up, you can find a file called exploit_file with a "w0000t" string in it
Stefan, could you make sure upstream is alive and aware of this ?
so.... you can overwrite your own files with a special .dz file?
Contacted one of the upstream guys. Mr.Bones.: no, overwriting most likely won't work "./../../exploited_file exists; will not overwrite"
So what's the exploit?
dzip offers an option to force the overwriting of files, so if an attacker tricks a user to use this option, files will be overwritten.
Mr Bones: directory traversal is the exploit, i.e. you send someone a file that creates ../../../../../../../../home/foo/.profile; if you google for "tar directory traversal" or "zip directory traversal" and so on you can see some examples in other archiving utilities.
I'm not impressed. rm has some neat options that, if you can trick a user into using them, can cause massive data loss as well.
I tend to agree that if it doesn't overwrite files unless a specific option is provided it could be considered WONTFIX/DUMB_USER_REQUIRED_TO_EXPLOIT. That said, we issued GLSAs for worse than that.
<DerCorny> are you going to patch it? <@Radix37> probably eventually... i already have a lot of new things in an unfinished new version
Created attachment 59339: dzip-2.9-scrub-names.patch

seems to work for me ... please review
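The fix discussed in this thread is to scrub member names before extraction so that an entry like ./../../exploited_file or ../../../../home/foo/.profile can never be written outside the extraction directory. The following is an added illustration of that check, written for this page; it is not dzip's code and not the dzip-2.9-scrub-names.patch attached above, and the function name dz_member_name_is_safe and the sample names in main are constructed for the example. It rejects absolute paths (Unix and Windows forms) and any path component that is exactly "..", while still allowing harmless names such as "./a/b" or "a..b/file".

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not dzip's own code): return 1 if an archive
 * member name may be extracted relative to the current directory,
 * 0 if it must be rejected as a traversal attempt. */
int dz_member_name_is_safe(const char *name)
{
    const char *p = name;

    /* Empty or missing name: nothing sensible to extract. */
    if (name == NULL || *name == '\0')
        return 0;

    /* Absolute paths escape the target directory outright:
     * a leading '/' or '\', or a Windows drive prefix like "C:". */
    if (*p == '/' || *p == '\\')
        return 0;
    if (((*p >= 'A' && *p <= 'Z') || (*p >= 'a' && *p <= 'z')) && p[1] == ':')
        return 0;

    /* Walk the path component by component, treating both '/' and
     * '\' as separators, and refuse any component that is exactly "..".
     * A component such as "a..b" is an ordinary file name and is kept. */
    while (*p) {
        const char *start = p;
        size_t len;

        while (*p && *p != '/' && *p != '\\')
            p++;
        len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;
        if (*p)
            p++;            /* skip the separator */
    }
    return 1;
}

/* Count how many of a constructed list of member names would be
 * refused; useful for a quick self-check of the policy. */
int dz_count_rejected(const char *const *names, int n)
{
    int rejected = 0;
    int i;
    for (i = 0; i < n; i++)
        if (!dz_member_name_is_safe(names[i]))
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample member names, mixing the traversal forms
     * mentioned in the bug with ordinary ones. */
    static const char *const samples[] = {
        "./../../exploited_file",
        "../../../../home/foo/.profile",
        "/etc/passwd",
        "C:\\boot.ini",
        "docs/readme.txt",
        "./a/b",
        "a..b/file",
    };
    int n = (int)(sizeof samples / sizeof samples[0]);
    int i;

    for (i = 0; i < n; i++)
        printf("%-34s %s\n", samples[i],
               dz_member_name_is_safe(samples[i]) ? "ok" : "REJECT");
    printf("%d of %d names rejected\n", dz_count_rejected(samples, n), n);
    return 0;
}
```

Rejecting rather than silently rewriting the name is the safer choice here: an archive whose entries only make sense outside the extraction directory is malformed, and refusing it makes the problem visible to the user instead of quietly producing a different file layout.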
Patch seems fine so far.
Auditors, please have a look at the patch...
SpanKY: Tavis had a look and likes it. Please push it in the ebuild.
done, and stabilized for x86
Ready for GLSA
GLSA 200506-03