From ${URL} : Jakub Wilk reports: Package: unshield Version: 1.0-1 Tags: security unshield is vulnerable to directory traversal via "../" sequences. As a proof of concept, unpacking the attached InstallShield archive creates a file in /tmp: $ ls /tmp/moo ls: cannot access /tmp/moo: No such file or directory $ unshield x data1.cab Cabinet: data1.cab extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo -------- ------- 1 files $ ls /tmp/moo /tmp/moo -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (990, 'unstable'), (500, 'experimental') Architecture: i386 (x86_64) Foreign Architectures: amd64 Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This is still unresolved upstream: https://github.com/twogood/unshield/issues/42 I am going to commit a new version of this package anyway; then, when a fix is released, it should be easy to do another bump.
This is fixed in v1.4, which I've just added to the tree. I can remove the old versions after stabilization.
@ Arches, please test and mark stable: =app-arch/unshield-1.4
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
The old versions have been removed.
@ Arches & maintainer(s): Thank you for your work. GLSA Vote: No