Red Hat Bugzilla – Bug 156269
CAN-2005-1228 directory traversal bug
Last modified: 2007-11-30 17:11:05 EST
+++ This bug was initially created as a clone of Bug #156266 +++
A directory traversal bug exists in multiple versions of gzip. When
compressing a file, gzip saves its original name but not its path inside
the compressed file. When using gunzip's "-N" option, the original name
found inside the compressed file will be used as the name to save the
decompressed file with. "gunzip -N" doesn't check if the original name inside
the compressed file has any "/" characters in it. This makes it possible to
create a malicious compressed file that when decompressed with "gunzip -N"
will create a file at an arbitrary location in the file system.
Created attachment 113840
I used Ulf Harnhammar.
I fixed this problem in devel (gzip-1.3.5-5).
(Gunzip removes any directory prefix if you use -N and the compressed input file
contains a name with "/" characters.)
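
The behaviour described in the fix above, as an added example (not gzip's own code and not the patch attached to this bug): read the original name from the header and keep only its last path component. The header layout follows RFC 1952; `gz_stored_name`, `gz_output_name` and `sample_hdr` are hypothetical names, and falling back on an empty, "." or ".." result is an extra precaution of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GZ_FEXTRA 0x04  /* RFC 1952 FLG bit: extra field present */
#define GZ_FNAME  0x08  /* RFC 1952 FLG bit: original file name present */

/* Constructed sample header: FLG=FNAME, stored name "a/b/name.txt". */
static const unsigned char sample_hdr[] = {
    0x1f, 0x8b, 8, GZ_FNAME, 0, 0, 0, 0, 0, 3,
    'a', '/', 'b', '/', 'n', 'a', 'm', 'e', '.', 't', 'x', 't', 0
};

/* Return the NUL-terminated name stored in the header, or NULL if the
   header is malformed, truncated, or has no FNAME field. */
const char *gz_stored_name(const unsigned char *buf, size_t len)
{
    size_t pos = 10;                       /* fixed-size part of the header */
    if (len < pos || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 8 ||
        !(buf[3] & GZ_FNAME))
        return NULL;
    if (buf[3] & GZ_FEXTRA) {              /* skip XLEN and the extra field */
        if (len - pos < 2) return NULL;
        size_t xlen = buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2;
        if (len - pos < xlen) return NULL;
        pos += xlen;
    }
    if (pos >= len || !memchr(buf + pos, 0, len - pos))
        return NULL;                       /* name not terminated in buffer */
    return (const char *)(buf + pos);
}

/* Name to write to under -N: the stored name with any directory prefix
   removed; returns fb (the fallback) when nothing usable remains. */
const char *gz_output_name(const unsigned char *buf, size_t len, const char *fb)
{
    const char *name = gz_stored_name(buf, len);
    if (!name) return fb;
    const char *slash = strrchr(name, '/');
    if (slash) name = slash + 1;           /* keep only the last component */
    if (!*name || !strcmp(name, ".") || !strcmp(name, ".."))
        return fb;
    return name;
}

int main(void) {
    puts(gz_output_name(sample_hdr, sizeof sample_hdr, "out"));
    return 0;
}
```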