+++ This bug was initially created as a clone of Bug #156266 +++

A directory traversal bug exists in multiple versions of gzip. When compressing a file, gzip saves its original name but not its path inside the compressed file. When using gunzip's "-N" option, the original name found inside the compressed file will be used as the name to save the decompressed file with.

"gunzip -N" doesn't check if the original name inside the compressed file has any "/" characters in it. This makes it possible to create a malicious compressed file that when decompressed with "gunzip -N" will create a file at an arbitrary location in the file system.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255
Created attachment 113840
Used patch.

I used Ulf Harnhammar. I fixed this problem in devel (gzip-1.3.5-5). (Gunzip removes any directory prefix if you use -N and the compressed input file contains a name with "/" characters.)

Ivana Varekova
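
As an added example (not part of the bug report and not the patch attached to it), this Python code reads the original-name field from a gzip header as laid out in RFC 1952 and drops any directory prefix, so a file can be checked before "gunzip -N" is run on it. The function names and the sample header bytes are constructed for illustration.

```python
import struct
from typing import Optional, Tuple

FEXTRA, FNAME = 0x04, 0x08  # FLG bits defined by RFC 1952

# Constructed sample: a gzip header only, whose stored name contains "/".
SAMPLE_HEADER = (b"\x1f\x8b\x08" + bytes([FNAME]) + b"\x00" * 4 + b"\x00\x03"
                 + b"some/dir/constructed.txt\x00")


def stored_name(blob: bytes) -> Optional[str]:
    """Return the original-name (FNAME) field of a gzip member, or None."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    if blob[2] != 8:
        raise ValueError("unknown compression method")
    flags = blob[3]
    pos = 10  # fixed part: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & FEXTRA:
        if pos + 2 > len(blob):
            raise ValueError("truncated FEXTRA field")
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen  # skip the extra field; FNAME follows it
    if not flags & FNAME:
        return None
    end = blob.find(b"\x00", pos)
    if end == -1:
        raise ValueError("unterminated FNAME field")
    return blob[pos:end].decode("latin-1")


def safe_name(name: str) -> str:
    """Drop any directory prefix so only a bare file name remains."""
    base = name.rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError("stored name has no usable file component")
    return base


def audit(blob: bytes) -> Tuple[Optional[str], Optional[str], bool]:
    """Return (stored name, name safe to use, whether the stored name had a '/')."""
    name = stored_name(blob)
    if name is None:
        return None, None, False
    return name, safe_name(name), "/" in name
```
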