Bug 1635888 – CVE-2018-17828 zziplib: directory traversal in unzzip_cat in the bins/unzzipcat-mem.c

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1635888 - (CVE-2018-17828) CVE-2018-17828 zziplib: directory traversal in unzzip_cat in the bins/unzzipcat-mem.c

Summary:	CVE-2018-17828 zziplib: directory traversal in unzzip_cat in the bins/unzzipc...

Status:	NEW

Aliases:	CVE-2018-17828

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180925,repor...
Keywords:	Security

Depends On:	1635889 1635890 1641635
Blocks:	1635891
	Show dependency tree / graph

Reported:	2018-10-03 16:36 EDT by Laura Pardo
Modified:	2018-10-24 14:06 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was discovered that zziplib is vulnerable to a directory traversal flaw in most of its unzip binaries, including unzip-mem, unzzipcat-mem, unzzipcat-big, unzzipcat-mix, and unzzipcat-zip. An attacker may use this flaw to write files outside the intended target directory, overwriting existing files, or creating new ones.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Laura Pardo 2018-10-03 16:36:19 EDT

A flaw was found in ZZIPlib 0.13.69. A directory traversal vulnerability allows attackers to overwrite arbitrary files via a .. (dot dot) in a zip file, because of the function unzzip_cat in the bins/unzzipcat-mem.c file. 


References:
https://github.com/gdraheim/zziplib/issues/62

Comment 1 Laura Pardo 2018-10-03 16:36:47 EDT

Created zziplib tracking bugs for this issue:

Affects: fedora-all [bug 1635889]

Comment 3 Riccardo Schirone 2018-10-22 07:13:12 EDT

Upstream patch:
https://github.com/gdraheim/zziplib/commit/f609ae8971f3c0ce64d38276b778001d0bbfc84b

Comment 4 Riccardo Schirone 2018-10-22 07:17:04 EDT

The same flaw is present in unzzipcat-big.c, unzzipcat-mix.c and unzzipcat-zip.c.

Comment 5 Riccardo Schirone 2018-10-22 07:46:14 EDT

The same problem is also present in unzip-mem.c.

Proposed patch for unzip-mem.c:
https://github.com/gdraheim/zziplib/files/2482517/patch.txt

Note You need to log in before you can comment on or make changes to this bug.