A flaw was found in ZZIPlib 0.13.69. A directory traversal vulnerability allows attackers to overwrite arbitrary files via a .. (dot dot) in a zip file, because of the function unzzip_cat in the bins/unzzipcat-mem.c file.
Created zziplib tracking bugs for this issue:
Affects: fedora-all [bug 1635889]
The same flaw is present in unzzipcat-big.c, unzzipcat-mix.c and unzzipcat-zip.c.
The same problem is also present in unzip-mem.c.
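As an added illustration (not the zziplib patch and not code from this report), the check below shows one way an extraction tool can reject entry names containing `..` components or absolute paths before joining them onto the output directory. The function name `entry_name_is_safe` and the sample names in `main` are assumptions constructed for this example; it rejects unsafe names rather than rewriting them.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of zziplib): returns 1 when an archive
 * entry name can be joined onto an extraction directory without leaving
 * it, 0 otherwise. Symlinks already on disk are out of scope here. */
int entry_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    /* Absolute paths escape the target directory outright. */
    if (name[0] == '/' || name[0] == '\\')
        return 0;
    /* Conservatively refuse anything shaped like a drive prefix ("C:"). */
    if (name[1] == ':')
        return 0;

    const char *p = name;
    while (*p != '\0') {
        /* Length of the current component, up to the next separator. */
        size_t len = strcspn(p, "/\\");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;               /* a ".." component climbs upward */
        p += len;
        if (*p != '\0')
            p++;                    /* step over the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample entry names, not taken from a real archive. */
    const char *samples[] = {
        "docs/readme.txt", "../../etc/passwd", "a/../../b",
        "/etc/passwd", "..\\x", "a..b/c..",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               entry_name_is_safe(samples[i]) ? "extract" : "reject");
    return 0;
}
```

Both `/` and `\` are treated as separators so the same check holds for archives written on either platform.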
Proposed patch for unzip-mem.c: