GNOME Bugzilla – Bug 742331
Directory traversal in gcab
Last modified: 2015-01-05 23:11:04 UTC
This is forwarded from https://bugs.debian.org/774580
gcab suffers from a directory traversal bug: it doesn't filter leading slashes from paths in CAB files.
Created attachment 293730
Avoid path traversal
The attached patch fixes this, at the cost of ugly paths when faced with relative traversals. At least all the CAB's contents can be extracted, without overwriting anything outside the extraction path.
Attachment 293730 pushed as 0ccdf56 - Avoid path traversal
thanks for the patch
This has been assigned CVE-2015-0552 (see https://security-tracker.debian.org/tracker/CVE-2015-0552 for more info along with links to the various security trackers).
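The class of check discussed in this report, as an added example that is not gcab's code and not the attached patch: a C helper that maps an archive member name to a path that cannot leave the extraction directory. The name `safe_member_path`, the `out` directory and the sample member names are hypothetical. It strips leading slashes and, as a design choice of this example, also drops `.` and `..` components.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not gcab API): join extraction dir `dest` and the
 * archive member `name` so the result always stays below `dest`.
 * Both '/' and '\\' are treated as separators; empty components (which
 * covers leading slashes), "." and ".." are dropped.
 * Assumes a POSIX target, so a "C:" component is kept as a plain name.
 * Returns 0 on success, -1 if nothing usable remains or `out` is too small. */
static int safe_member_path(const char *dest, const char *name,
                            char *out, size_t outlen)
{
    size_t len = strlen(dest), base;
    const char *p = name;

    if (len == 0 || len + 1 >= outlen)
        return -1;
    memcpy(out, dest, len);
    while (len > 0 && out[len - 1] == '/')   /* trim trailing '/' on dest */
        len--;
    base = len;

    while (*p) {
        size_t n = strcspn(p, "/\\");        /* length of next component */
        int skip = n == 0 || (n == 1 && p[0] == '.') ||
                   (n == 2 && p[0] == '.' && p[1] == '.');
        if (!skip) {
            if (len + 1 + n >= outlen)       /* leave room for the NUL */
                return -1;
            out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
        }
        p += n;
        if (*p)
            p++;                             /* step over the separator */
    }
    out[len] = '\0';
    return len > base ? 0 : -1;              /* reject names that clean to nothing */
}

int main(void)
{
    /* Constructed member names, not taken from a real CAB file. */
    const char *names[] = { "/etc/passwd", "..\\..\\etc\\passwd", "docs/./a.txt", "../" };
    char buf[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s -> %s\n", names[i],
               safe_member_path("out", names[i], buf, sizeof buf) ? "(rejected)" : buf);
    return 0;
}
```

Dropping components can make two distinct member names map to the same output file, so an extractor using this approach still has to decide how to handle collisions.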