Candidate: CVE-2018-17828
PublicDate: 2018-10-01 08:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17828
Description:
 Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to
 overwrite arbitrary files via a .. (dot dot) in a zip file, because of the
 function unzzip_cat in the bins/unzzipcat-mem.c file.
Ubuntu-Description:
Notes:
 mdeslaur> these tools aren't installed in the binary package
 mdeslaur> see upstream bug for patch to unzip-mem too
Bugs:
 https://github.com/gdraheim/zziplib/issues/62
Priority: negligible
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N [5.5 MEDIUM]


Patches_zziplib:
 upstream: https://github.com/gdraheim/zziplib/commit/f609ae8971f3c0ce64d38276b778001d0bbfc84b
upstream_zziplib: needs-triage
precise/esm_zziplib: DNE
trusty_zziplib: ignored (reached end-of-life)
trusty/esm_zziplib: DNE (trusty was needed)
xenial_zziplib: ignored (end of standard support, was needed)
esm-infra/xenial_zziplib: needed
bionic_zziplib: needed
cosmic_zziplib: ignored (reached end-of-life)
disco_zziplib: ignored (reached end-of-life)
eoan_zziplib: ignored (reached end-of-life)
focal_zziplib: needed
groovy_zziplib: ignored (reached end-of-life)
hirsute_zziplib: ignored (reached end-of-life)
impish_zziplib: needed
jammy_zziplib: needed
devel_zziplib: needed