Package: unshield Version: 1.0-1 Tags: securityunshield is vulnerable to directory traversal via "../" sequences. As a proof of concept, unpacking the attached InstallShield archive creates a file in /tmp:
$ ls /tmp/moo
ls: cannot access /tmp/moo: No such file or directory
$ unshield x data1.cab
Cabinet: data1.cab
extracting:
./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
-------- -------
1 files
$ ls /tmp/moo
/tmp/moo
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages unshield depends on:
ii libc6 2.19-13
ii libunshield0 1.0-1
ii zlib1g 1:1.2.8.dfsg-2+b1
--
Jakub Wilk
data1.cab
Description: Binary data
data1.hdr
Description: Binary data
