Bug#774453: zoo: directory traversal
Control: severity -1 serious Rationale: The package is currently without maintainer (QA maintained) and has this open for several years. Thus either for buster the issue is fixed or not included. Alternatively, but has still high popcon, remove zoo from the archive? Regards, Salvatore
Bug#774453: zoo: directory traversal
* Jakub Wilk , 2015-01-02, 23:16: Either the fix for CVE-2005-2349 (bug #309594) wasn't complete, or it bit-rotted, because Zoo is still susceptible to directory traversal: To clarify, #309594 discussed only relative path traversal (via ".." sequences), but AFAICS the patch[0] tries to address also absolute path traversal. And, despite the patch, Zoo is currently susceptible to relative directory traversal, too: $ zoo x traversal-relative.zoo Zoo: ../moo -- skipped $ ls -l ../moo -rw-r--r-- 1 jwilk users 4 Jan 5 2015 ../moo [0] https://sources.debian.net/src/zoo/2.10-27/debian/patches/02-traversal-directory.patch/ -- Jakub Wilk traversal-relative.zoo Description: Binary data
Bug#774453: zoo: directory traversal
Package: zoo Version: 2.10-27+b1 Tags: security Either the fix for CVE-2005-2349 (bug #309594) wasn't complete, or it bit-rotted, because Zoo is still susceptible to directory traversal: $ pwd /home/jwilk $ zoo x traversal.zoo Zoo: /tmp/moo -- extracted $ ls -l /tmp/moo -rw-r--r-- 1 jwilk users 4 Jan 5 2015 /tmp/moo The script I used to create the test case is available at: https://bitbucket.org/jwilk/path-traversal-samples -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (990, 'unstable'), (500, 'experimental') Architecture: i386 (x86_64) Foreign Architectures: amd64 Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages zoo depends on: ii libc6 2.19-13 -- Jakub Wilk traversal.zoo Description: Binary data