Slashdot Mirror


Zip Slip Vulnerability Affects Thousands of Projects (theregister.co.uk)

Yhcrana writes: Considering the video in the story makes it pretty simple, this is not something I would like to have happen. Apparently it is a flaw in the libraries that are being used by Oracle, Apache, and others. The Register reports: "Booby-trapped archive files can exploit vulnerabilities in a swath of software to overwrite documents and data elsewhere on a computer's file system -- and potentially execute malicious code. Specifically, the flaw, dubbed 'Zip Slip' by its discoverers at security outfit Snyk, is a path traversal flaw that can potentially be exploited to perform arbitrary code execution attacks. It affects .zip, .bz2, .tar, .xz, .war, .cpio, and .7z archives.

The bugs, according to Snyk, lie in code that unpacks compressed archives, hence the 'Zip Slip' title. When software does not properly check and sanitize file names within the archive, attackers can set the destination path for an unpacked file to an existing folder or file elsewhere on a system. When that file is extracted, it will overwrite the existing data in that same path."

3 of 127 comments

  1. Re:archive vs compressor by dgatwood · Score: 3, Informative

    GNU tar rejects '..' path parts automatically, as does FreeBSD's tar. Does anybody actually still use cpio, other than for extracting the guts of really old OS X installer packages (pre-xar)?

    Either way, I can't quite decide who to blame:

    • App developers for rolling their own code when existing libraries exist.
    • Sun/Oracle for not making it so trivial to integrate C code that nobody would try to write their own implementation for something as ugly as ZIP.
    • Open source and free software advocates for license terms that make people afraid to reuse code that works.
    • Lawyers, because.

    In any case, I don't allow any .Net or Java code anywhere near my computers, so I don't care even slightly. All the C implementations have been secure for decades.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Re:Holy Moly! This is some seriously creepy sh*t! by msauve · Score: 5, Informative

    Oh, people have thought of it. The issue has been known for years. The only thing that's surprising is that there's still software which allows it, which can only be due to incompetence. Heck, here's a security book describing the vector (directory traversal) dating to 1996, and it was known long before then.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law

  3. Re:archive vs compressor by dgatwood · Score: 5, Informative

    Holy crap! I just looked at GNU tar's version history. The docs have said that it skips ".." members since IIRC the late 1990s, but apparently it never actually worked, and they just fixed it in 2016!

    *redacted swearing*

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.