Control: retitle -1 unshield: CVE-2015-1386: directory traversal

Hi,

On Sun, Jan 25, 2015 at 11:14:46AM +0100, Jakub Wilk wrote:
> Package: unshield
> Version: 1.0-1
> Tags: security
>
> unshield is vulnerable to directory traversal via "../" sequences. As a
> proof of concept, unpacking the attached InstallShield archive creates a
> file in /tmp:
>
> $ ls /tmp/moo
> ls: cannot access /tmp/moo: No such file or directory
>
> $ unshield x data1.cab
> Cabinet: data1.cab
> extracting:
> ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
> -------- -------
> 1 files
>
> $ ls /tmp/moo
> /tmp/moo

This issue got CVE-2015-1386. Could you please include this CVE reference in your changelog when you fix the issue?

See https://marc.info/?l=oss-security&m=142243243804156&w=2 for the assignment.

Regards,
Salvatore