On Wed, 02 Oct 2002, Michael Salmon wrote:
A directory traversal vulnerability in unzip version 5.42 and earlier, as well as GNU tar 1.13.19 and earlier, allows attackers to overwrite arbitrary files during archive extraction via a ".." (dot dot) in an extracted filename. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-1267 and CAN-2001-1268 to this issue.
In addition, unzip version 5.42 and earlier also allows attackers to overwrite arbitrary files during archive extraction via filenames in the archive that begin with the "/" (slash) character. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-1269 to this issue.
It doesn't seem much of a problem unless you are running as root and don't look check the contents first.
The Workaround section in the bugtraq db includes "List content of archive before extraction if archive was obtained from untrusted source (but have in mind that name of the file can be with something like ../^H^H^H - do not trust your eyes, use some program)." Did anyone publish a script to do this - I am afraid my own scripting abilities are not enough ?? dproc