OASIS Mailing List Archives
office message
Subject: Zip slip vulnerability issue?


Greetings!

I was pinged with an inquiry about the recent path validation
vulnerability in zip and its relevance to ODF.

The vulnerability requires:

1) a malicious archive

2) zip extraction software that does not do path validation

The crux of the issue, as I understand it, is that some extractors
permit arbitrary file paths to be written on extraction of zip contents.
That is, content can be written outside of the file hierarchy in the zip
file. Yikes!

For more, see:
https://www.helpnetsecurity.com/2018/06/05/zip-slip-vulnerability/,
listing of vulnerable apps:
https://github.com/snyk/zip-slip-vulnerability, or the original research
paper: https://snyk.io/research/zip-slip-vulnerability.

I suspect this is more of an issue for implementations of ODF than the
format, but bouncing it to the TC for broader review.

Hope everyone is at the start of a great week!

Patrick

-- 
Patrick Durusau
patrick@durusau.net
Technical Advisory Board, OASIS (TAB)
Editor, OpenDocument Format TC (OASIS), Project Editor ISO/IEC 26300
Co-Editor, ISO/IEC 13250-1, 13250-5 (Topic Maps)

Another Word For It (blog): http://tm.durusau.net
Homepage: http://www.durusau.net
Twitter: patrickDurusau 


Attachment: signature.asc
Description: OpenPGP digital signature
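A worked example of the two ingredients listed in the message above (a malicious archive and an extractor that skips path validation), added here for illustration; it is not part of Patrick's message, the Snyk research, or any ODF implementation. The sample archive is constructed in memory to look like an ODF package (a stored `mimetype` entry first, then `content.xml`) with one extra entry whose name climbs out of the extraction directory; `extract_naive` reproduces the vulnerable pattern, and `extract_safe` shows the check a consumer of ODF packages should make. All function names and the scratch-directory layout are assumptions of this example.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile

# Constructed sample archive (not a real document): an ODF-style package that
# also carries a traversal entry. ODF requires 'mimetype' to be the first entry
# and stored uncompressed; the rest is just enough to look like a document.
TRAVERSAL_NAME = "../../escaped.txt"


def build_malicious_odt() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"),
                    b"application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", b"<office:document-content/>")
        # The Zip Slip entry: a relative name that escapes the destination.
        zf.writestr(TRAVERSAL_NAME, b"written outside the destination")
    return buf.getvalue()


def extract_naive(archive: bytes, dest: str) -> list[str]:
    """Vulnerable extractor: trusts entry names verbatim (the Zip Slip pattern).

    Note that zipfile.ZipFile.extractall() itself sanitises names; the bug is
    reproduced here by joining the raw entry name to the destination ourselves.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            target = os.path.join(dest, name)          # no validation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(name))
            written.append(os.path.realpath(target))
    return written


def safe_target(dest: str, name: str) -> str:
    """Resolve an entry name against dest and refuse anything landing outside it."""
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        raise ValueError(f"absolute entry name rejected: {name!r}")
    base = os.path.realpath(dest)
    # realpath normalises '..' segments and follows any symlinks already on disk,
    # so a '..' entry or a link planted earlier both resolve to their true place.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"entry escapes destination: {name!r}")
    return target


def extract_safe(archive: bytes, dest: str) -> list[str]:
    """Hardened extractor: validate every entry name before writing anything."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        # Two passes: a bad entry anywhere in the archive means nothing is written.
        planned = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:       # regular files only; no symlinks created
                f.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the sample archive inside a scratch directory."""
    archive = build_malicious_odt()
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "extract", "doc")
        os.makedirs(dest)
        naive = extract_naive(archive, dest)
        # dest/../../escaped.txt resolves two levels up, i.e. directly under root.
        escaped = os.path.realpath(os.path.join(root, "escaped.txt"))
        result = {"naive_escaped": escaped in naive and os.path.isfile(escaped)}

        dest2 = os.path.join(root, "extract2", "doc")
        os.makedirs(dest2)
        try:
            extract_safe(archive, dest2)
            result["safe_rejected"] = False
        except ValueError:
            result["safe_rejected"] = True
        result["safe_wrote_nothing"] = os.listdir(dest2) == []
    return result


if __name__ == "__main__":
    print(demo())
```

The check in `safe_target` is the whole fix: resolve the joined path and compare it against the resolved destination with `os.path.commonpath`, rather than string-matching on `..`, which misses encodings, mixed separators and symlinks. Validating the entire entry list before the first write keeps a malicious package from leaving a half-extracted document behind.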