Dzip: Directory traversal vulnerability — GLSA 200506-03

Dzip is vulnerable to a directory traversal attack.

Affected packages

games-util/dzip on all architectures
Affected versions < 2.9-r1
Unaffected versions >= 2.9-r1

Background

Dzip is a compressor and decompressor made specifically for demo recordings of id Software's Quake.

Description

Dzip is vulnerable to a directory traversal attack when extracting archives.

Impact

An attacker could exploit this vulnerability by creating a specially crafted archive to extract files to arbitrary locations.
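
An added example, not Dzip's code and not the fix shipped in 2.9-r1: a C check an extractor can run on each archive member name before joining it to the output directory. The function name `member_name_is_safe` and the sample names are constructed for illustration, and treating both `/` and `\` as separators is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not Dzip's code. Both '/' and '\\' count as separators
 * (assumption: an archive may have been created on either platform). */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns 1 if the member name stays below the extraction directory. */
int member_name_is_safe(const char *name)
{
    size_t i = 0, start;

    if (name == NULL || name[0] == '\0')
        return 0;                   /* empty name */
    if (is_sep(name[0]))
        return 0;                   /* absolute path */
    if (name[1] == ':')
        return 0;                   /* drive prefix such as C: */

    while (name[i] != '\0') {
        start = i;
        while (name[i] != '\0' && !is_sep(name[i]))
            i++;                    /* scan one path component */
        if (i - start == 2 && name[start] == '.' && name[start + 1] == '.')
            return 0;               /* ".." component leaves the target */
        if (name[i] != '\0')
            i++;                    /* step over the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed member names, not taken from any real archive. */
    const char *samples[] = { "demos/e1m1.dem", "../outside.dem",
                              "/abs/path.dem", "demos\\..\\..\\x.dem",
                              "C:\\x.dem", "demo..dem" };
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t k = 0; k < n; k++)
        printf("%-22s %s\n", samples[k],
               member_name_is_safe(samples[k]) ? "extract" : "reject");
    return 0;
}
```

A name that fails the check should be skipped or cause the extraction to abort rather than be rewritten into a "safe" form.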

Workaround

There is no known workaround at this time.

Resolution

All Dzip users should upgrade to the latest available version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=games-util/dzip-2.9-r1"

References

Release date
June 06, 2005

Latest revision
May 22, 2006: 02

Severity
normal

Exploitable
remote

Bugzilla entries