{"id":"MGASA-2018-0362","summary":"Updated quazip packages fix security vulnerability","details":"Updated quazip packages fix security vulnerability:\n\nA vulnerability has been found in the way developers have implemented the\narchive extraction of files. An arbitrary file write vulnerability, that\ncan be achieved using a specially crafted zip archive (affects other\narchives as well, bzip2, tar,xz, war, cpio, 7z), that holds path traversal\nfilenames. So when the filename gets concatenated to the target extraction\ndirectory, the final path ends up outside of the target folder. Of course\nif an executable or a configuration file is overwritten with a file\ncontaining malicious code, the problem can turn into an arbitrary code\nexecution issue quite easily. This affects multiple libraries that lacks of\na high level APIs that provide the archive extraction functionality\n(CVE-2018-1002209).\n","modified":"2026-02-04T02:50:34.430699Z","published":"2018-08-31T21:11:59Z","related":["CVE-2018-1002209"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0362.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23446"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TMQZPZKZJRQ6ESHXO5LCLIBYWOJX4HAX/"}],"affected":[{"package":{"name":"quazip","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/quazip?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.7.6-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0362.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}