Greetings!

I was pinged with an inquiry about the recent path validation vulnerability in zip and its relevance to ODF.

The vulnerability requires:

1) a malicious archive
2) zip extraction software that does not do path validation

The crux of the issue, as I understand it, is that some extractors permit arbitrary file paths to be written on extraction of zip contents. That is, content can be written outside of the file hierarchy in the zip file. Yikes!

For more, see:
https://www.helpnetsecurity.com/2018/06/05/zip-slip-vulnerability/

listing of vulnerable apps:

https://github.com/snyk/zip-slip-vulnerability

or the original research paper:

https://snyk.io/research/zip-slip-vulnerability

I suspect this is more of an issue for implementations of ODF than the format, but I am bouncing it to the TC for broader review.

Hope everyone is at the start of a great week!

Patrick

--
Patrick Durusau
patrick@durusau.net
Technical Advisory Board, OASIS (TAB)
Editor, OpenDocument Format TC (OASIS), Project Editor ISO/IEC 26300
Co-Editor, ISO/IEC 13250-1, 13250-5 (Topic Maps)
Another Word For It (blog): http://tm.durusau.net
Homepage: http://www.durusau.net
Twitter: patrickDurusau
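As an added illustration of the path validation the message refers to (example code, not part of the original message or of any ODF implementation), the Python below scans an ODF-style zip package and refuses any member whose name would resolve outside the extraction directory. The sample archive and the escaping entry name are constructed in memory; Python's own ZipFile.extract silently strips such components, whereas this check rejects the archive outright so the problem is visible.

```python
import io
import os
import posixpath
import zipfile


def is_unsafe_entry(name: str) -> bool:
    """True if a zip member name could escape the extraction directory."""
    # Zip names should use '/', but archives built on Windows may carry '\'.
    normalized = name.replace("\\", "/")
    # Absolute POSIX path or a Windows drive letter ("C:/...") is never acceptable.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return True
    # Collapse '.' and '..' segments; anything still climbing above the root is unsafe.
    collapsed = posixpath.normpath(normalized)
    return collapsed == ".." or collapsed.startswith("../")


def unsafe_entries_in(zip_bytes: bytes) -> list:
    """Return the member names of an in-memory archive that fail path validation."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [info.filename for info in archive.infolist() if is_unsafe_entry(info.filename)]


def safe_extract(zip_bytes: bytes, dest: str) -> int:
    """Extract only after every member passed validation; returns the number of members written."""
    dest = os.path.realpath(dest)
    bad = unsafe_entries_in(zip_bytes)
    if bad:
        raise ValueError("archive contains members escaping the target directory: %r" % bad)
    written = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            # Second, filesystem-level check: the resolved target must stay under dest.
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError("member %r resolves outside %r" % (info.filename, dest))
            archive.extract(info, dest)
            written += 1
    return written


def build_sample_odf(malicious: bool) -> bytes:
    """Constructed minimal ODF-like package; the escaping member name is a made-up example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:document-content/>")
        zf.writestr("Pictures/../content.xml", "<office:document-content/>")  # benign '..'
        if malicious:
            zf.writestr("../../escaped.txt", "constructed marker, not a real payload")
    return buf.getvalue()
```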