* Jakub Wilk <jw...@debian.org>, 2015-01-02, 23:16:
> Either the fix for CVE-2005-2349 (bug #309594) wasn't complete, or it bit-rotted, because Zoo is still susceptible to directory traversal:

To clarify, #309594 discussed only relative path traversal (via ".." sequences), but AFAICS the patch[0] tries to address also absolute path traversal.
And, despite the patch, Zoo is currently susceptible to relative directory traversal, too:

$ zoo x traversal-relative.zoo
Zoo: ../moo -- skipped
$ ls -l ../moo
-rw-r--r-- 1 jwilk users 4 Jan 5 2015 ../moo

[0] https://sources.debian.net/src/zoo/2.10-27/debian/patches/02-traversal-directory.patch/

-- 
Jakub Wilk

Attachment: traversal-relative.zoo (binary data)
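
The two cases the message above distinguishes (relative traversal via ".." components and absolute paths), as an added example that is not part of the original message, Zoo's source or the Debian patch: a lexical check an extractor can apply to each stored member name before creating any file. The function name and the sample names are assumptions made for illustration; only ../moo comes from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Zoo's code): returns true only when the stored
 * member name is a relative path that contains no ".." component. */
bool member_path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;               /* empty name: nothing valid to create */
    if (name[0] == '/')
        return false;               /* absolute path traversal */

    const char *p = name;
    while (*p != '\0') {
        /* Length of the current component, up to the next '/' or the end. */
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;           /* relative path traversal via ".." */
        p += len;
        while (*p == '/')           /* skip separators, including "a//b" */
            p++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names; "../moo" is the one shown in the report. */
    const char *samples[] = {
        "../moo", "/tmp/moo", "dir/../../moo", "dir/..",
        "dir/..moo", "dir//moo", "moo",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s %s\n", samples[i],
               member_path_is_safe(samples[i]) ? "extract" : "refuse");
    return 0;
}
```

The check is purely lexical: it refuses any name with a ".." component, even one that would resolve inside the extraction directory, and it does not cover symlinks already present on disk.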