Thanks for reporting this issue - this would appear to have potential security implications, however as it is already public I see no reason to keep this private - if a CVE were to be assigned then this could be fixed via a security update by the security team, otherwise this would be fixed via the normal SRU process[1]. As such, please feel free to file a CVE request with MITRE[2] and if one is assigned, please update this bug report with the CVE ID and we can fix it via the security team.
[1] https://wiki.ubuntu.com/StableReleaseUpdates
[2] https://cve.mitre.org/cve/request_id.html

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1830629

Title:
  Errors when extracting ZIP files. It can not differentiate between files and directories

Status in libarchive package in Ubuntu:
  New

Bug description:
  The specific version included in Ubuntu 18.04 (libarchive 3.2.2) is the only version that presents the problem. This version has a known problem when reading file entries in ZIP files, where it incorrectly identifies directory and file entries.

  It has been confirmed that the previous and following versions (3.3.1+) do not have this problem and the library handles the ZIP files correctly.

  Is it possible to include a newer version of libarchive (3.3.1+) in Bionic? This problem is seriously affecting some of our systems.