CVE-2014-9485

NameCVE-2014-9485
DescriptionDirectory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted entry in a ZIP archive.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesELA-222-1
Debian Bugs774321, 776831

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
minizip (PTS)jessie1.1-5vulnerable
stretch (lts), stretch1.1-8+deb9u1fixed
buster (security), buster, buster (lts)1.1-8+deb10u1fixed
bullseye1.1-8+deb11u1fixed
bookworm1.1-8+deb12u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
minizipsourcejessie(unfixed)end-of-life
minizipsource(unstable)1.1-6low774321, 776831
zlibsourcewheezy1:1.2.7.dfsg-13+deb7u2ELA-222-1

Notes

https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01 (v1.3.1)
Search for package or bug name: Reporting problems