debcrafters-packages team mailing list archive

[Bug 1916081] Re: Insecure Chaining of Flags T and TT

 

*** This bug is a duplicate of bug 2093024 ***
    https://bugs.launchpad.net/bugs/2093024

** This bug has been marked a duplicate of bug 2093024
   [SRU] zip crashes when using options -T and -TT

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to zip in Ubuntu.
https://bugs.launchpad.net/bugs/1916081

Title:
  Insecure Chaining of Flags T and TT

Status in zip package in Ubuntu:
  Confirmed

Bug description:
  Description:
  In Zip for Linux, the “-TT” flag can be used to run arbitrary system commands. Due to the dangerous nature of this flag, it must always be used at the same time as the “-T” flag. By using a flag chaining attack, attackers that should only be able to insert just 1 flag in a zip command can insert both the “-T” and “-TT” flags and potentially execute malicious code.

  A proof of concept and an in-depth explanation can be found in the attached
  PDF file.
