mholt/archiver Path Traversal Vulnerability Allowing Zip Slip Exploitation

A Path Traversal vulnerability, known as 'Zip Slip', has been discovered in the mholt/archiver library for Go. This vulnerability arises when a crafted ZIP file containing path traversal symlinks is processed using the archiver.Unarchive function. The flaw allows the ZIP file to be extracted in a manner that overwrites files on the system with the same privileges as the application executing the extraction. This could lead to the unintentional modification of sensitive files, with potential consequences such as privilege escalation or code execution. It's important to note that a similar issue was previously identified with TAR files, which has not been officially addressed.

Impact

Exploitation of this vulnerability could result in unauthorized file overwrites, allowing for the modification of sensitive files and potentially leading to privilege escalation or code execution, depending on the overwritten files and the context in which the application runs.

Reproduction

To reproduce this vulnerability, create a ZIP file that includes path traversal symlinks. Then, use the archiver.Unarchive function to extract the ZIP file, specifying the output directory. The extraction will overwrite files in the output directory with the same privileges as the application, potentially leading to unauthorized modifications of sensitive files.

Remediation

Users are advised to transition to the mholt/archives project, which addresses this vulnerability and offers an improved API. The initial release of mholt/archives, version 0.1.0, removes the vulnerable Unarchive() functionality.