Erlang OTP Absolute Path Traversal Vulnerability in Zip Module

Vulnerability

A path traversal vulnerability has been identified in the zip module of Erlang OTP, specifically in the standard library (stdlib) versions 2.0 through 7.0.1, 6.2.2.1, and 5.2.3.4. The vulnerability allows for absolute path traversal and file manipulation when using certain functions to extract files from a zip archive. The issue arises because the zip module does not properly sanitize filenames, allowing maliciously crafted zip files to overwrite arbitrary files on the system by specifying absolute paths. This vulnerability affects OTP versions 17.0 through 28.0.1, as well as the aforementioned stdlib versions.

Impact

Exploitation of this vulnerability could lead to unauthorized file manipulation, including overwriting critical system files or application data, potentially causing application failures or system instability.

Reproduction

To reproduce this vulnerability, create a zip archive whose entries carry absolute file paths; it is these paths that make the archive malicious. Then extract it to disk with the zip module's extract functions without the 'memory' option. Extracting with the 'memory' option writes nothing to disk and so would prevent the exploitation.

Remediation

Users can upgrade to Erlang OTP versions 28.0.1, 27.3.4.1, or 26.2.5.13, all of which include the necessary patch. Instructions for upgrading can be found in the Erlang/OTP documentation.
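For code that cannot upgrade immediately, a stop-gap is to inspect entry names before extracting. The module below is an added example written for this advisory, not code from the advisory or from OTP; it assumes the caller already has the archive (path or binary) and a destination directory, and it refuses the whole archive if any entry is absolute, volume-relative, or contains a ".." component.

```erlang
%% Added example (not part of the advisory or of OTP): validate entry names
%% with zip:list_dir/1 before calling zip:unzip/2 on an unpatched stdlib.
-module(safe_unzip).
-export([unsafe_entries/1, unzip/2]).

%% Pulls in the #zip_file{} record returned by zip:list_dir/1.
-include_lib("stdlib/include/zip.hrl").

%% Return the entry names that could escape the extraction directory:
%% absolute paths, volume-relative paths (e.g. "C:foo" or "\foo" on
%% Windows) and any name with a ".." path component.
unsafe_entries(Archive) ->
    {ok, Entries} = zip:list_dir(Archive),
    %% Entries also holds a #zip_comment{}; the pattern skips it.
    [Name || #zip_file{name = Name} <- Entries, not safe_name(Name)].

safe_name(Name) ->
    filename:pathtype(Name) =:= relative andalso
        not lists:member("..", filename:split(Name)).

%% Extract only if every entry is safe. Refusing the whole archive is
%% preferable to extracting a subset, which would hide the tampering.
unzip(Archive, Dir) ->
    case unsafe_entries(Archive) of
        [] ->
            zip:unzip(Archive, [{cwd, Dir}]);
        Bad ->
            {error, {unsafe_entries, Bad}}
    end.
```

The check is advisory-level defence in depth only: the authoritative fix is the upgraded zip module, and the name check does not cover symlink entries or other archive features outside the scope of this advisory.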

Added: Jun 16, 2025, 11:28 AM
Updated: Jun 16, 2025, 12:56 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 3.3
exploitability: 5.0
remediation: 8.3
relevance: 0.2
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.