Update dependency SharpZipLib to v1.3.3 [SECURITY] #2
This PR contains the following updates:
SharpZipLib: 1.3.0 -> 1.3.3
GitHub Vulnerability Alerts

CVE-2021-32840
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to an arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.

CVE-2021-32841
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting with version 1.3.0 and prior to version 1.3.3, a check was added that the destination file is under the destination directory. However, it is not enforced that `destDir` ends with a slash. If `destDir` is not slash-terminated, like `/home/user/dir`, it is possible to create a file with a name that begins with the destination directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 contains a patch for this vulnerability.

CVE-2021-32842
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting with version 1.0.0 and prior to version 1.3.3, a check was added that the destination file is under a destination directory. However, it is not enforced that `_baseDirectory` ends with a slash. If `_baseDirectory` is not slash-terminated, like `/home/user/dir`, it is possible to create a file whose name begins with the destination directory's name, one level up from the directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 fixed this vulnerability.
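The three advisories above describe one family of bug: a containment test that compares the resolved output path against the destination directory as a plain string prefix, without guaranteeing that the directory ends in a separator. The following Python is an added illustration of that check and its hardened form; it is not SharpZipLib's code and not part of this PR. The function names (`prefix_check`, `separator_check`, `classify`), the sample entry names and the use of `posixpath` (so the output is identical on Windows and Linux) are all my own assumptions, chosen to match the `/home/user/dir` example in the advisory text.

```python
import posixpath

# Constructed sample: the destination directory from the advisory text and a
# handful of TAR entry names, including the shapes the CVEs describe.
DEST_DIR = "/home/user/dir"
SAMPLE_ENTRIES = [
    "sub/ok.txt",      # benign, stays inside dest_dir
    "../evil.txt",     # CVE-2021-32840 shape: climbs into the parent directory
    "../dir.sh",       # CVE-2021-32841/32842 shape: a sibling sharing the prefix
    "../dir2/x.txt",   # same prefix trick, one level deeper
    "/etc/passwd",     # absolute name: posixpath.join discards dest_dir entirely
]


def resolve(dest_dir: str, entry_name: str) -> str:
    """Where a naive extractor would write the entry: join, then normalise
    away any '..' and '.' components (this is what makes '../dir.sh' land
    at '/home/user/dir.sh')."""
    return posixpath.normpath(posixpath.join(dest_dir, entry_name))


def prefix_check(dest_dir: str, entry_name: str) -> bool:
    """The flawed containment test (my reconstruction of the advisory, not
    the library's code): a bare string-prefix test against a dest_dir that
    is not guaranteed to end with a separator. '/home/user/dir.sh' starts
    with '/home/user/dir', so it passes."""
    return resolve(dest_dir, entry_name).startswith(dest_dir)


def separator_check(dest_dir: str, entry_name: str) -> bool:
    """Hardened containment test: normalise the root, then require the
    target to be the root itself or to start with root + '/'. The trailing
    separator is what separates '/home/user/dir/...' from '/home/user/dir.sh'."""
    root = posixpath.normpath(dest_dir)
    target = resolve(root, entry_name)
    return target == root or target.startswith(root + "/")


def classify(entry_name: str, dest_dir: str = DEST_DIR) -> dict:
    """For one entry, report where it resolves and which check lets it through."""
    return {
        "resolved": resolve(dest_dir, entry_name),
        "prefix_check": prefix_check(dest_dir, entry_name),
        "separator_check": separator_check(dest_dir, entry_name),
    }


def safe_entries(entries, dest_dir: str = DEST_DIR) -> list:
    """The subset of entries an extractor using the hardened check would write."""
    return [e for e in entries if separator_check(dest_dir, e)]


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"{entry:14} -> {classify(entry)}")
```

Running it shows the two distinct failure modes: `../evil.txt` resolves to `/home/user/evil.txt`, which even the weak prefix test rejects (so an extractor that writes it had no containment check at all), while `../dir.sh` resolves to `/home/user/dir.sh` and slips past the prefix test but not the separator-aware one. Note also that `prefix_check("/home/user/dir/", "../dir.sh")` is `False`: as the advisories say, the weak check only fails when the caller happens to pass a directory without a trailing slash, which is why the library must enforce the separator itself rather than rely on the caller.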
Release Notes
icsharpcode/SharpZipLib (SharpZipLib)

v1.3.3
Another minor release, containing security fixes and smaller bugfixes.
Fixes:
- bzip2: use explicit feature defs for vectorized memory move (by Jackson Wood)
- tar: create translated files in temp (by nils måsén)
Smaller changes:
Other changes (not related to library code):
- zip: fix ZipStrings typo (by Friedrich von Never)

v1.3.2
Another minor release, containing security fixes and smaller bugfixes.
Additionally, this version has an additional target framework, .NET Standard 2.1, which brings some speed improvements when used in newer versions of .NET (Core), mainly in Bzip2.
Features
Smaller fixes and optimizations
Other changes (not related to library code)

v1.3.1
Minor release, mainly to address the incorrect file version of v1.3.0, but also containing some security fixes and performance improvements.
Highlights
- FileVersion and AssemblyVersion
- ZipFile and Zip*Streams
Features
Fixes
Other changes (not related to library code)

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.