Update dependency SharpZipLib to v1.3.3 [SECURITY]

[renovate-demo]

This PR contains the following updates:

Package	Type	Update	Change
SharpZipLib	nuget	patch	1.3.0 -> 1.3.3

GitHub Vulnerability Alerts

CVE-2021-32840

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.

CVE-2021-32841

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.3.0 and prior to version 1.3.3, a check was added if the destination file is under destination directory. However, it is not enforced that destDir ends with slash. If the destDir is not slash terminated like /home/user/dir it is possible to create a file with a name thats begins with the destination directory, i.e. /home/user/dir.sh. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 contains a patch for this vulnerability.

CVE-2021-32842

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.0.0 and prior to version 1.3.3, a check was added if the destination file is under a destination directory. However, it is not enforced that _baseDirectory ends with slash. If the _baseDirectory is not slash terminated like /home/user/dir it is possible to create a file with a name thats begins as the destination directory one level up from the directory, i.e. /home/user/dir.sh. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 fixed this vulnerability.

---

Release Notes

icsharpcode/SharpZipLib (SharpZipLib)

v1.3.3

Another minor release, containing security fixes and smaller bugfixes.

Fixes:

• 🐛 specialized tar extract traversal by nils måsén
• 🐛 [#​635] bzip2 use explicit feature defs for vectorized memory move by Jackson Wood
• 🐛 [#​645] tar create translated files in temp by nils måsén

Smaller changes:

• 🔨 [#​604] Move the Password property from DeflaterOutputStream into ZipOutputStream by Richard Webb
• 🔨 [#​625] Make BZip2Constants static instead of sealed by Richard Webb
• 🔨 [#​626] make a couple of private functions static by Richard Webb

Other changes (not related to library code):

• 📚 [#​648] zip fix ZipStrings typo by Friedrich von Never
• 🚨 add tests for tar path traversal by nils måsén
• ⚙️ add codeql analysis by nils måsén
• 🚨 [#​636] Fix unstable tests and switch to dotcover by nils måsén
• 🚨 [#​634] add an async version of the WriteZipOutputStream benchmark by Richard Webb
• ⚙️ [#​628] Limit code coverage to windows CI by nils måsén
• 🚨 [#​627] fix the expected/actual value ordering in unit tests by Richard Webb

v1.3.2

Another minor release, containing security fixes and smaller bugfixes.
Additionally, this version will have an additional target framework, .NET Standard 2.1, which will see some speed improvements when
used in newer versions of .NET (Core), mainly in Bzip2.

Features

• [#​611] Bzip input stream simple vectorization by Konrad Kruczyński
• [#​351] Add support for Filename field in GZip by nils måsén

Smaller fixes and optimizations

• [#​579] Implement very simple ReadAsync in ZipAESStream by Richard Webb
• [#​587] Remove supported method checks from ZipEntry.CompressionMethod setter by Richard Webb
• [#​593] Simplify DropPathRoot and fix out of bounds issue by nils måsén
• [#​575] Replace uses of new T[0] with Array.Empty<T> by Richard Webb
• [#​583] Restore entry times on FastZip extract by nils måsén
• [#​517] Throw exception on Store+Descriptor entries by nils måsén
• [#​578] Fix typos in the StreamDecodingException doc comments by Richard Webb
• [#​577] Throw ZipException in ZipAESStream instead of generic Exception by Richard Webb
• [#​510] Build the test bootstrapper app as netcoreapp3.1 instead of netcoreapp2.0 by Richard Webb
• [#​546] Make pure private functions static by Richard Webb
• [#​554] Skip CRC calculation for AES zip entries by nils måsén
• [#​605] Suppress CA1707 warnings in the Constants classes by Richard Webb
• [#​549] Add .NET Standard 2.1 target framework by Cédric Luthi

Other changes (not related to library code)

• [#​586] Convert VB sample projects to PackageReference format by Richard Webb
• [#​533] Convert the C# sample projects to PackageReference format by Richard Webb
• [#​457] add basic async unit tests for the inflator/deflator streams by Richard Webb
• [#​588] Add a simple async read test for ZipFile by Richard Webb
• [#​621] unify PR/push CI build actions by nils måsén
• [#​616] Change the build status badge to reference github actions by Richard Webb
• [#​603] pass CreateZip tests that are within time tolerance by nils måsén
• [#​602] Update test/coverage packages and push to codecov by nils måsén
• [#​601] pass tests that are within time tolerance by nils måsén
• [#​599] Use net46 as CI target framework for windows tests by nils måsén
• [#​594] Remove the local nuget.config files from the test projects by Richard Webb
• [#​553] Remove broken codacy integration by nils måsén
• [#​542] Build and publish documentation on release by nils måsén

v1.3.1

Minor release, mainly to address the incorrect file version of v1.3.0, but also contains some security fixes and performance improvements.

Highlights

• Correct FileVersion and AssemblyVersion
• Security fixes for ZipFile and Zip*Streams
• Improved CRC32 performance
• BZip2 compression support for Zip files

Features

• [#​355] Wire up BZip2 compression support for Zip files by Richard Webb

Fixes

• [#​475] Fix updating zips with descriptor entries by Richard Webb & nils måsén
• [#​516] Improve CRC32 performance by Nelson Gomez
• [#​538] Use RNGCryptoServiceProvider for crypto headers by nils måsén
• [#​539] Use securely generated random temporary file names by nils måsén
• [#​509] Make PutNextEntry throw if the entry is AES and no password has been set by Richard Webb

Other changes (not related to library code)

• [#​541] Update csproj for new release by nils måsén
• [#​530] Fix Codacy Workflows by nils måsén
• [#​529] Add release workflow by nils måsén
• [#​511] Move the 7zip helper functions into their own class for easier reuse by Richard Webb
• [#​525] Update the sample projects to use the v1.3 release by Richard Webb
• [#​522] Use PackageIcon instead of PackageIconUrl in csproj by nils måsén
• [#​523] Fix Codacy workflows by nils måsén

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.