Critical Zip Slip flaw affects thousands of software projects

Hand-written archive-extraction code may have left thousands of open source projects vulnerable to remote command execution.

The widespread Zip Slip archive extraction bug was disclosed today by security firm Snyk, which reports it affects Apache Hadoop and projects from HP, Amazon, Oracle and others through software libraries that developers have hand-crafted so their software can process .zip archive files.

This functionality is often written from scratch because some ecosystems, such as Java, don’t provide a central software library that fully extracts archive files. So developers build their own and share them on developer communities such as StackOverflow.

According to Snyk, this sharing of private or public code has caused the common error to multiply across many projects. Besides .zip, it can also affect other archive formats such as .tar, .jar, .war, .cpio, .apk, .rar, and .7z.

The attacker needs to use a specially crafted archive file containing extra directory path components that would not normally be present if the archive had been created using standard tools.
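The defensive check a hand-written extractor needs is shown below as an added example (not code from the article or from any of the projects it names). It resolves every entry name against the destination directory before anything is written, so an archive carrying the extra directory paths described above is rejected whole; the helper names, the sample archive and its entry names are all constructed for this illustration.

```python
import io
import os
import tempfile
import zipfile

class ZipSlipError(Exception):
    """An archive entry would land outside the extraction directory."""

def resolve_entry(dest_dir, entry_name):
    """Resolve entry_name under dest_dir, or None if it escapes. realpath() collapses
    '..' and follows existing symlinks, so the final on-disk location is compared."""
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, entry_name.replace("\\", "/")))
    return target if os.path.commonpath([base, target]) == base else None

def safe_extract(archive_bytes, dest_dir):
    """Extract a zip, rejecting the whole archive if any entry escapes dest_dir. A naive
    per-entry open(os.path.join(dest_dir, name), 'wb') with no check is the Zip Slip bug."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        bad = [i.filename for i in zf.infolist()
               if resolve_entry(dest_dir, i.filename) is None]
        if bad:
            raise ZipSlipError(f"entries escape {dest_dir!r}: {bad}")
        for info in zf.infolist():
            target = resolve_entry(dest_dir, info.filename)
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if info.is_dir():
                continue
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(dest_dir)))
    return written

def build_archive(entries):
    """Constructed sample input: in-memory zip from {name: bytes}. zipfile stores
    the names verbatim, so a '../' component survives into the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def extract_in_tempdir(archive_bytes):
    """Extract into a throwaway directory; return (names written, error message)."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            return safe_extract(archive_bytes, dest), None
        except ZipSlipError as exc:
            return [], str(exc)
```

Comparing with `commonpath` rather than `startswith` matters: a destination of `/opt/app/out` must not accept `/opt/app/out-evil/x`, which a plain prefix test would.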