From bb6b6080f53e48dd9f64ad82ba46265076f1a799 Mon Sep 17 00:00:00 2001
From: Michael Gilbert
Date: Sat, 14 May 2022 03:40:09 +0800
Subject: [PATCH] fix directory traversal issues in miniunzip

bug-debian: https://bugs.debian.org/774321
bug-debian: https://bugs.debian.org/776831
Gbp-Pq: Name traversal.patch
---
 miniunz.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/miniunz.c b/miniunz.c
index 3aeafdb..d3be1cf 100644
--- a/miniunz.c
+++ b/miniunz.c
@@ -355,6 +355,20 @@ int do_extract_currentfile(uf,popt_extract_without_path,popt_overwrite,password)
 else
 write_filename = filename_withoutpath;

+ if (write_filename[0]!='\0')
+ {
+ const char* relative_check = write_filename;
+ while (relative_check[1]!='\0')
+ {
+ if (relative_check[0]=='.' && relative_check[1]=='.')
+ write_filename = relative_check;
+ relative_check++;
+ }
+ }
+
+ while (write_filename[0]=='/' || write_filename[0]=='.')
+ write_filename++;
+
 err = unzOpenCurrentFilePassword(uf,password);
 if (err!=UNZ_OK)
 {
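Review bot: The added `while (relative_check[1]!='\0')` scan matches `..` as a substring rather than as a whole path component, and the strip loop after it only knows `/` and `.`, so the sanitising is too broad in one direction and too narrow in the other. A legitimate entry such as `notes..old/a.txt` is silently written under a different name and can collide with another entry, a name ending in `..` is reduced to an empty string, and a leading `\` is never stripped, which matters if this file is also built for Windows (where a drive prefix would need its own check). I would compare whole components and treat `\` as a separator too, as sketched below, and skip the entry when the resulting name is empty. Refusing the entry outright would be safer than rewriting it, but that needs the function's cleanup path. The function starts and ends outside the hunk, so neither that path nor whether directory creation uses the sanitised name can be confirmed from here.

```c
        /* Keep only what follows the last ".." path component; both '/'
           and '\\' count as separators.  Names that merely contain ".."
           (e.g. "notes..old") are left untouched. */
        {
            const char* comp = write_filename;   /* start of current component */
            const char* p = write_filename;
            for (;;)
            {
                if (*p=='/' || *p=='\\' || *p=='\0')
                {
                    if (p-comp==2 && comp[0]=='.' && comp[1]=='.')
                        write_filename = p;
                    if (*p=='\0')
                        break;
                    comp = p+1;
                }
                p++;
            }
            /* Drop leading separators so the name is always relative. */
            while (write_filename[0]=='/' || write_filename[0]=='\\')
                write_filename++;
        }

        err = unzOpenCurrentFilePassword(uf,password);
```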