CVE request: AusweisApp

[Hanno Böck <hanno () hboeck de>]

The "AusweisApp" is an official government application for the electronic ID
in germany.

The original version contained a vulnerability in the update function. It
didn't verify the host of the https connection and allowed to install
malicious files through a directory traversal vuln in the used unzip
routine.
I'm not sure if this makes one or two CVEs, as there are two "vulns" that
can only be used together to do malicious things.

Original source:
https://janschejbal.wordpress.com/2010/11/09/ausweisapp-gehackt-malware-uber-autoupdate/

Also, the versioning is a bit broken, the article claims that the version
was both 1.0.0 and 1.0.1 depending on the source, but the new "fixed" version
is also called 1.0:
https://www.ausweisapp.bund.de/

-- 
Hanno Böck              Blog:           http://www.hboeck.de/
GPG: 3DBD3B20           Jabber/Mail:    hanno () hboeck de

http://schokokeks.org - professional webhosting

Attachment: signature.asc
Description: This is a digitally signed message part.