unalz contains a flaw that allows a remote attacker to write to files outside of the archive extraction path. The issue is due to the program not properly sanitizing user input, specifically directory-traversal sequences (../../) supplied in entry pathnames within the archive file.
Upgrade to version 0.55 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
The 'unalz' tool contains a vulnerability in the handling of pathnames for archived files.
By specifying a path for an archived item that points outside the expected destination directory, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem, possibly including paths containing system binaries and other sensitive or confidential information.
Presumably, an attacker could use this to create or overwrite binaries in any desired location, using the privileges of the invoking user.
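The mitigation for this class of bug is a check on each entry's pathname before the extractor opens an output file. The following is an added illustration (not code from unalz or its vendor) of such a check: it rejects absolute paths and any `..` component, and builds the output path only for entries that pass; the helper names and the sample entry names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Decide whether an archive entry name may be extracted under the
 * destination directory. Rejects empty names, absolute paths, backslash
 * separators, and any ".." path component (the "../../" pattern the
 * advisory describes). Returns 1 if safe, 0 otherwise.
 * Hypothetical helper, not taken from unalz. */
int entry_path_is_safe(const char *name)
{
    const char *p = name;
    if (name == NULL || *name == '\0')
        return 0;
    if (*name == '/' || *name == '\\')
        return 0;                        /* absolute path */
    if (strchr(name, '\\') != NULL)
        return 0;                        /* do not accept '\' as a separator */
    while (*p) {                         /* inspect every '/'-delimited component */
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                    /* parent-directory component */
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

/* Build "<dest>/<name>" only when the entry name passed the check.
 * Returns 0 on success, -1 if the name is rejected or does not fit. */
int build_extract_path(const char *dest, const char *name, char *out, size_t outlen)
{
    if (!entry_path_is_safe(name))
        return -1;
    if (snprintf(out, outlen, "%s/%s", dest, name) >= (int)outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* constructed sample entry names: two benign, three traversal attempts */
    const char *samples[] = {"docs/readme.txt", "a/..b/c", "../../etc/passwd", "/usr/bin/ls", "..\\x"};
    char out[256];
    for (size_t i = 0; i < 5; i++)
        printf("%-20s %s\n", samples[i],
               build_extract_path("/tmp/out", samples[i], out, sizeof out) == 0 ? "extract" : "reject");
    return 0;
}
```

A component named `..b` is legitimate and is kept; only an exact `..` component is rejected.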
Version 0.53 is vulnerable; other versions may also be affected.
An exploit is not required.
The vendor has released version 0.55 to address this issue.