Add advisory for self_update ZIP Slip path traversal

crates/self_update/RUSTSEC-0000-0000.md

@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "self_update"
+date = "2026-02-23"
+url = "https://github.com/jaemk/self_update/issues/91"
+categories = ["file-disclosure"]
+keywords = ["zip-slip", "path-traversal", "arbitrary-file-write"]
+
+[affected.functions]
+"self_update::Extract::extract_into" = ["*"]
+"self_update::Extract::extract_file" = ["*"]
+
+[versions]
+patched = []
+unaffected = []
+```
+
+# Path traversal in self_update ZIP extraction (ZIP Slip)
+
+`self_update::Extract::extract_into()` and `extract_file()` use `zip::ZipFile::name()` to construct output file paths without any sanitization. The `name()` method returns the raw filename from the ZIP archive, which may contain path traversal sequences like `../`.
+
+An attacker who controls the contents of a ZIP archive (e.g., via a compromised GitHub release or MITM on the download) can write files to arbitrary locations outside the intended extraction directory.
+
+The `zip` crate provides `mangled_name()` which sanitizes path components, but `self_update` does not use it. The tar extraction path is not affected because the `tar` crate validates paths internally.