Date: Wed, 18 Feb 2015 13:11:55 +0300 From: Alexander Cherepanov <ch3root@...nwall.com> To: oss-security@...ts.openwall.com Subject: CVE Request: cabextract -- directory traversal Hi! cabextract is susceptible to a directory traversal vulnerability. While extracting files from an archive, it removes leading slashes from filenames but does it before possibly decoding UTF-8 and doesn't check for invalid UTF-8. Hence an absolute filename can be shoved through by using overlong encoding for the leading slash (and setting utf8 attribute in the header). This can be exploited by a malicious archive to write files outside the current directory. Illustration: $ touch xxxxxxxxxx $ lcab xxxxxxxxxx test.cab $ sed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab $ rm xxxxxxxxxx $ ls /tmp/abs ls: cannot access /tmp/abs: No such file or directory $ ./cabextract test.cab Extracting cabinet: test.cab extracting /tmp/abs All done, no errors. $ ls /tmp/abs /tmp/abs In the sed command above, \xe0\x80\xaf is an overlong encoding for '/', \xa0\x00 are flags updated to include utf-8 flag. The issue was found in cabextract 1.4 and 2-byte encoding (\xc0\xaf) was enough to hide '/'. cabextract 1.5 tightened utf-8 checks and 3-byte encoding is now necessary. The issue was reported to Stuart Caie today and fixed in less than 4h: http://sourceforge.net/p/libmspack/code/217/ Another release of cabextract is expected in the next few days. Could CVE please be assigned? -- Alexander Cherepanov
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ