Date: Mon, 23 Feb 2015 02:38:05 -0500 (EST)
From: cve-assign@...re.org
To: ch3root@...nwall.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: cabextract -- directory traversal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> it removes leading slashes from filenames but does it before possibly
> decoding UTF-8 and doesn't check for invalid UTF-8

> The issue was reported to Stuart Caie today and fixed in less than 4h:
> http://sourceforge.net/p/libmspack/code/217/

Your report seems to be about the need for the "/* remove leading slashes */" code to occur after (not before) the "/* get next UTF-8 character */" code. Is this the only vulnerability being reported, or is the stated behavior of "This doesn't reject bad UTF-8 with overlong encodings, but does re-encode it as valid UTF-8" an independent vulnerability?

>   /* special case if there's only one file - just take the first slash */
>
>     if (c == '\\') return 0; /* backslash = MS-DOS */
>
>   isunix = unix_path_seperators(cab->files);
>
>   sep = (isunix) ? '/' : '\\'; /* the path-seperator */
>
>   while (*fname == sep) fname++;

What happens if the .cab archive contains only one file, and \/tmp/abs is the filename?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU6thCAAoJEKllVAevmvmschIH/jvsovXKOb3R8XToivGmAJG4
raI0rK3IgcvAk3UbH+N9Ss6rSvx4XO4U5NWKWZmTIT8NENOmCR6OffRpyodmNkV0
1yeyTt0YsVaOz35vmyh/GIf9VtsMB1XsUK8Z4V7aAnCr8qsJmzKRwD2tqaKu+m5j
D5Zq3QsIXaEOzXTjrQsCJpSzaGKoKG9jjW3xXC8hdrqBl3V8qbXGVIAQ3a5yOexb
Crx38WncATW1C3wDpQ7g8E6VZ22sbYEJSs2ebm36KCUGtRq6zGZQJjy1ajokpiKM
lTIKtOGN03YAG1EpWPWKEp4cLKYVffhB1pe9pQAh6nTPYg/9CKZzQRCL7Ya8m2s=
=ok2P
-----END PGP SIGNATURE-----
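The two points raised in the thread (leading-separator stripping must run after UTF-8 decoding, with overlong forms rejected rather than re-encoded; and the single-file special case where a name such as \/tmp/abs selects the backslash separator and leaves an absolute path behind) come down to one ordering rule for a defensive filename sanitizer. The following C example is added here to illustrate that rule; it is not code from cabextract, libmspack or the message above, and the function names sanitize_cab_name and utf8_is_valid are hypothetical. It generalizes slightly beyond the message: it validates UTF-8 strictly first (so an ASCII separator can only ever be a single byte), then strips leading separators of either kind regardless of which one the archive claims to use, and rejects any ".." component, which the quoted snippet does not address.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strict UTF-8 validator: returns 1 if s is well-formed UTF-8 (no overlong
 * forms, no surrogates, nothing above U+10FFFF), else 0. Assumption for this
 * example: the archive's filename bytes arrive as a NUL-terminated string. */
static int utf8_is_valid(const unsigned char *s)
{
    while (*s) {
        unsigned char c = s[0];
        size_t n;                 /* number of continuation bytes expected */
        unsigned long cp, min;    /* decoded code point and its minimum for n */
        if (c < 0x80) { s++; continue; }
        else if ((c & 0xE0) == 0xC0) { n = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;            /* stray continuation byte or 0xF8..0xFF */
        for (size_t i = 1; i <= n; i++) {
            /* a NUL here fails the test too, so we never read past the end */
            if ((s[i] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i] & 0x3F);
        }
        if (cp < min) return 0;   /* overlong, e.g. C0 AF as a second spelling of '/' */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;
        if (cp > 0x10FFFF) return 0;
        s += n + 1;
    }
    return 1;
}

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Writes a relative, traversal-free, '/'-separated path into out.
 * Returns 0 on success, -1 if the name must be rejected
 * (invalid UTF-8, a ".." component, empty result, or too long). */
int sanitize_cab_name(const char *name, char *out, size_t outlen)
{
    /* 1. Validate the encoding BEFORE any byte-level path logic. After this,
     *    every '/' or '\\' byte is a real separator, not part of a multibyte char. */
    if (!utf8_is_valid((const unsigned char *)name)) return -1;

    /* 2. Strip leading separators of either kind, so a name starting with
     *    "\/" cannot keep an absolute "/..." path by choosing the other separator. */
    while (is_sep(*name)) name++;

    size_t len = strlen(name);
    if (len == 0 || len + 1 > outlen) return -1;

    /* 3. Reject any ".." component anywhere in the path. */
    const char *p = name;
    while (*p) {
        const char *q = p;
        while (*q && !is_sep(*q)) q++;
        if (q - p == 2 && p[0] == '.' && p[1] == '.') return -1;
        p = *q ? q + 1 : q;
    }

    /* 4. Emit a normalized copy using '/' as the only separator. */
    for (size_t i = 0; i < len; i++) out[i] = is_sep(name[i]) ? '/' : name[i];
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample names: the one from the thread, an overlong-encoded
     * slash, a traversal attempt, and an ordinary non-ASCII name. */
    const char *samples[] = { "\\/tmp/abs", "\xC0\xAF" "tmp/abs",
                              "../etc/passwd", "caf\xC3\xA9.txt" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = sanitize_cab_name(samples[i], buf, sizeof buf);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? buf : "REJECTED");
    }
    return 0;
}
```

The ordering is the whole point: once the bytes are known to be strict UTF-8, a byte-oriented separator check is sound, because no multibyte sequence can contain 0x2F or 0x5C; stripping or comparing separators before that validation is what lets an overlong or malformed sequence slip past.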