Date: Mon, 23 Feb 2015 02:38:05 -0500 (EST)
From: cve-assign@...re.org
To: ch3root@...nwall.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: cabextract -- directory traversal

> it removes leading slashes from filenames but does it before possibly
> decoding UTF-8 and doesn't check for invalid UTF-8

> The issue was reported to Stuart Caie today and fixed in less than 4h:

> http://sourceforge.net/p/libmspack/code/217/

Your report seems to be about the need for the "/* remove leading
slashes */" code to occur after (not before) the "/* get next UTF-8
character */" code. Is this the only vulnerability being reported, or
is the stated behavior of "This doesn't reject bad UTF-8 with overlong
encodings, but does re-encode it as valid UTF-8" an independent
vulnerability?

> /* special case if there's only one file - just take the first slash */
> 
> if (c == '\\') return 0; /* backslash = MS-DOS */
> 
> isunix = unix_path_seperators(cab->files);
> 
> sep   = (isunix) ? '/'  : '\\'; /* the path-seperator */
> 
>  while (*fname == sep) fname++;

What happens if the .cab archive contains only one file, and \/tmp/abs
is the filename?

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
