Message-ID: <20250811022220.GR2576@qaa.vinc17.org>
Date: Mon, 11 Aug 2025 04:22:20 +0200
From: Vincent Lefevre <vincent@...c17.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2025-55188: 7-Zip: Arbitrary file write on
 extraction, may lead to code execution

On 2025-08-09 22:55:14 -0700, lunbun wrote:
> If, say, the archive is extracted to `/tmp` and the CWD is `/tmp`, then
> yes, the best an attacker can do is guess the user's login name.

There are other issues with /tmp. If I understand correctly,
the attacker could create /tmp/config.guess and /tmp/install-sh
executable files. Then if the user compiles a libtool-based
library under a subdirectory of /tmp, one of these files could
be executed:

  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21951

And what about the /run/user/1000 directory? (In Debian,
the UID of the main user always seems to be 1000.)

-- 
Vincent Lefèvre <vincent@...c17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
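
A defensive check for the situation described in the message above, as an added example that is not part of the original post or the thread: before building under a shared directory such as /tmp, it lists autotools helper scripts found in the ancestors of the source tree. The function name, the two extra helper names and the default of two parent levels are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): list autotools helper
# scripts found in the parent directories of a source tree.

# config.guess and install-sh are named in the message; the other two
# names are assumptions (common autotools auxiliary scripts).
AUX_NAMES="config.guess install-sh config.sub ltmain.sh"

# find_stray_aux SRC_DIR [LEVELS]
# Checks LEVELS ancestors of SRC_DIR (default 2, an assumption about how
# far up a build may look). Prints one line per helper found.
# Returns 0 if something was found, 1 if not, 2 if SRC_DIR is unusable.
find_stray_aux() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    levels=${2:-2}
    rc=1
    while [ "$levels" -gt 0 ] && [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        levels=$((levels - 1))
        # Character 9 of the mode string is the "other" write bit; it is
        # set on /tmp, so anyone (or a stray extraction) can drop files.
        case $(ls -ld "$dir") in
            d???????w*) shared=yes ;;
            *)          shared=no ;;
        esac
        for name in $AUX_NAMES; do
            f=${dir%/}/$name
            [ -e "$f" ] || continue
            owner=$(ls -ld "$f" | awk '{print $3}')
            echo "$f owner=$owner world-writable-dir=$shared"
            rc=0
        done
    done
    return "$rc"
}

# Stand-alone use: sh check-aux.sh /tmp/build/libfoo-1.0
if [ "$#" -gt 0 ]; then
    find_stray_aux "$@"
fi
```

Any line reported with world-writable-dir=yes, or with an owner other than the user doing the build, is worth inspecting before running configure or make.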
