Debian Bug report logs - #277522
cabextract directory traversal if files in cabinet contain "../"


Package: cabextract; Maintainer for cabextract is Eric Sharkey <sharkey@debian.org>; Source for cabextract is src:cabextract.

Reported by: Mikko Rapeli <mikko.rapeli@iki.fi>

Date: Wed, 20 Oct 2004 16:48:01 UTC

Severity: grave

Tags: security

Found in version 0.2-2

Fixed in version cabextract/1.1-1

Done: Eric Sharkey <sharkey@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#277522; Package cabextract.

Acknowledgement sent to Mikko Rapeli <mikko.rapeli@iki.fi>:
New Bug report received and forwarded. Copy sent to Eric Sharkey <sharkey@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Mikko Rapeli <mikko.rapeli@iki.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cabextract directory traversal if files in cabinet contain "../"
Date: Wed, 20 Oct 2004 19:42:43 +0300
Package: cabextract
Version: 0.2-2
Severity: grave
Tags: security
Justification: user security hole

Hello,

I just noticed from cabextract's upstream changelogs
(http://www.kyz.uklinux.net/cabextract.php#changes) that the latest
version contains a fix for this typical directory traversal of archived
filenames having "../" in them.

The cabextract version 1.0 in testing and unstable can probably be
upgraded to the latest upstream version of 1.1, but for the stable
version this seems much more tricky.

The fix seems to be the following (copy-paste from a diff, not likely to
apply as such, and vi does funny things too, sigh):

--- cabextract-1.0/src/cabextract.c     2004-03-09 21:05:04.000000000 +0200
+++ cabextract-1.1/src/cabextract.c     2004-10-17 23:16:23.000000000 +0300

@@ -727,6 +752,16 @@
       else if (lower)      c = (unsigned char) tolower((int) c);
     } while ((*p++ = c));
   }
+
+  /* search for "../" in cab filename part and change to "xx/".  This
+   * prevents any unintended directory traversal. */
+  for (p = &name[dir ? strlen(dir)+1 : 0]; *p; p++) {
+    if ((p[0] == '.') && (p[1] == '.') && (p[2] == '/')) {
+      p[0] = p[1] = 'x';
+      p += 2;
+    }
+  }
+
    return (char *) name;
   }		   
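Review bot: the new loop matches only the exact byte sequence "../", so it is correct only if the preceding `do { ... } while ((*p++ = c))` pass has already turned every backslash in the cabinet name into '/'; if a '\' can still reach this point, "..\" would pass through untouched, so it is worth a comment here stating that assumption. Two smaller points: the loop starts scanning at `&name[dir ? strlen(dir)+1 : 0]` and never looks at whether the member name itself begins with a separator (an absolute name), so if the caller does not already strip a leading '/', this fix does not cover that case; and silently rewriting ".." to "xx" hides the fact that the cabinet contained a suspicious entry, so consider emitting a warning (or skipping the entry) when the rewrite fires, so the user can see what happened.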

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux nalle 2.4.18-1-586tsc #1 Wed Apr 14 17:57:38 UTC 2004 i586
Locale: LANG=C, LC_CTYPE=fi_FI@euro

Versions of packages cabextract depends on:
ii  libc6                         2.2.5-11.5 GNU C Library: Shared libraries an
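The fix above rewrites "../" in place. A stricter check that a defender can drop into an extraction tool is to validate each member name before opening anything beneath the output directory and to reject (rather than rewrite) names that would escape it. The following is an added example written for this bug log, not cabextract's own code: it treats both '/' and '\' as separators (CAB names are DOS-style), rejects absolute names and drive prefixes, and rejects any "." or ".." path component, while still allowing ".." inside an ordinary file name such as "a..b". The function name and the sample names in `main` are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not cabextract's API): returns true if `name`, a
 * member name taken from an archive, may safely be extracted beneath a
 * base directory. A name is rejected if it is empty, absolute (leading
 * '/' or '\'), carries a DOS drive prefix such as "C:", contains an empty
 * component ("a//b"), or contains a "." or ".." component in either
 * separator style. */
bool archive_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;

    /* absolute path or UNC-style prefix */
    if (name[0] == '/' || name[0] == '\\')
        return false;

    /* DOS drive letter prefix, e.g. "C:\Windows\..." */
    if (((name[0] >= 'A' && name[0] <= 'Z') ||
         (name[0] >= 'a' && name[0] <= 'z')) && name[1] == ':')
        return false;

    const char *p = name;
    while (*p) {
        /* locate the end of the current path component */
        const char *q = p;
        while (*q && *q != '/' && *q != '\\')
            q++;
        size_t len = (size_t)(q - p);

        if (len == 0)
            return false;                       /* empty component: "a//b" */
        if (len == 1 && p[0] == '.')
            return false;                       /* "." component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                       /* ".." component */

        if (*q == '\0')
            break;                              /* last component checked */
        p = q + 1;
    }
    return true;
}

int main(void)
{
    /* constructed sample member names, not taken from any real cabinet */
    const char *samples[] = {
        "dir/file.txt", "a\\b\\c.dll", "a..b/c",
        "../etc/passwd", "dir\\..\\x", "/abs", "C:\\x", "a/./b", "a/..",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               archive_name_is_safe(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

Rejecting the entry keeps the extracted tree faithful to what the user asked for and makes a hostile cabinet visible, whereas the "xx/" rewrite quietly produces a file the cabinet never named; either way the check belongs before any path is opened for writing.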




Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#277522; Package cabextract.

Acknowledgement sent to Eric Sharkey <sharkey@netrics.com>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>.

Message #10 received at 277522@bugs.debian.org:

From: Eric Sharkey <sharkey@netrics.com>
To: Mikko Rapeli <mikko.rapeli@iki.fi>, 277522@bugs.debian.org
Subject: Re: Bug#277522: cabextract directory traversal if files in cabinet contain "../"
Date: Wed, 20 Oct 2004 12:57:15 -0400
> I just noticed from cabextract's upstream changelogs ( 
> http://www.kyz.uklinux.net/cabextract.php#changes )

Thanks.

I'll fix this ASAP.

Eric



Reply sent to Eric Sharkey <sharkey@debian.org>:
You have taken responsibility.

Notification sent to Mikko Rapeli <mikko.rapeli@iki.fi>:
Bug acknowledged by developer.

Message #15 received at 277522-close@bugs.debian.org:

From: Eric Sharkey <sharkey@debian.org>
To: 277522-close@bugs.debian.org
Subject: Bug#277522: fixed in cabextract 1.1-1
Date: Wed, 20 Oct 2004 14:32:11 -0400
Source: cabextract
Source-Version: 1.1-1

We believe that the bug you reported is fixed in the latest version of
cabextract, which is due to be installed in the Debian FTP archive:

cabextract_1.1-1.diff.gz
  to pool/main/c/cabextract/cabextract_1.1-1.diff.gz
cabextract_1.1-1.dsc
  to pool/main/c/cabextract/cabextract_1.1-1.dsc
cabextract_1.1-1_i386.deb
  to pool/main/c/cabextract/cabextract_1.1-1_i386.deb
cabextract_1.1.orig.tar.gz
  to pool/main/c/cabextract/cabextract_1.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 277522@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Sharkey <sharkey@debian.org> (supplier of updated cabextract package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 20 Oct 2004 14:04:05 -0400
Source: cabextract
Binary: cabextract
Architecture: source i386
Version: 1.1-1
Distribution: unstable
Urgency: low
Maintainer: Eric Sharkey <sharkey@debian.org>
Changed-By: Eric Sharkey <sharkey@debian.org>
Description: 
 cabextract - a program to extract Microsoft Cabinet files
Closes: 277522
Changes: 
 cabextract (1.1-1) unstable; urgency=low
 .
   * New upstream
   * upstream change Closes: #277522
Files: 
 aafd9f0ef74d994b2451d473569860b3 569 utils optional cabextract_1.1-1.dsc
 f4b729c0be7d288660f4fc167de199a1 187495 utils optional cabextract_1.1.orig.tar.gz
 74ce0d255ac43d04c23b4c1bf3fde704 2142 utils optional cabextract_1.1-1.diff.gz
 e54114db30673f03d62628ad07591a6c 44802 utils optional cabextract_1.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBdqlIclUlAyIk+rwRAgY2AKC46bv4M5w8+O4SvXYIImSPUypv/QCgpeLy
EJTdr3MR3F2xrW1Y8bLW0fE=
=Hq5t
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 13:08:47 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.