oss-sec mailing list archives
Re: CVE Request: cabextract -- directory traversal
From: cve-assign () mitre org
Date: Mon, 23 Feb 2015 02:38:05 -0500 (EST)
it removes leading slashes from filenames but does it before possibly decoding UTF-8 and doesn't check for invalid UTF-8
The issue was reported to Stuart Caie today and fixed in less than 4h:
http://sourceforge.net/p/libmspack/code/217/
Your report seems to be about the need for the "/* remove leading slashes */" code to occur after (not before) the "/* get next UTF-8 character */" code. Is this the only vulnerability being reported, or is the stated behavior of "This doesn't reject bad UTF-8 with overlong encodings, but does re-encode it as valid UTF-8" an independent vulnerability?
    /* special case if there's only one file - just take the first slash */
    if (c == '\\') return 0; /* backslash = MS-DOS */
    isunix = unix_path_seperators(cab->files);
    sep = (isunix) ? '/' : '\\'; /* the path-seperator */
    while (*fname == sep) fname++;
What happens if the .cab archive contains only one file, and \/tmp/abs is the filename?

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
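An added example, not part of the original message and not cabextract's code: one way to order the checks discussed above, so that separator handling runs on decoded code points only after strict UTF-8 validation. The function names are hypothetical, and treating both '/' and '\' as separators (instead of detecting one style per archive) is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>
/* Strictly decode one UTF-8 sequence; returns its byte length, or 0 if it is
 * truncated, overlong, a surrogate, or above U+10FFFF. */
static size_t utf8_decode(const unsigned char *s, unsigned long *cp) {
    static const unsigned long min[] = {0, 0, 0x80, 0x800, 0x10000};
    size_t n, i;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0)      { n = 2; *cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { n = 3; *cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { n = 4; *cp = s[0] & 0x07; }
    else return 0;
    for (i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;  /* NUL lands here: truncated */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    /* overlong, out of range, or surrogate (D800..DFFF via unsigned wrap) */
    if (*cp < min[n] || *cp > 0x10FFFF || (*cp - 0xD800) < 0x800) return 0;
    return n;
}

/* Writes a relative, '/'-separated name to out and returns 0, or returns -1
 * to reject. Separators are matched on decoded code points, not raw bytes. */
int safe_member_name(const char *name, char *out, size_t outsz) {
    const unsigned char *s = (const unsigned char *)name;
    size_t o = 0, n, comp = 0, dots = 0;  /* comp/dots: current component */
    unsigned long cp;
    for (; *s; s += n) {
        if (!(n = utf8_decode(s, &cp))) return -1;       /* invalid UTF-8 */
        if (cp == '/' || cp == '\\') {                   /* either style */
            if (comp == 2 && dots == 2) return -1;       /* ".." component */
            if (o && out[o - 1] != '/') out[o++] = '/';  /* drop leading/dup */
            comp = dots = 0;
            continue;
        }
        if (o + n + 1 >= outsz) return -1;  /* keep room for '/' and NUL */
        memcpy(out + o, s, n);              /* validated bytes copied as-is */
        o += n; comp++; dots += (cp == '.');
    }
    if (o == 0 || (comp == 2 && dots == 2)) return -1;
    out[o] = '\0';
    return 0;
}

int main(void) {
    /* constructed names: mixed leading slashes, overlong '/', ".." component */
    const char *t[] = {"\\/tmp/abs", "\xC0\xAFtmp/abs", "a\\..\\b"};
    char buf[64];
    for (int i = 0; i < 3; i++)
        printf("%s\n", safe_member_name(t[i], buf, sizeof buf) ? "(rejected)" : buf);
}
```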
Current thread:
- CVE Request: cabextract -- directory traversal Alexander Cherepanov (Feb 18)
- Re: CVE Request: cabextract -- directory traversal cve-assign (Feb 22)
- Re: Re: CVE Request: cabextract -- directory traversal Alexander Cherepanov (Feb 23)
- Re: CVE Request: cabextract -- directory traversal cve-assign (Feb 23)
- Re: Re: CVE Request: cabextract -- directory traversal Alexander Cherepanov (Feb 23)
- Re: CVE Request: cabextract -- directory traversal cve-assign (Feb 22)