oss-sec mailing list archives

Re: CVE Request: cabextract -- directory traversal


From: cve-assign () mitre org
Date: Mon, 23 Feb 2015 02:38:05 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> it removes leading slashes from filenames but does it before possibly
> decoding UTF-8 and doesn't check for invalid UTF-8
> 
> The issue was reported to Stuart Caie today and fixed in less than 4h:
> 
> http://sourceforge.net/p/libmspack/code/217/

Your report seems to be about the need for the "/* remove leading
slashes */" code to occur after (not before) the "/* get next UTF-8
character */" code. Is this the only vulnerability being reported, or
is the stated behavior of "This doesn't reject bad UTF-8 with overlong
encodings, but does re-encode it as valid UTF-8" an independent
vulnerability?

/* special case if there's only one file - just take the first slash */

if (c == '\\') return 0; /* backslash = MS-DOS */

isunix = unix_path_seperators(cab->files);

sep   = (isunix) ? '/'  : '\\'; /* the path-seperator */

while (*fname == sep) fname++;

What happens if the .cab archive contains only one file, and \/tmp/abs
is the filename?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU6thCAAoJEKllVAevmvmschIH/jvsovXKOb3R8XToivGmAJG4
raI0rK3IgcvAk3UbH+N9Ss6rSvx4XO4U5NWKWZmTIT8NENOmCR6OffRpyodmNkV0
1yeyTt0YsVaOz35vmyh/GIf9VtsMB1XsUK8Z4V7aAnCr8qsJmzKRwD2tqaKu+m5j
D5Zq3QsIXaEOzXTjrQsCJpSzaGKoKG9jjW3xXC8hdrqBl3V8qbXGVIAQ3a5yOexb
Crx38WncATW1C3wDpQ7g8E6VZ22sbYEJSs2ebm36KCUGtRq6zGZQJjy1ajokpiKM
lTIKtOGN03YAG1EpWPWKEp4cLKYVffhB1pe9pQAh6nTPYg/9CKZzQRCL7Ya8m2s=
=ok2P
-----END PGP SIGNATURE-----
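Added example, not code from cabextract, libmspack or this message: a standalone C routine that applies the ordering the report asks for. It validates the UTF-8 encoding first (rejecting invalid bytes and overlong forms such as a two-byte encoding of '/'), and only then strips leading separators and rejects ".." components. To avoid the one-file ambiguity raised above, it treats both '/' and '\\' as separators rather than choosing one by heuristic; that stricter choice, and the names safe_cab_filename, utf8_decode, is_sep and check, are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode one UTF-8 sequence at s. Returns its byte length, or 0 if the
 * sequence is malformed, truncated, overlong, a surrogate, or > U+10FFFF. */
size_t utf8_decode(const unsigned char *s, uint32_t *cp) {
    unsigned char c = s[0];
    size_t len, i;
    uint32_t v, min;
    if (c < 0x80) { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; v = c & 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { len = 3; v = c & 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { len = 4; v = c & 0x07; min = 0x10000; }
    else return 0;                       /* stray continuation or 0xF8..0xFF */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;   /* also catches early NUL */
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (v < min || v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF)) return 0;
    *cp = v;
    return len;
}

/* Assumption: both slash styles count as separators, regardless of archive. */
static int is_sep(unsigned char c) { return c == '/' || c == '\\'; }

/* Writes a sanitized, relative, '/'-joined path into out. Returns 1 on
 * success, 0 if the name must be rejected (bad UTF-8, "..", empty, too long).
 * When is_utf8 is 0 the name is treated as opaque bytes (assumption). */
int safe_cab_filename(const char *fname, int is_utf8, char *out, size_t outlen) {
    const unsigned char *p = (const unsigned char *)fname;
    size_t o = 0;

    /* Step 1: validate the encoding BEFORE any separator handling, so an
     * overlong encoding of '/' cannot survive stripping and decode later. */
    if (is_utf8) {
        const unsigned char *q = p;
        while (*q) {
            uint32_t cp;
            size_t n = utf8_decode(q, &cp);
            if (n == 0) return 0;
            q += n;
        }
    }

    /* Step 2: walk path components, dropping leading/repeated separators. */
    while (*p) {
        const unsigned char *start;
        size_t len;
        while (*p && is_sep(*p)) p++;
        if (!*p) break;
        start = p;
        while (*p && !is_sep(*p)) p++;
        len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.') return 0; /* parent dir */
        if (len == 1 && start[0] == '.') continue;                    /* drop "." */
        if (o + len + 2 > outlen) return 0;                           /* no room */
        if (o) out[o++] = '/';
        memcpy(out + o, start, len);
        o += len;
    }
    if (o == 0) return 0;    /* nothing usable left */
    out[o] = '\0';
    return 1;
}

/* Test helper: 1 if sanitizing `in` yields `expected` (NULL = must reject). */
int check(const char *in, int is_utf8, const char *expected) {
    char buf[64];
    int r = safe_cab_filename(in, is_utf8, buf, sizeof buf);
    if (expected == NULL) return r == 0;
    return r == 1 && strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed sample names; the first is the one-file case from the thread. */
    const char *names[] = { "\\/tmp/abs", "\xC0\xAF" "tmp/abs",
                            "../../etc/passwd", "dir\\sub\\file.txt", "caf\xC3\xA9.txt" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        char buf[64];
        int ok = safe_cab_filename(names[i], 1, buf, sizeof buf);
        printf("%-24s -> %s\n", names[i], ok ? buf : "(rejected)");
    }
    return 0;
}
```

Because a valid UTF-8 string can only contain '/' or '\\' as single ASCII bytes, validating first makes the byte-level separator scan sound; doing it in the other order is exactly the ordering problem the message describes.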

