This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.



Re: Directory traversal in `ar`


On Sun, Dec 28, 2014 at 11:00:48PM +0300, Alexander Cherepanov wrote:
> >Is your example something that is actually produced by another ar
> >implementation? Or is it an example of a bad long file name that
> >we don't handle properly?
> 
> Yes, this is a constructed example of a malicious file. An attempt to
> extract the contents of the archive will lead to creation of a file in the
> root directory. It's usually agreed that unpackers and similar tools should
> not by default touch files outside the working directory. The danger is in
> overwriting sensitive files by an unconscious user or by an automatic
> process.
> 
> For similar examples please see
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131 (tar),
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4651 (patch). And I
> recently reported the same problem in binutils:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737 .
> 
> In case of elfutils the danger is mitigated by the fact that AFAICT only one
> '/' is possible in a filename and only in the leading position. Hence only
> files in the root directory can be written with this attack and only when ar
> is executed by root.

Aha. I should have immediately guessed you were looking for something
malicious :) Thanks for the explanation. And yes, the only '/' possible
without your patch is at the start of the long name.

> >BTW. For patches we require people to follow the guidelines in the
> >CONTRIBUTING file (in particular we require a Signed-off-by line):
> >https://git.fedorahosted.org/cgit/elfutils.git/tree/CONTRIBUTING
> 
> Sorry, a better patch attached.

The patch looks perfect and I agree with your analysis.
Pushed as is to master.

Thanks,

Mark
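
An added illustration of the check discussed in this thread (it is not part of the original messages and is not the patch that was pushed): an extractor can refuse any member name that would leave the working directory before creating the output file. The helper names `member_name_is_safe` and `open_member_output` are hypothetical, and the check goes beyond the leading-'/' case described above by rejecting any '/' as well as "." and "..".

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: may NAME be created inside the extraction directory? */
static bool member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strchr(name, '/') != NULL)      /* leading '/' or any path component */
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return true;
}

/* Hypothetical helper: open the output file for one member relative to DIRFD.
   Returns a file descriptor, or -1 with errno set (EINVAL for unsafe names).
   O_NOFOLLOW refuses to write through a symlink planted under that name. */
static int open_member_output(int dirfd, const char *name, mode_t mode)
{
    if (!member_name_is_safe(name)) {
        errno = EINVAL;
        return -1;
    }
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW,
                  mode & 0777);
}

int main(void)
{
    /* Constructed member names, as they might come out of a long-name table. */
    const char *names[] = { "foo.o", "/constructed_name", "..", "" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s %s\n", names[i],
               member_name_is_safe(names[i]) ? "extract" : "refuse");
    return 0;
}
```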