This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.
Re: Directory traversal in `ar`
- From: Mark Wielaard <mjw at redhat dot com>
- To: elfutils-devel at lists dot fedorahosted dot org
- Date: Mon, 29 Dec 2014 01:00:48 +0100
- Subject: Re: Directory traversal in `ar`
On Sun, Dec 28, 2014 at 11:00:48PM +0300, Alexander Cherepanov wrote:
> > Is your example something that is actually produced by another ar
> > implementation? Or is it an example of a bad long file name that
> > we don't handle properly?
>
> Yes, this is a constructed example of a malicious file. An attempt to
> extract the contents of the archive will lead to creation of a file in the
> root directory. It's usually agreed that unpackers and similar tools should
> not by default touch files outside the working directory. The danger is in
> overwriting sensitive files by an unconscious user or by an automatic
> process.
>
> For similar examples please see
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131 (tar),
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4651 (patch). And I
> recently reported the same problem in binutils:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737 .
>
> In the case of elfutils the danger is mitigated by the fact that AFAICT only one
> '/' is possible in a filename and only in the leading position. Hence only
> files in the root directory can be written with this attack and only when ar
> is executed by root.
Aha. I should have immediately guessed you were looking for something
malicious :) Thanks for the explanation. And yes, the only '/' possible
without your patch is at the start of the long name.
> > BTW. For patches we require people to follow the guidelines in the
> > CONTRIBUTING file (in particular we require a Signed-off-by line):
> > https://git.fedorahosted.org/cgit/elfutils.git/tree/CONTRIBUTING
>
> Sorry, a better patch attached.
The patch looks perfect and I agree with your analysis.
Pushed as is to master.
Thanks,
Mark
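The check the thread argues for, written out as an added example in C (this is not elfutils code and not the patch Alexander sent): an extractor validates each member name before it opens an output file. `member_name_is_safe` is the general rule for archive formats that legitimately carry subdirectory paths (reject absolute names and any `..` component), and `flat_member_name_is_safe` is the stricter rule that fits `ar`, whose members have no directories, so any `/` at all is treated as hostile. The function names and the sample member names below are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* General rule, for formats that may carry "dir/file" member names.
 * Returns 1 if writing `name` relative to the working directory cannot
 * escape it, 0 otherwise.  Rejects empty names, absolute names (leading
 * '/', the case discussed in the thread) and any ".." path component. */
int member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/')
        return 0;                       /* absolute path: lands outside cwd */

    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                   /* ".." component: climbs out of cwd */
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Strict rule for a flat archive such as `ar`: members are plain file
 * names, so a '/' anywhere in the name has no legitimate meaning and the
 * member is refused outright.  Returns 1 if safe, 0 otherwise. */
int flat_member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    return strchr(name, '/') == NULL;
}

int main(void)
{
    /* Constructed sample member names; "/evil" mirrors the leading-'/'
     * long name from the thread, the rest cover the general rule. */
    const char *samples[] = {
        "foo.o", "/evil", "../escape.o", "lib/../../x", "lib/sub/ok.o", ""
    };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++)
        printf("%-14s flat:%d general:%d\n", samples[i],
               flat_member_name_is_safe(samples[i]),
               member_name_is_safe(samples[i]));
    return 0;
}
```

The two policies differ on purpose: "lib/sub/ok.o" passes the general rule but fails the flat rule, which is the right answer for `ar`, where such a name can only have come from a crafted long-name table.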