Bug 1185717 (CVE-2015-1386)

Summary: CVE-2015-1386 unshield: directory traversal
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: andreas.bierfert, pere
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-06-10 21:06:31 UTC
Bug Depends On: 1185718, 1185719

Description Kurt Seifried 2015-01-26 05:50:41 UTC
Jakub Wilk reports:

Package: unshield
Version: 1.0-1
Tags: security

unshield is vulnerable to directory traversal via "../" sequences. As a 
proof of concept, unpacking the attached InstallShield archive creates a 
file in /tmp:

$ ls /tmp/moo
ls: cannot access /tmp/moo: No such file or directory

$ unshield x data1.cab
Cabinet: data1.cab
 extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
--------  -------
         1 files

$ ls /tmp/moo
/tmp/moo


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
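
A lexical check an extractor could apply to each archive member name before creating the output file, given here as an added example (it is not unshield's code and not an upstream fix). The function name is hypothetical, and treating backslash as a path separator is an assumption made because InstallShield archives originate on Windows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Hypothetical helper (not part of unshield): returns true when the
 * member name stays inside the extraction directory once "." and ".."
 * components are resolved lexically. */
bool member_path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* Reject absolute paths, including Windows drive-letter forms. */
    if (is_sep(name[0]) || name[1] == ':')
        return false;

    long depth = 0;               /* directories below the output root */
    const char *p = name;
    while (*p != '\0') {
        while (is_sep(*p))        /* skip runs of separators */
            p++;
        const char *start = p;
        while (*p != '\0' && !is_sep(*p))
            p++;
        size_t len = (size_t)(p - start);

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;             /* empty or "." component: no change */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0)      /* climbed above the output root */
                return false;
            continue;
        }
        depth++;                  /* ordinary directory or file name */
    }
    return depth > 0;             /* must name something inside the root */
}

int main(void)
{
    /* Constructed samples; the first is a shortened form of the PoC name. */
    const char *names[] = { "./Bovine_Files/../../../tmp/moo", "Bovine_Files/moo.txt" };
    for (size_t i = 0; i < 2; i++)
        printf("%-36s %s\n", names[i], member_path_is_safe(names[i]) ? "extract" : "REJECT");
    return 0;
}
```

The check is purely lexical, so it does not account for symbolic links that already exist under the output directory.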

Comment 1 Kurt Seifried 2015-01-26 05:52:22 UTC
Created unshield tracking bugs for this issue:

Affects: fedora-all [bug 1185718]
Affects: epel-all [bug 1185719]

Comment 2 Petter Reinholdtsen 2016-08-03 19:27:38 UTC
This issue is reported upstream as https://github.com/twogood/unshield/issues/42 .  Still unsolved upstream.