Bug 1185717 (CVE-2015-1386) - CVE-2015-1386 unshield: directory traversal
Summary: CVE-2015-1386 unshield: directory traversal
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-1386
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1185719 1185718
Blocks:
Reported: 2015-01-26 05:50 UTC by Kurt Seifried
Modified: 2019-09-29 13:27 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-10 21:06:31 UTC



Description Kurt Seifried 2015-01-26 05:50:41 UTC
Jakub Wilk reports:

Package: unshield
Version: 1.0-1
Tags: security

unshield is vulnerable to directory traversal via "../" sequences. As a 
proof of concept, unpacking the attached InstallShield archive creates a 
file in /tmp:

$ ls /tmp/moo
ls: cannot access /tmp/moo: No such file or directory

$ unshield x data1.cab
Cabinet: data1.cab
 extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
--------  -------
         1 files

$ ls /tmp/moo
/tmp/moo


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
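
Added example (not part of the original report and not unshield's code): a lexical containment check of the kind an extractor can apply to each archive member name before it opens the output file. The function names and sample paths are constructed for illustration, and treating a backslash as a separator is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: '\\' also counts as a separator, since InstallShield
 * archives originate on Windows. */
static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Hypothetical helper, not unshield's code: true when the member name,
 * resolved lexically, names an entry below the extraction directory. */
bool member_path_is_contained(const char *name)
{
    long depth = 0;                 /* directory levels below the root */
    const char *p = name;
    if (name == NULL || *name == '\0' || is_sep(*name))
        return false;               /* empty or absolute path */

    while (*p != '\0') {
        const char *start;
        size_t len;
        while (is_sep(*p))          /* skip separator runs */
            p++;
        start = p;
        while (*p != '\0' && !is_sep(*p))
            p++;
        len = (size_t)(p - start);

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;               /* trailing separator or "." */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0)        /* climbed above the root */
                return false;
        } else {
            depth++;
        }
    }
    return depth > 0;
}

int main(void)
{
    /* Constructed samples modelled on the report's proof of concept. */
    const char *samples[] = { "./Bovine_Files/../../../tmp/moo",
                              "./Bovine_Files/moo" };
    for (size_t i = 0; i < 2; i++)
        printf("%-34s %s\n", samples[i],
               member_path_is_contained(samples[i]) ? "extract" : "reject");
    return 0;
}
```

The check is purely lexical: it does not detect a symlink already present inside the output directory, so an extractor also needs to refuse to follow links when creating parent directories and files.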

Comment 1 Kurt Seifried 2015-01-26 05:52:22 UTC
Created unshield tracking bugs for this issue:

Affects: fedora-all [bug 1185718]
Affects: epel-all [bug 1185719]

Comment 2 Petter Reinholdtsen 2016-08-03 19:27:38 UTC
This issue is reported upstream as https://github.com/twogood/unshield/issues/42 .  Still unsolved upstream.

