Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)

To: gnats-bugs%netbsd.org@localhost
Subject: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
From: stegozor <stegozor%gmail.com@localhost>
Date: Tue, 6 Oct 2020 23:02:58 +0300

On 4.10.2020 21:28, Joerg Sonnenberger wrote:
> 
> This doesn't seem to be correct. It should remove "../" from the start
> of the path and "/../" anywhere else. foo../ is a valid path name.
> 
> Joerg

I gave unzoo a whirl on my FreeBSD VM, and unlike NetBSD's unzoo, it
doesn't seem to be susceptible to directory traversal. With
traversal.zoo, it simply extracts it in the working directory instead of
putting the moo file in /tmp/ like NetBSD's unzoo and with
traversal-relative.zoo, it crashes with a segfault. (FreeBSD's zoo, on
the other hand, has the same traversal vulnerability). By the way,
should I file another PR for unzoo or can it be taken care of in this one?

I also tested with unar which is available in FreeBSD and it extracts
the files with no traversal. You can find a shell log below that shows
the results. Hope this can provide some useful additional information.

[stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
traversal-relative.zoo	traversal.zoo
[stegozor@localhost ~/zoo_stuff/zoo_test]$ unzoo -x traversal.zoo
unzoo: skipped root directory path component in ''
tmp/moo 	-- extracted as binary
[stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
tmp			traversal-relative.zoo	traversal.zoo
[stegozor@localhost ~/zoo_stuff/zoo_test]$ unzoo -x traversal-relative.zoo
unzoo: skipped "../" path component in ''
Segmentation fault (core dumped)
[stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
tmp			traversal.zoo
traversal-relative.zoo	unzoo.core
[stegozor@localhost ~/zoo_stuff/zoo_test]$ unar traversal.zoo
traversal.zoo: 2020-10-04 20:01:04.783 unar[1175:100226] No local time
zone specified.
2020-10-04 20:01:04.783 unar[1175:100226] Using time zone with absolute
offset 0.
Zoo
  /tmp/moo  (4 B)... OK.
Successfully extracted to "./_tmp_moo".
[stegozor@localhost ~/zoo_stuff/zoo_test]$ unar traversal-relative.zoo
traversal-relative.zoo: 2020-10-04 20:01:31.145 unar[1176:100226] No
local time zone specified.
2020-10-04 20:01:31.146 unar[1176:100226] Using time zone with absolute
offset 0.
Zoo
  ../moo  (4 B)... OK.
Successfully extracted to "./__Parent__".
[stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
__Parent__		tmp			traversal.zoo
_tmp_moo		traversal-relative.zoo	unzoo.core
[stegozor@localhost ~/zoo_stuff/zoo_test]$ freebsd-version
12.2-BETA3
[stegozor@localhost ~/zoo_stuff/zoo_test]$ uname -a
FreeBSD localhost 12.2-BETA3 FreeBSD 12.2-BETA3 r366133 GENERIC  amd64

References:
- Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
  - From: Martin Husemann
- Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
  - From: Joerg Sonnenberger

Prev by Date: pkg/55696: pkgsrc/audio/csound6 fails to build
Next by Date: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
Previous by Thread: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
Next by Thread: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
Indexes:

Home | Main Index | Thread Index | Old Index