Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)

To: pkg-manager%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,pkgsrc-bugs%netbsd.org@localhost,stegozor%gmail.com@localhost
Subject: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
From: stegozor <stegozor%gmail.com@localhost>
Date: Tue, 6 Oct 2020 20:05:01 +0000 (UTC)

The following reply was made to PR pkg/55684; it has been noted by GNATS.

From: stegozor <stegozor%gmail.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: pkg-manager%netbsd.org@localhost, pkgsrc-bugs%netbsd.org@localhost
Subject: Re: pkg/55684 (Absolute & relative directory traversal with
 archivers/zoo)
Date: Tue, 6 Oct 2020 23:02:58 +0300

 On 4.10.2020 21:28, Joerg Sonnenberger wrote:
 > 
 > This doesn't seem to be correct. It should remove "../" from the start
 > of the path and "/../" anywhere else. foo../ is a valid path name.
 > 
 > Joerg

 I gave unzoo a whirl on my FreeBSD VM, and unlike NetBSD's unzoo, it
 doesn't seem to be susceptible to directory traversal. With
 traversal.zoo, it simply extracts it in the working directory instead of
 putting the moo file in /tmp/ like NetBSD's unzoo and with
 traversal-relative.zoo, it crashes with a segfault. (FreeBSD's zoo, on
 the other hand, has the same traversal vulnerability). By the way,
 should I file another PR for unzoo or can it be taken care of in this one?

 I also tested with unar which is available in FreeBSD and it extracts
 the files with no traversal. You can find a shell log below that shows
 the results. Hope this can provide some useful additional information.

 [stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
 traversal-relative.zoo	traversal.zoo
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ unzoo -x traversal.zoo
 unzoo: skipped root directory path component in ''
 tmp/moo 	-- extracted as binary
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
 tmp			traversal-relative.zoo	traversal.zoo
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ unzoo -x traversal-relative.zoo
 unzoo: skipped "../" path component in ''
 Segmentation fault (core dumped)
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
 tmp			traversal.zoo
 traversal-relative.zoo	unzoo.core
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ unar traversal.zoo
 traversal.zoo: 2020-10-04 20:01:04.783 unar[1175:100226] No local time
 zone specified.
 2020-10-04 20:01:04.783 unar[1175:100226] Using time zone with absolute
 offset 0.
 Zoo
   /tmp/moo  (4 B)... OK.
 Successfully extracted to "./_tmp_moo".
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ unar traversal-relative.zoo
 traversal-relative.zoo: 2020-10-04 20:01:31.145 unar[1176:100226] No
 local time zone specified.
 2020-10-04 20:01:31.146 unar[1176:100226] Using time zone with absolute
 offset 0.
 Zoo
   ../moo  (4 B)... OK.
 Successfully extracted to "./__Parent__".
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
 __Parent__		tmp			traversal.zoo
 _tmp_moo		traversal-relative.zoo	unzoo.core
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ freebsd-version
 12.2-BETA3
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ uname -a
 FreeBSD localhost 12.2-BETA3 FreeBSD 12.2-BETA3 r366133 GENERIC  amd64

Prev by Date: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
Next by Date: pkg/55698: devel/nss fails to install on Solaris 11
Previous by Thread: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
Next by Thread: Re: pkg/54622 (lang/rust fails on NetBSD 8.1 on sparc64)
Indexes:

Home | Main Index | Thread Index | Old Index