ELF Tool Chain / Tickets / #474 ar(1) directory traversal

#474 ar(1) directory traversal

Milestone: 1.0

Status: closed

Owner: nobody

Labels: None

Resolution: Fixed

Component:

Priority:

Version:

Type:

Updated: 2015-02-24

Created: 2015-01-04

Creator: Alexander Cherepanov

Private: No

ar(1) has a directory traversal vulnerability -- it seems not to check extracted filenames at all:

:::text
$ printf '!<arch>\n%-48s%-10s`\n%-48s%-10s`\n' /tmp/file 0 ../file 0 > test.a
$ ./ar -xv test.a
x - /tmp/file
x - ../file

It's usually agreed that unpackers and similar tools should not by default touch files outside the working directory. The danger is in overwriting sensitive files by an unconscious user or by an automatic process. Both absolute and relative paths are dangerous.

For similar examples please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131 (tar), https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4651 (patch). And I recently reported the same problem in binutils: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737 .

Discussion

Ed Maste - 2015-01-13

Fix in my elftoolchain repo here: https://github.com/emaste/elftoolchain/commit/57c622d5ce8bb420bee8f10824c07ad0572e66ec

Review for FreeBSD: https://reviews.freebsd.org/D1524

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Ed Maste - 2015-02-24

status: new --> closed

Milestone: 2.0 --> 1.0

Resolution: --> Fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Ed Maste - 2015-02-24

Fixed in [r3169]

Related

Commit: [r3169]

Last edit: Ed Maste 2015-02-24

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

ar(1) directory traversal

BSD licensed ELF toolchain

Milestone

Searches

Help

#474 ar(1) directory traversal

Discussion

Related