[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#25611: 26.0.50; dired-do-compress unpacks .tgz files

From: Mike Kupfer
Subject: bug#25611: 26.0.50; dired-do-compress unpacks .tgz files
Date: Mon, 06 Mar 2017 09:28:53 -0800

Hi Oleh,

Oleh Krehel wrote:

> > It occurs to me that this could be considered a security vulnerability.
> > If the .tgz file is (unintentionally) unpacked in $HOME and contains a
> > .ssh/authorized_keys, that could give an attacker access to the victim's
> > account.
> The file is uncompressed into a directory with the same name. So the
> file would have to be ~/.ssh.tar.gz. If a user presses "Z" on that
> file, it's pretty clear what will happen, same as with "C" on e.g. an
> `authorized_keys' file somewhere.

That might be the intended usage, but my testing[1] shows that there's
no enforcement.  I created by hand a Desktop.tgz by doing

    tar cf Desktop.tar Desktop .ssh/known_hosts

and then compressing Desktop.tar.  (I don't use an authorized_keys file
on the system that I ran the test on.)  I moved Desktop.tgz to a temp
directory and then pressed "Z" on it.  It unpacked Desktop okay, but it
also created .ssh/known_hosts.

I also tried editing one of the files in <temp_dir>/Desktop and redoing
"Z" on Desktop.tgz.  That silently overwrote my change.

So I think two changes are needed: one to eliminate the security risk,
the second to protect against accidental data loss.

The security risk would be closed by ensuring that foo.<suffix> only
unpacks into "foo".  This could be done by checking the table of
contents of the tar file and erroring out if anything is amiss.  Another
approach would be to invoke tar as "tar xf ... foo".  The first approach
gives better feedback to the user if there is something amiss with the
tar file, but it'll take more code.  (GNU tar, at least, protects
against things like foo/../.ssh/mumble; I don't know about other
variants of tar.)

To protect against accidental data loss, I recommend erroring out if
"foo" already exists, or asking the user for confirmation before


[1] Emacs master, changeset 18c47695 from 21 February, running on Debian

reply via email to

[Prev in Thread] Current Thread [Next in Thread]