bug-gnu-utils

[SECURITY] bug in contains_dot_dot routine


From: Mark J Cox
Subject: [SECURITY] bug in contains_dot_dot routine
Date: Mon, 27 May 2002 11:44:58 +0100 (BST)

We've recently been looking at the vulnerability mentioned on bugtraq
nearly a year ago:

"Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows
local users overwrite arbitrary files during archive extraction via a tar
file whose filenames contain a .. (dot dot)."  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267

This was fixed by the routine contains_dot_dot in misc.c in tar, which
catches the case where a tar file contains an entry such as "../foo"

However during testing of 1.13.25 we found that we could still trigger
this problem with an entry such as "./../foo" and this is due to a logic
error in misc.c

I've attached a small patch that fixes this (I didn't spend time looking
to see if multiple ISSLASH are already stripped, if so you could optimize
the patch further)

Cheers, Mark
--
Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation
address@hidden // T: +44 798 061 3110 // F: +44 870 1319174

Attachment: tmp1.patch
Description: Text document
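
Added example, not part of the original message and not the code in tar's misc.c or the attached patch: a check that walks a member name one path component at a time, so that ".." is caught wherever it appears, including the "../foo" and "./../foo" entries named above. The function name has_dot_dot_component and the treatment of '/' as the only separator are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumption: '/' is the only path separator (POSIX-style member names). */
static bool is_slash(char c) { return c == '/'; }

/* Return true if any '/'-delimited component of name is exactly "..". */
bool has_dot_dot_component(const char *name)
{
    const char *p = name;

    for (;;) {
        /* Skip separators so p sits at the start of a component;
           this also copes with runs such as "a//../b". */
        while (is_slash(*p))
            p++;
        if (*p == '\0')
            return false;

        /* A component is ".." only when the two dots are followed by
           a separator or the end of the string ("..foo" is a plain name). */
        if (p[0] == '.' && p[1] == '.' && (is_slash(p[2]) || p[2] == '\0'))
            return true;

        /* Advance to the end of this component. */
        while (*p != '\0' && !is_slash(*p))
            p++;
    }
}

int main(void)
{
    /* Constructed sample member names; the first two are the forms
       mentioned in the message. */
    static const char *samples[] = {
        "../foo", "./../foo", "foo/../bar", "foo/..", "a//../b",
        "..foo", "foo..", ".../x", "./foo", "foo/bar"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %s\n", samples[i],
               has_dot_dot_component(samples[i]) ? "reject" : "ok");
    return 0;
}
```

A name check of this kind only inspects the string; it does not account for symbolic links already present in the extraction directory.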

