[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY] bug in contains_dot_dot routine
From: |
Mark J Cox |
Subject: |
[SECURITY] bug in contains_dot_dot routine |
Date: |
Mon, 27 May 2002 11:44:58 +0100 (BST) |
We've recently been looking at the vulnerability mentioned on bugtraq
nearly a year ago:
"Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows
local users overwrite arbitrary files during archive extraction via a tar
file whose filenames contain a .. (dot dot)."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267
This was fixed by the routine contains_dot_dot in misc.c in tar, which
catches the case where a tar file contains an entry such as "../foo"
However during testing of 1.13.25 we found that we could still trigger
this problem with an entry such as "./../foo" and this is due to a logic
error in misc.c
I've attached a small patch that fixes this (I didn't spend time looking
to see if multiple ISSLASH are already stripped, if so you could optimize
the patch further)
Cheers, Mark
--
Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation
address@hidden // T: +44 798 061 3110 // F: +44 870 1319174
tmp1.patch
Description: Text document
- [SECURITY] bug in contains_dot_dot routine,
Mark J Cox <=