Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

unzip: Directory traversal vulnerability may lead to command execution / privilege escalation #3992

Open
bcoles opened this issue Nov 8, 2020 · 1 comment
Labels

Comments

@bcoles
Copy link
Collaborator

bcoles commented Nov 8, 2020

Same issue as #3991 in tar.

lol

This could also be used to gain command execution on the host, or elevate privileges to the anon user from a lower privileged user, in the event that anon extracts a malicious tar file.

Command execution via /etc/shellrc (as root) or /home/anon/.config/Terminal.ini (as anon).

bblenard pushed a commit to bblenard/serenity that referenced this issue Mar 10, 2021
This change validates the filenames within a tar/zip archive during
extraction. If the filename within a the archive is outside of the
current working directory the file will be skipped and not extracted
onto the host system.

Closes SerenityOS#3991
Closes SerenityOS#3992
@bblenard
Copy link

Also commented on this issue but I'll cross post here:

Opened a PR to fix this issue. Trying to get my feet wet with Serenity/C++ so let me know if I'm doing something silly :)

bblenard pushed a commit to bblenard/serenity that referenced this issue Mar 10, 2021
This change validates the filenames within a tar/zip archive during
extraction. If the filename within a the archive is outside of the
current working directory the file will be skipped and not extracted
onto the host system.

Closes SerenityOS#3991
Closes SerenityOS#3992
bblenard pushed a commit to bblenard/serenity that referenced this issue Mar 12, 2021
This change validates the filenames within a tar/zip archive during
extraction. If the filename within a the archive is outside of the
current working directory the file will be skipped and not extracted
onto the host system.

Closes SerenityOS#3991
Closes SerenityOS#3992
bblenard pushed a commit to bblenard/serenity that referenced this issue Mar 18, 2021
This change validates the filenames within a tar/zip archive during
extraction. If the filename within a the archive is outside of the
current working directory the file will be skipped and not extracted
onto the host system.

Closes SerenityOS#3991
Closes SerenityOS#3992
bblenard pushed a commit to bblenard/serenity that referenced this issue Mar 18, 2021
This change validates the filenames within a tar/zip archive during
extraction. If the filename within a the archive is outside of the
current working directory the file will be skipped and not extracted
onto the host system.

Closes SerenityOS#3991
Closes SerenityOS#3992
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants