GNU bug report logs - #72283: Path traversal in gzip's -S option
Reported by: Alex Stumpf <gnu <at> AlexStumpf.de>
Date: Thu, 25 Jul 2024 00:40:01 UTC
Severity: normal
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Report forwarded to bug-gzip <at> gnu.org: bug#72283; Package gzip. (Thu, 25 Jul 2024 00:40:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Alex Stumpf <gnu <at> AlexStumpf.de>: New bug report received and forwarded. Copy sent to bug-gzip <at> gnu.org. (Thu, 25 Jul 2024 00:40:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi,
I just stumbled upon a "feature" that was probably not intended with the
-S parameter:
$ cat /tmp/importantfile
important content
$ gzip -f -k -S .d/../../tmp/importantfile /etc/ld.so.conf
$ cat /tmp/importantfile
<gzipped content of /etc/ld.so.conf>
$
I.e., it is possible to create/overwrite files at arbitrary locations
(provided the user has write permission) just by using gzip parameters.
This is not an issue for systems with regular shell access, but e.g.
someone who sets up a restricted shell or allows execution of gzip via a
web interface might not expect that behavior.
The command works because there is both an /etc/ld.so.conf file as well
as an /etc/ld.so.conf.d/ directory. So the resulting filename
/etc/ld.so.conf.d/../../tmp/importantfile is a valid path.
It's up to you whether you consider this a fix-worthy bug, but I think
it wouldn't hurt to test whether compressed and uncompressed files are
in the same directory.
Cheers
Alex
Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>: You have taken responsibility. (Thu, 25 Jul 2024 02:17:02 GMT)
Notification sent to Alex Stumpf <gnu <at> AlexStumpf.de>: bug acknowledged by developer. (Thu, 25 Jul 2024 02:17:02 GMT)
Message #10 received at 72283-done <at> debbugs.gnu.org (full text, mbox):
On 2024-07-24 14:59, Alex Stumpf wrote:
> It's up to you whether you consider this a fix-worthy bug,
Thanks for reporting that. It's bad behavior, and worth a fix. I
installed the attached and am closing the bug report.
[0001-gzip-reject-suffixes-containing.patch (text/x-patch, attachment)]
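The same-directory test suggested in message #5, written as an added example for a wrapper that passes a user-supplied suffix to gzip. This is not gzip's code and not the attached patch; the function names and the 4096-byte buffer are assumptions.

```c
/* Added example, not gzip's code: validate a caller-supplied -S suffix
   before handing it to gzip.  Function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the directory part of PATH, up to and including the last '/'
   (0 when PATH contains no '/'). */
static size_t dir_len(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? (size_t)(slash - path) + 1 : 0;
}

/* Return 1 if INPUT + SUFFIX names a file in the same directory as INPUT,
   0 otherwise.  The output name is the input name with the suffix
   appended, so a '/' anywhere in the suffix moves the last path
   separator and therefore the directory the output lands in. */
int suffix_keeps_directory(const char *input, const char *suffix)
{
    char out[4096];
    int n;

    if (suffix[0] == '\0')
        return 0;               /* output name would equal the input name */
    n = snprintf(out, sizeof out, "%s%s", input, suffix);
    if (n < 0 || (size_t)n >= sizeof out)
        return 0;               /* too long to check: refuse */
    return dir_len(out) == dir_len(input);
}

int main(void)
{
    /* Constructed inputs; the second suffix is the one from the report. */
    const char *in = "/etc/ld.so.conf";
    const char *sfx[] = { ".gz", ".d/../../tmp/importantfile", "/x", "" };
    for (size_t i = 0; i < sizeof sfx / sizeof sfx[0]; i++)
        printf("%-30s %s\n", sfx[i],
               suffix_keeps_directory(in, sfx[i]) ? "accept" : "reject");
    return 0;
}
```

The comparison is lexical only and does not resolve symbolic links in the input path.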
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 22 Aug 2024 11:24:12 GMT)