GNU bug report logs - #72283
Path traversal in gzip's -S option

Previous Next

Package: gzip;

Reported by: Alex Stumpf <gnu <at> AlexStumpf.de>

Date: Thu, 25 Jul 2024 00:40:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 72283 in the body.
You can then email your comments to 72283 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-gzip <at> gnu.org:
bug#72283; Package gzip. (Thu, 25 Jul 2024 00:40:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Alex Stumpf <gnu <at> AlexStumpf.de>:
New bug report received and forwarded. Copy sent to bug-gzip <at> gnu.org. (Thu, 25 Jul 2024 00:40:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Alex Stumpf <gnu <at> AlexStumpf.de>
To: bug-gzip <at> gnu.org
Subject: Path traversal in gzip's -S option
Date: Wed, 24 Jul 2024 23:59:33 +0200

Hi,

I just stumbled upon a "feature" that was probably not intended with the 
-S parameter:

  $ cat /tmp/importantfile
  important content
  $ gzip -f -k -S .d/../../tmp/importantfile /etc/ld.so.conf
  $ cat /tmp/importantfile
  <gzipped content of /etc/ld.so.conf>
  $

I.e., it is possible to create/overwrite files at arbitrary locations 
(provided the user has write permission) just by using gzip parameters. 
This is not an issue for systems with regular shell access, but e.g. 
someone who sets up a restricted shell or allows execution of gzip via a 
web interface might not expect that behavior.

The command works because there is both an /etc/ld.so.conf file as well 
as an /etc/ld.so.conf.d/ directory. So the resulting filename
/etc/ld.so.conf.d/../../tmp/importantfile is a valid path.

It's up to you whether you consider this a fix-worthy bug, but I think 
it wouldn't hurt to test whether compressed and uncompressed files are 
in the same directory.

Cheers
 Alex
Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Thu, 25 Jul 2024 02:17:02 GMT) Full text and rfc822 format available.
Notification sent to Alex Stumpf <gnu <at> AlexStumpf.de>:
bug acknowledged by developer. (Thu, 25 Jul 2024 02:17:02 GMT) Full text and rfc822 format available.

Message #10 received at 72283-done <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Alex Stumpf <gnu <at> AlexStumpf.de>
Cc: 72283-done <at> debbugs.gnu.org
Subject: Re: bug#72283: Path traversal in gzip's -S option
Date: Wed, 24 Jul 2024 19:16:40 -0700

[Message part 1 (text/plain, inline)]
On 2024-07-24 14:59, Alex Stumpf wrote:
> It's up to you whether you consider this a fix-worthy bug,

Thanks for reporting that. It's bad behavior, and worth a fix. I 
installed the attached and am closing the bug report.
[0001-gzip-reject-suffixes-containing.patch (text/x-patch, attachment)]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 22 Aug 2024 11:24:12 GMT) Full text and rfc822 format available.
This bug report was last modified 100 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.