gcab: CVE-2015-0552: directory traversal

Related Vulnerabilities: CVE-2015-0552  

Debian Bug report logs - #774580
gcab: CVE-2015-0552: directory traversal


Package: gcab; Maintainer for gcab is Stephen Kitt <skitt@debian.org>; Source for gcab is src:gcab (PTS, buildd, popcon).

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Sun, 4 Jan 2015 17:15:02 UTC

Severity: normal

Tags: security

Found in version gcab/0.4-1

Fixed in version gcab/0.4-2

Done: Stephen Kitt <skitt@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=742331



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Stephen Kitt <skitt@debian.org>:
Bug#774580; Package gcab. (Sun, 04 Jan 2015 17:15:06 GMT) (full text, mbox, link).


Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gcab: directory traversal
Date: Sun, 4 Jan 2015 18:12:01 +0100
[Message part 1 (text/plain, inline)]
Package: gcab
Version: 0.4-1
Tags: security

gcab is susceptible to directory traversal:

$ pwd
/home/jwilk

$ gcab -xv traversal.cab
\tmp\moo

$ ls -l /tmp/moo
-rw-r--r-- 1 jwilk users 4 Jan  4 17:58 /tmp/moo


The script I used to create the test case is available at:
https://bitbucket.org/jwilk/path-traversal-samples

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages gcab depends on:
ii  libc6          2.19-13
ii  libgcab-1.0-0  0.4-1
ii  libglib2.0-0   2.42.1-1

-- 
Jakub Wilk
[traversal.cab (application/x-cab, attachment)]

Set Bug forwarded-to-address to 'https://bugzilla.gnome.org/show_bug.cgi?id=742331'. Request was from Stephen Kitt <skitt@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2015 17:24:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#774580; Package gcab. (Mon, 05 Jan 2015 06:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Stephen Kitt <skitt@debian.org>:
Extra info received and forwarded to list. (Mon, 05 Jan 2015 06:30:05 GMT) (full text, mbox, link).


Message #10 received at 774580@bugs.debian.org (full text, mbox, reply):

From: Stephen Kitt <skitt@debian.org>
To: Jakub Wilk <jwilk@debian.org>, 774580@bugs.debian.org
Subject: Re: Bug#774580: gcab: directory traversal
Date: Mon, 5 Jan 2015 07:26:36 +0100
[Message part 1 (text/plain, inline)]
Hi Jakub,

On Sun, 4 Jan 2015 18:12:01 +0100, Jakub Wilk <jwilk@debian.org> wrote:
> gcab is susceptible to directory traversal:

Thanks for spotting this, I'm going to submit the following patch which
handles all your traversal cases (albeit in a somewhat ugly manner for
relative traversals):

diff --git a/libgcab/gcab-folder.c b/libgcab/gcab-folder.c
index a140e2c..f96e04f 100644
--- a/libgcab/gcab-folder.c
+++ b/libgcab/gcab-folder.c
@@ -362,9 +362,25 @@ gcab_folder_extract (GCabFolder *self,
                 fname[i] = '/';
 
         GFile *gfile = g_file_resolve_relative_path (path, fname);
-        GFile *parent = g_file_get_parent (gfile);
         g_free (fname);
 
+        if (!g_file_has_prefix(gfile, path)) {
+            // "Rebase" the file in the given path, to ensure we never escape it
+            char *rawpath = g_file_get_path(gfile);
+            if (rawpath != NULL) {
+                char *newpath = rawpath;
+                while (*newpath != 0 && *newpath == G_DIR_SEPARATOR) {
+                    newpath++;
+                }
+                GFile *newgfile = g_file_resolve_relative_path (path, newpath);
+                g_free (rawpath);
+                g_object_unref (gfile);
+                gfile = newgfile;
+            }
+        }
+
+        GFile *parent = g_file_get_parent (gfile);
+
         if (!g_file_make_directory_with_parents (parent, cancellable, &my_error)) {
             if (g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_EXISTS))
                 g_clear_error (&my_error);
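Review bot: in the rebase block, the `if (rawpath != NULL)` guard means that when g_file_get_path() returns NULL, `gfile` is left as the out-of-prefix path and extraction continues to the escaped location rather than failing; since the check `if (!g_file_has_prefix(gfile, path))` has already established that the target lies outside `path`, the NULL case should set an error and return instead of falling through. The rebase is also purely lexical (leading G_DIR_SEPARATOR characters are stripped and the result re-resolved under `path`), so a short comment stating that symlinks under the extraction directory are not considered would make the guarantee being claimed explicit.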



Can you spot any issues there?

Regards,

Stephen
[Message part 2 (application/pgp-signature, inline)]
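As an added illustration of the patch's "rebase" rule (this is example code written for this page, not gcab's or GLib's), the function below models the same logic lexically for POSIX-style paths: the cabinet's backslashes become '/', the entry is resolved against the extraction directory, and anything that does not land strictly below it has its leading '/' stripped and is resolved below the directory once more. The name `rebase_entry` and the fixed buffer sizes are assumptions; symlinks are not resolved, as they are not by g_file_resolve_relative_path on local files.

```c
/* Added example, not gcab's code: a lexical model of the patch's "rebase" rule
 * for POSIX paths. Entry names are untrusted; base is trusted; symlinks are
 * not resolved (neither does g_file_resolve_relative_path on local files). */
#include <stdio.h>
#include <string.h>
#define MAX_PARTS 64

/* Push s's components onto parts[], resolving "." and ".."; popping past the
 * root is ignored as it is for real paths. Returns the new depth or -1. */
static int push_parts(char *s, char **parts, int top) {
    for (char *tok = strtok(s, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (top > 0) top--; continue; }
        if (top >= MAX_PARTS) return -1;
        parts[top++] = tok;
    }
    return top;
}

/* Resolve entry below base into out. Returns 0 if it was already inside, 1 if
 * it escaped and was rebased (as the patch does), -1 on error. */
int rebase_entry(const char *base, const char *entry, char *out, size_t outsz) {
    char b1[1024], b2[1024], e[1024], *bparts[MAX_PARTS], *parts[MAX_PARTS];
    int nb, top, i, inside, rebased = 0; size_t len = 0;
    if (strlen(base) >= 1024 || strlen(entry) >= 1024 || outsz == 0) return -1;
    strcpy(b1, base); strcpy(b2, base);
    for (i = 0; entry[i]; i++)            /* gcab turns the cabinet's '\' into '/' */
        e[i] = entry[i] == '\\' ? '/' : entry[i];
    e[i] = '\0';
    nb = push_parts(b1, bparts, 0); top = push_parts(b2, parts, 0);
    if (nb < 0 || top < 0) return -1;
    if (e[0] == '/') top = 0;             /* absolute entry name ignores base */
    if ((top = push_parts(e, parts, top)) < 0) return -1;
    inside = top > nb;                    /* g_file_has_prefix: strictly below base */
    for (i = 0; inside && i < nb; i++)
        if (strcmp(parts[i], bparts[i]) != 0) inside = 0;
    if (!inside) {                        /* drop leading '/' and re-resolve below base */
        if (top + nb > MAX_PARTS) return -1;
        memmove(parts + nb, parts, (size_t)top * sizeof *parts);
        memcpy(parts, bparts, (size_t)nb * sizeof *parts);
        top += nb; rebased = 1;
    }
    out[0] = '\0';
    for (i = 0; i < top; i++) {
        int w = snprintf(out + len, outsz - len, "/%s", parts[i]);
        if (w < 0 || (size_t)w >= outsz - len) return -1;
        len += (size_t)w;
    }
    return rebased;
}
```

With base `/home/jwilk`, the report's `\tmp\moo` entry comes out as `/home/jwilk/tmp/moo` and `../../etc/passwd` as `/home/jwilk/etc/passwd`, which is exactly the "somewhat ugly" relative-traversal behaviour the patch accepts.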

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Kitt <skitt@debian.org>:
Bug#774580; Package gcab. (Mon, 05 Jan 2015 11:21:08 GMT) (full text, mbox, link).


Message #13 received at 774580@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: 774580@bugs.debian.org
Subject: Re: Bug#774580: gcab: directory traversal
Date: Mon, 5 Jan 2015 12:17:02 +0100
Hi Stephen!

* Stephen Kitt <skitt@debian.org>, 2015-01-05, 07:26:
>I'm going to submit the following patch which handles all your 
>traversal cases (albeit in a somewhat ugly manner for relative 
>traversals):

As a data point, cabextract(1) replaces ".." components with "xx" on 
unpack, which is a different kind of ugly. :-)

>+            char *rawpath = g_file_get_path(gfile);
>+            if (rawpath != NULL) {

Hmm. I'm not familiar with GLib, so I wonder in what circumstances 
g_file_get_path() can return NULL. What happens in that case?

>Can you spot any issues there?

Apart from the doubts raised above, the patch looks good to me.

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Kitt <skitt@debian.org>:
Bug#774580; Package gcab. (Mon, 05 Jan 2015 17:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Kitt <skitt@debian.org>. (Mon, 05 Jan 2015 17:36:04 GMT) (full text, mbox, link).


Message #18 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jakub Wilk <jwilk@debian.org>, 774580@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#774580: gcab: directory traversal
Date: Mon, 5 Jan 2015 18:32:48 +0100
Control: retitle -1 gcab: CVE-2015-0552: directory traversal

Hi

CVE-2015-0552 was assigned to this issue.

Regards,
Salvatore



Changed Bug title to 'gcab: CVE-2015-0552: directory traversal' from 'gcab: directory traversal' Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 05 Jan 2015 17:36:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Kitt <skitt@debian.org>:
Bug#774580; Package gcab. (Mon, 05 Jan 2015 17:36:20 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Kitt <skitt@debian.org>. (Mon, 05 Jan 2015 17:36:20 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#774580; Package gcab. (Mon, 05 Jan 2015 23:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Stephen Kitt <skitt@debian.org>:
Extra info received and forwarded to list. (Mon, 05 Jan 2015 23:03:06 GMT) (full text, mbox, link).


Message #30 received at 774580@bugs.debian.org (full text, mbox, reply):

From: Stephen Kitt <skitt@debian.org>
To: Jakub Wilk <jwilk@debian.org>
Cc: 774580@bugs.debian.org
Subject: Re: Bug#774580: gcab: directory traversal
Date: Tue, 6 Jan 2015 00:01:44 +0100
[Message part 1 (text/plain, inline)]
Hi Jakub,

On Mon, 5 Jan 2015 12:17:02 +0100, Jakub Wilk <jwilk@debian.org> wrote:
> * Stephen Kitt <skitt@debian.org>, 2015-01-05, 07:26:
> >I'm going to submit the following patch which handles all your 
> >traversal cases (albeit in a somewhat ugly manner for relative 
> >traversals):
> 
> As a data point, cabextract(1) replaces ".." components with "xx" on 
> unpack, which is a different kind of ugly. :-)

Indeed... My patch was accepted upstream so I'll stick with that!

> >+            char *rawpath = g_file_get_path(gfile);
> >+            if (rawpath != NULL) {
> 
> Hmm. I'm not familiar with GLib, so I wonder in what circumstances 
> g_file_get_path() can return NULL. What happens in that case?

GIO supports non-local filenames (for network files, e.g. via ssh), and when
manipulating those g_file_get_path() returns NULL. The rest of gcab doesn't
deal with this AFAICT so I added the test simply to avoid any risk of
introducing a null pointer dereference!

> >Can you spot any issues there?
> 
> Apart from the doubts raised above, the patch looks good to me.

Thanks!

Stephen
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Stephen Kitt <skitt@debian.org>:
You have taken responsibility. (Mon, 05 Jan 2015 23:36:13 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 05 Jan 2015 23:36:13 GMT) (full text, mbox, link).


Message #35 received at 774580-close@bugs.debian.org (full text, mbox, reply):

From: Stephen Kitt <skitt@debian.org>
To: 774580-close@bugs.debian.org
Subject: Bug#774580: fixed in gcab 0.4-2
Date: Mon, 05 Jan 2015 23:34:14 +0000
Source: gcab
Source-Version: 0.4-2

We believe that the bug you reported is fixed in the latest version of
gcab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774580@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <skitt@debian.org> (supplier of updated gcab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 06 Jan 2015 00:14:58 +0100
Source: gcab
Binary: gcab libgcab-1.0-0 libgcab-1.0-0-dbg libgcab-dev libgcab-doc gir1.2-libgcab-1.0
Architecture: source amd64 all
Version: 0.4-2
Distribution: unstable
Urgency: medium
Maintainer: Stephen Kitt <skitt@debian.org>
Changed-By: Stephen Kitt <skitt@debian.org>
Description:
 gcab       - Microsoft Cabinet file manipulation tool
 gir1.2-libgcab-1.0 - Microsoft Cabinet file manipulation library - gir bindings
 libgcab-1.0-0 - Microsoft Cabinet file manipulation library
 libgcab-1.0-0-dbg - Microsoft Cabinet file manipulation library - debug files
 libgcab-dev - Microsoft Cabinet file manipulation library - development files
 libgcab-doc - Microsoft Cabinet file manipulation library - documentation
Closes: 774580
Changes:
 gcab (0.4-2) unstable; urgency=medium
 .
   * Indicate that libgcab/gcab-enums.* is licensed using LGPL-2.0+, not
     2.1+ like the rest of the project. Thanks to Thorsten Alteholz for
     pointing out that this should be indicated explicitly!
   * Prevent path traversals; contents of cabinet files are always
     extracted below the extraction point and cannot escape it. Closes:
     #774580. This is CVE-2015-0552.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Feb 2015 07:27:24 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:31:14 2019; Machine Name: beach
