cabextract: directory traversal with UTF-8 symbols in filenames (CVE-2015-2060)
It was reported that cabextract is susceptible to a directory traversal vulnerability. While extracting files from an archive, it removes leading slashes from filenames, but it does so before possibly decoding UTF-8 and does not check for invalid UTF-8. Hence an absolute filename can be slipped through by using an overlong encoding for the leading slash (and setting the utf8 attribute in the header). A malicious archive can exploit this to write files outside the current directory.
The issue was reported to Stuart Caie today and fixed in less than 4h.
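As an added illustration (not cabextract's or libmspack's code), a small Python model of the ordering bug described above: the vulnerable path strips slashes from the raw bytes and then decodes leniently, while the hardened path decodes strictly first and strips afterwards. The lenient decoder, the helper names and the sample filenames are constructed for this example.

```python
# Illustrative model of CVE-2015-2060, not libmspack/cabextract code. A CFFILE
# entry carries a raw filename plus a "utf8" attribute flag; names are constructed.

def lenient_utf8_decode(raw: bytes) -> str:
    """Decoder that accepts overlong sequences, modelling the pre-fix behaviour."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            cp, n = b, 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(raw):
            cp, n = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F), 2
        elif 0xE0 <= b < 0xF0 and i + 2 < len(raw):
            cp, n = ((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F), 3
        else:
            cp, n = 0xFFFD, 1  # stray byte -> replacement character
        out.append(chr(cp))
        i += n
    return "".join(out)

def vulnerable_name(raw: bytes, utf8_attr: bool) -> str:
    """Bug: slashes stripped from the raw bytes, then decoded without validation,
    so an overlong-encoded '/' survives and yields an absolute path."""
    stripped = raw.lstrip(b"/\\")
    return lenient_utf8_decode(stripped) if utf8_attr else stripped.decode("latin-1")

def hardened_name(raw: bytes, utf8_attr: bool) -> str:
    """Fix: strict decode first (Python's UTF-8 codec rejects overlong and other
    invalid sequences), then strip leading slashes from the decoded text.
    The '..' component check is an extra defensive step beyond the CVE fix."""
    if utf8_attr:
        try:
            name = raw.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError(f"invalid UTF-8 in cabinet filename: {exc}") from exc
    else:
        name = raw.decode("latin-1")
    name = name.lstrip("/\\")
    if ".." in name.replace("\\", "/").split("/"):
        raise ValueError("path traversal component in cabinet filename")
    return name

def accepted(raw: bytes, utf8_attr: bool) -> bool:
    """True if the hardened path would extract this entry at all."""
    try:
        hardened_name(raw, utf8_attr)
        return True
    except ValueError:
        return False
```

With the utf8 attribute set, `vulnerable_name` turns the two-byte overlong form `C0 AF` (and the three-byte `E0 80 AF`) into a leading `/`, whereas `hardened_name` rejects the entry as invalid UTF-8.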
References:
CONFIRM: http://seclists.org/oss-sec/2015/q1/671
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1193952
PATCH: http://sourceforge.net/p/libmspack/code/217/
(from redmine: issue id 4098, created on 2015-04-27, closed on 2015-05-06)
- Relations:
  - child #4099 (closed)
  - child #4100 (closed)
  - child #4101 (closed)
  - child #4102 (closed)