[v2.6] cabextract: directory traversal with UTF-8 symbols in filenames (CVE-2015-2060)
It was reported that cabextract is susceptible to a directory traversal vulnerability. While extracting files from an archive, it strips leading slashes from filenames, but does so before decoding names flagged as UTF-8, and it does not reject invalid UTF-8. An absolute filename can therefore be smuggled past the check by encoding the leading slash as an overlong UTF-8 sequence (and setting the UTF-8 attribute on the file entry in the header): the raw bytes carry no leading slash when the strip runs, and the slash only appears once the name is decoded. A malicious archive can exploit this to write files outside the current directory.
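As an added example (not cabextract's or libmspack's own code), the following C model puts the two orderings side by side: the unfixed one strips separators from the raw bytes and then decodes leniently, so an overlong C0 AF survives and becomes a leading '/'; the fixed one decodes strictly first and sanitises the decoded path. The function names, the NAME_IS_UTF8 stand-in for the archive's UTF-8 attribute bit and the sample filenames are this example's own assumptions, and the ".." check goes beyond what the advisory describes; it is included as the extra defence a practitioner would want in the same place.

```c
/* Added demonstration of the ordering bug behind CVE-2015-2060: constructed
 * example code, not cabextract's or libmspack's source. The function names,
 * NAME_IS_UTF8 and the sample filenames are this example's inventions. */
#include <stdio.h>
#include <string.h>

#define NAME_IS_UTF8 1  /* stands in for the CAB "name is UTF-8" attribute bit */

/* Decode one UTF-8 sequence from s[0..n). Returns bytes consumed, 0 on error.
 * strict == 0 accepts overlong forms such as C0 AF for '/' (the weakness);
 * strict == 1 rejects overlong forms, surrogates and values above U+10FFFF. */
static size_t decode_utf8(const unsigned char *s, size_t n,
                          unsigned long *cp, int strict)
{
    size_t len, i;
    unsigned long c, min;
    if (n == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0) { len = 2; c = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; c = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; c = s[0] & 0x07; min = 0x10000; }
    else return 0;  /* stray continuation byte or invalid lead byte */
    if (n < len) return 0;
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (strict && (c < min || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF)))
        return 0;
    *cp = c;
    return len;
}

/* Build a NUL-terminated output name from raw CAB name bytes. With the UTF-8
 * flag each sequence is decoded; code points below 0x80 are written as that
 * single byte (so an overlong '/' becomes '/'), anything else is copied as is.
 * Without the flag bytes are copied unchanged. Returns 0, -1 on bad input/room. */
static int transcode(const unsigned char *name, size_t n, int utf8, int strict,
                     char *out, size_t outsz)
{
    size_t i = 0, o = 0;
    while (i < n) {
        unsigned long cp = name[i];
        size_t used = 1;
        if (utf8 && (used = decode_utf8(name + i, n - i, &cp, strict)) == 0)
            return -1;
        if (o + used + 1 > outsz) return -1;
        if (cp < 0x80) out[o++] = (char)cp;
        else { memcpy(out + o, name + i, used); o += used; }
        i += used;
    }
    out[o] = '\0';
    return 0;
}

/* Unfixed order, as the advisory describes it: strip leading separators from
 * the raw bytes, then decode without rejecting overlong forms. C0 AF is not
 * '/' when the strip runs, so it survives and decodes to '/' afterwards.
 * Returns the output path in a static buffer, or NULL if rejected. */
const char *vulnerable_output_name(const unsigned char *name, size_t n, int attrs)
{
    static char out[512];
    while (n > 0 && (name[0] == '/' || name[0] == '\\')) { name++; n--; }
    return transcode(name, n, attrs & NAME_IS_UTF8, 0, out, sizeof out) == 0
           ? out : NULL;
}

/* Fixed order: decode strictly first, then sanitise the decoded path: map
 * '\' to '/', drop leading separators and refuse any ".." component. */
const char *safe_output_name(const unsigned char *name, size_t n, int attrs)
{
    static char out[512];
    char *p, *seg;
    if (transcode(name, n, attrs & NAME_IS_UTF8, 1, out, sizeof out) != 0)
        return NULL;
    for (p = out; *p; p++)
        if (*p == '\\') *p = '/';
    p = out;
    while (*p == '/') p++;
    for (seg = p;;) {
        size_t l = strcspn(seg, "/");
        if (l == 2 && seg[0] == '.' && seg[1] == '.') return NULL;
        if (seg[l] == '\0') break;
        seg += l + 1;
    }
    memmove(out, p, strlen(p) + 1);
    return out;
}

int main(void)
{
    /* Constructed malicious entry: overlong '/' then "etc/passwd", UTF-8 flag set. */
    static const unsigned char evil[] = "\xC0\xAF" "etc/passwd";
    const char *v = vulnerable_output_name(evil, sizeof evil - 1, NAME_IS_UTF8);
    printf("unfixed order: %s\n", v ? v : "(rejected)");
    const char *s = safe_output_name(evil, sizeof evil - 1, NAME_IS_UTF8);
    printf("fixed order:   %s\n", s ? s : "(rejected)");
    return 0;
}
```

Run as is, the unfixed path comes out as "/etc/passwd" while the fixed one rejects the entry, because strict decoding refuses C0 AF before any separator handling takes place. The general lesson the model encodes is the one behind this class of bug: canonicalise (decode, normalise separators) first, validate on the canonical form, and never let a check on raw bytes stand in for a check on what the bytes will mean after decoding.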
The issue was reported to Stuart Caie today and fixed in less than 4h.
References:
CONFIRM: http://seclists.org/oss-sec/2015/q1/671
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1193952
PATCH: http://sourceforge.net/p/libmspack/code/217/
(from redmine: issue id 4099, created on 2015-04-27, closed on 2015-05-06)
- Relations:
- parent #4098 (closed)
- Changesets:
- Revision d27ae253 by Natanael Copa on 2015-05-05T08:31:51Z:
main/cabextract: security upgrade to 1.6 (CVE-2015-2060)
fixes #4099