Bug 62234 (CVE-2005-2349)

Summary: VUL-0: CVE-2005-2349: directory traversal bug in zoo
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: atoptsoglou, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: archive that creates /etc/foo when extracted with zoo x

Description Ludwig Nussel 2004-10-14 20:09:40 UTC
"doubles" again posted something about a directory traversal bug,
this time in "unzoo". I checked our zoo program which is not unzoo
but it is vulnerable as well. The issue is therefore semi-public.

Just like with unarj it looks like one can only create new files but
not overwrite existing ones.
Comment 1 Ludwig Nussel 2004-10-14 20:10:36 UTC
Created attachment 24998
archive that creates /etc/foo when extracted with zoo x
Comment 2 Marian Jancar 2004-10-21 18:30:26 UTC
the intention is to create directories only under the current working directory,
right?
Comment 3 Ludwig Nussel 2004-10-21 19:02:04 UTC
Yes. I think it is sufficient to fix it in STABLE. amavisd seems to extract 
each file to stdout individually and is therefore not affected. 
Comment 4 Marian Jancar 2004-12-02 19:56:37 UTC
will fix for 9.3
Comment 5 Ludwig Nussel 2005-08-11 09:04:45 UTC
did you fix it? 
Comment 6 Anna Maresova 2005-08-11 18:47:07 UTC
fixes submitted
Comment 7 Ludwig Nussel 2005-08-12 11:40:42 UTC
Where does the patch come from, did you write it yourself? If so did you 
coordinate with upstream? 
 
Is the string you sanitize a directory or a file name? If it's a dir name it 
would probably still allow one level dir traversals if the path ends in ".." 
instead of "../". 
Comment 8 Anna Maresova 2005-08-12 13:00:13 UTC
The patch is taken from Debian. It sanitizes a dirname. Could you please create
an exploit with the few "../" and ".." on the end? The archive with the /etc/foo
can be modified to contain the ".." on the end simply by swapping the "etc" and
"..", but while not perfectly handled this is not an exploit, it can't leave
the current directory. Stripping the "etc" completely probably requires changing
the CRC and I don't know how to do that.
Comment 9 Ludwig Nussel 2005-08-15 12:10:14 UTC
I have no idea how to create crafted zoo archives. Too uncritical to waste 
much time. We'll just accept the patch then. 
Comment 10 Marian Jancar 2005-08-15 14:11:06 UTC
ok, fix submitted with the check for ".."
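The point raised in Comment 7 and closed in Comment 10 is that a sanitizer which only looks for the substring "../" treats a member path ending in a bare ".." as clean. The following is an added illustration, not the Debian patch or zoo's own code: it contrasts a constructed substring check of that weak kind with a component-wise check that rejects absolute paths and any ".." component, trailing or not. The function names are assumptions chosen for this example; the sample paths are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the weak sanitizer discussed in Comment 7:
 * it only asks whether "../" occurs anywhere in the name, so a member path
 * that ends in ".." without a trailing slash passes. Not the Debian patch. */
bool substring_check_passes(const char *path)
{
    return strstr(path, "../") == NULL;
}

/* Component-wise check (hypothetical helper, not zoo's own code): walk the
 * path one '/'-separated component at a time and reject
 *   - NULL or empty names,
 *   - absolute names (leading '/'), which would write outside the extraction
 *     directory regardless of ".." handling,
 *   - any component that is exactly "..", whether it is followed by '/' or
 *     terminates the string.
 * A single "." component and names like "..foo" are allowed because they do
 * not leave the current directory. */
bool member_path_is_safe(const char *path)
{
    if (path == NULL || *path == '\0')
        return false;
    if (path[0] == '/')
        return false;

    const char *p = path;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        /* reject ".." as a whole component; "..x" or "x.." are fine */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;

        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return true;
}

int main(void)
{
    /* constructed sample member names, including the trailing-".." shape
     * from Comment 8 ("etc/..") and the original "../etc/foo" */
    const char *samples[] = {
        "etc/foo", "../etc/foo", "etc/..", "/etc/foo", "a/../../b", "..foo/bar"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-12s substring-check=%s component-check=%s\n", samples[i],
               substring_check_passes(samples[i]) ? "pass" : "reject",
               member_path_is_safe(samples[i]) ? "pass" : "reject");
    }
    return 0;
}
```

Running the block prints one line per sample; "etc/.." is the case where the two checks disagree, which is exactly the gap Comment 7 describes. Checking each component rather than searching for a substring is also what makes the trailing-".." case and repeated "../../" sequences fall out of the same rule.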
Comment 11 Michael Schröder 2005-08-22 10:14:06 UTC
Secteam, how about writing some patchinfos? 
Comment 12 Ludwig Nussel 2005-08-22 10:58:27 UTC
this was supposed to go into STABLE only. 
Comment 13 Marian Jancar 2005-08-22 12:32:06 UTC
sorry for the confusion, fixed
Comment 14 Ruediger Oertel 2005-09-16 11:53:00 UTC
removed submissions for !STABLE