Bug 62537 (CVE-2004-0916)

Summary: VUL-0: CVE-2004-0916: directory traversal bug in cabextract
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Stefan Dirsch <sndirsch>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0916: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: cabextract-0.6.diff
             cabextract-1.0.diff

Description Ludwig Nussel 2004-10-22 17:06:13 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Fri, 22 Oct 2004 09:01:11 +0200
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0916: directory traversal in cabextract

Hi,

not sure if one of you ships cabextract (to extract M$ .cab files)
as well.  The upstream developers have discovered that the program
was able to overwrite files in upper directory levels.  The standard
missing "../" sanitising.  Patch attached.

This issue is already public.

--- cabextract.c        6 Mar 2001 16:27:43 -0000       1.1.1.1
+++ cabextract.c        20 Oct 2004 19:15:58 -0000      1.1.1.1.2.2
     if (*p=='/') *p='\\'; else if (*p=='\\') *p='/';
   }

+  /* search for "../" in cab filename part and change to "xx/".  This
+   * prevents any unintended directory traversal. */
+  for (p = fi->filename; *p; p++) {
+    if ((p[0] == '.') && (p[1] == '.') && (p[2] == '/')) {
+      p[0] = p[1] = 'x';
+      p += 2;
+    }
+  }
+
   if (ensure_filepath(fi->filename)) {
     fi->fh = fopen(fi->filename, "wb");
     if (fi->fh) ok = 1;
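Review bot: the new loop only neutralises "../"; a member name that is absolute after the separator swap in the preceding loop (a leading "/" or a drive-style prefix such as "C:/") reaches ensure_filepath() and fopen() unchanged, and nothing in this hunk shows it being anchored under the extraction directory. Suggest either rejecting names that begin with "/" or contain ":" next to the "../" rewrite, or joining the name onto the output directory before the call, e.g. check `if (fi->filename[0] == '/')` before `ensure_filepath(fi->filename)`. Also consider printing a warning when a name is rewritten, so the user learns the cabinet carried a traversal attempt instead of silently getting "xx/" directories; the 1.1 changelog quoted later in this bug describes the rewrite but the code does not announce it.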

Regards,

	Joey
Comment 1 Stefan Dirsch 2004-10-22 18:08:08 UTC
Against which cabextract version is this? I cannot find this context in 
cabextract 1.0 at all. There is something in cabextract 0.6, which looks 
similar to the context above. This needs to be investigated by the security 
team. 
 
BTW, we use cabextract 1.0 for 9.1/SLES9, 9.2 and cabextract 0.6 for 8.2 and 
9.0 (new package since 8.2). 
Comment 2 Stefan Dirsch 2004-10-25 21:56:35 UTC
The latest version is 1.1. The security issue seems to be fixed in 1.1. 
 
http://www.kyz.uklinux.net/cabextract.php 
 
[...] 
Changes since cabextract 1.0 
 
- A security vulnerability has been fixed. If the files within a cabinet file 
  include "../" in their filenames, this will be changed to "xx/", so cabinets 
  cannot access the parent directory of where you want to extract them.  
 
Comment 3 Stefan Dirsch 2004-10-26 06:03:34 UTC
BTW, I would like to know, why it is a security problem to extract something 
in "..". Don't I always list the content of a .cab file before extracting it 
to make sure no files are overwritten? Where is the big difference between 
overwriting some file in "." and ".." ? 
Comment 4 Stefan Dirsch 2004-10-26 10:54:11 UTC
Created attachment 25393 [details]
cabextract-0.6.diff
Comment 5 Stefan Dirsch 2004-10-26 10:54:36 UTC
Created attachment 25394 [details]
cabextract-1.0.diff
Comment 6 Stefan Dirsch 2004-10-26 11:14:46 UTC
submitted cabextract-1.1, which already fixes this issue (see comment #2), now 
for STABLE. It needs to be decided if a security update for older version is 
required. I already attached the patches for 0.6 and 1.0. 
Comment 7 Marcus Meissner 2004-10-26 16:16:01 UTC
You can chain multiple ".." to overwrite any file on the system belonging 
to the user, like ../../../etc/passwd or so, which is the usual problem. 
Comment 8 Stefan Dirsch 2004-10-26 16:50:03 UTC
OK. So other archive tools like tar/zip don't suffer from this problem, right? 
 
sndirsch@shannon:~/tmp> tar cvf simple.tar ../selection  
tar: Removing leading `../' from member names 
../selection 
sndirsch@shannon:~/tmp> tar tvf simple.tar  
-rw-r--r-- sndirsch/suse 22480 2004-10-26 05:54:27 selection 
sndirsch@shannon:~/tmp> zip simple.zip ../selection  
  adding: ../selection (deflated 62%) 
sndirsch@shannon:~/tmp> unzip -v simple.zip  
Archive:  simple.zip 
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name 
--------  ------  ------- -----   ----   ----   ------    ---- 
   22480  Defl:N     8545  62%  10-26-04 05:54  2ede8e2e  ../selection 
--------          -------  ---                            ------- 
   22480             8545  62%                            1 file 
sndirsch@shannon:~/tmp> unzip simple.zip  
Archive:  simple.zip 
warning:  skipped "../" path component(s) in ../selection 
  inflating: selection                
sndirsch@shannon:~/tmp> 
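The chaining Marcus describes in comment 7 and the stripping that tar and unzip do in comment 8 can both be checked programmatically. The following is an added example, not code from cabextract or from this bug: it mirrors the "../" to "xx/" rewrite of the patch quoted above (assuming, as the patch's preceding loop does, that backslashes have already been turned into slashes) and sets it beside a stricter check that resolves each member name against the destination directory and refuses anything that lands outside it, including absolute names, which the "../" rewrite leaves untouched. The destination directory and the member names are constructed for the example.

```python
import posixpath
from typing import Dict, List, Optional, Tuple

# Hypothetical extraction directory (assumption for the example).
DEST = "/tmp/extract"


def cab_rewrite(name: str) -> str:
    """Mirror of the patch's loop: every "../" becomes "xx/".

    Backslashes are normalised to slashes first, as the loop preceding
    the patch hunk does, so "..\\" is caught the same way as "../".
    """
    name = name.replace("\\", "/")
    out: List[str] = []
    i = 0
    while i < len(name):
        if name.startswith("../", i):
            out.append("xx/")
            i += 3          # skip the two dots and the slash, as the C loop does
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def strict_target(dest: str, member: str) -> Optional[str]:
    """Resolve a member name under dest; return None if it would escape.

    Rejects absolute names and drive-style prefixes outright, then
    normalises the joined path and requires dest to remain its prefix,
    which defeats any number of chained ".." components.
    """
    dest = posixpath.normpath(dest)
    norm = member.replace("\\", "/")
    if posixpath.isabs(norm) or (len(norm) > 1 and norm[1] == ":"):
        return None
    target = posixpath.normpath(posixpath.join(dest, norm))
    if posixpath.commonpath([dest, target]) != dest:
        return None
    return target


# Constructed member names, not taken from a real cabinet.
SAMPLE_MEMBERS = [
    "docs/readme.txt",       # ordinary, stays inside
    "a/../b.txt",            # ".." that never leaves dest, stays inside
    "../selection",          # the comment 8 case
    "../../../etc/passwd",   # the comment 7 chain
    "sub/../../escape.txt",  # climbs out after first descending
    "..\\..\\win.ini",       # backslash separators
    "/etc/passwd",           # absolute name: untouched by the rewrite
]


def classify(dest: str, members: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each member to (rewritten name, strict target or None)."""
    return {m: (cab_rewrite(m), strict_target(dest, m)) for m in members}


if __name__ == "__main__":
    for m, (rewritten, target) in classify(DEST, SAMPLE_MEMBERS).items():
        print(f"{m!r:26} rewrite -> {rewritten!r:24} strict -> {target}")
```

The table the script prints makes the difference visible: every "../" chain is defused by both approaches, but "/etc/passwd" survives the rewrite unchanged and is only refused by the containment check. The second approach is what tar's "Removing leading `../'" and unzip's "skipped "../" path component(s)" messages amount to, with the absolute-path case handled as well.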
Comment 9 Marcus Meissner 2004-10-26 19:36:27 UTC
for most of those this problem has been fixed already (but was present in the 
past) (namely "zip", "lha" and most likely "tar" too). 
  
we currently still have it open for "zoo" and "unarj". 
Comment 10 Stefan Dirsch 2004-10-26 20:54:24 UTC
Ok. The question is, will we need a security update for older distributions or 
was it sufficient to fix it for STABLE. 
Comment 11 Marcus Meissner 2004-10-26 21:11:10 UTC
I think cabextract and this issue are not of that large importance. 
 
A fix for STABLE is enough in this case. 
Comment 12 Stefan Dirsch 2004-10-26 21:15:37 UTC
> ... a fix for STABLE is enough in this case.  
which I already submitted and was checked in this morning. FIXED. :-) 
Comment 13 Thomas Biege 2009-10-13 19:54:27 UTC
CVE-2004-0916: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)