Bug 62234 (CVE-2005-2349) - VUL-0: CVE-2005-2349: directory traversal bug in zoo
Status: RESOLVED FIXED
Alias: CVE-2005-2349
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2004-10-14 20:09 UTC by Ludwig Nussel
Modified: 2019-10-31 14:34 UTC
Found By: Other


Attachments
archive that creates /etc/foo when extracted with zoo x (295 bytes, application/octet-stream)
2004-10-14 20:10 UTC, Ludwig Nussel

Description Ludwig Nussel 2004-10-14 20:09:40 UTC
"doubles" again posted something about a directory traversal bug,
this time in "unzoo". I checked our zoo program which is not unzoo
but it is vulnerable as well. The issue is therefore semi-public.

Just like with unarj it looks like one can only create new files but
not overwrite existing ones.
Comment 1 Ludwig Nussel 2004-10-14 20:10:36 UTC
Created attachment 24998
archive that creates /etc/foo when extracted with zoo x
Comment 2 Marian Jancar 2004-10-21 18:30:26 UTC
the intention is to create directories only under the current working directory,
right?
Comment 3 Ludwig Nussel 2004-10-21 19:02:04 UTC
Yes. I think it is sufficient to fix it in STABLE. amavisd seems to extract 
each file to stdout individually and is therefore not affected. 
Comment 4 Marian Jancar 2004-12-02 19:56:37 UTC
will fix for 9.3
Comment 5 Ludwig Nussel 2005-08-11 09:04:45 UTC
did you fix it? 
Comment 6 Anna Maresova 2005-08-11 18:47:07 UTC
fixes submitted
Comment 7 Ludwig Nussel 2005-08-12 11:40:42 UTC
Where does the patch come from, did you write it yourself? If so did you 
coordinate with upstream? 
 
Is the string you sanitize a directory or a file name? If it's a dir name it 
would probably still allow one level dir traversals if the path ends in ".." 
instead of "../". 
Comment 8 Anna Maresova 2005-08-12 13:00:13 UTC
The patch is taken from Debian. It sanitizes a dirname. Could you please create
an exploit with the few "../" and ".." on the end? The archive with the /etc/foo
can be modified to contain the ".." on the end simply by swapping the "etc" and
"..", but while not perfectly handled this is not an exploit, it can't leave
the current directory. Stripping the "etc" completely probably requires changing
the CRC and I don't know how to do that.
Comment 9 Ludwig Nussel 2005-08-15 12:10:14 UTC
I have no idea how to create crafted zoo archives. Too uncritical to waste 
much time. We'll just accept the patch then. 
Comment 10 Marian Jancar 2005-08-15 14:11:06 UTC
ok, fix submitted with the check for ".."
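
The trailing ".." case raised in comment 7 and the ".." check mentioned in comment 10, as an added example that is not part of this bug thread and is not the Debian or SUSE patch. The function names and the sample directory names are hypothetical; the component check is deliberately conservative and rejects every ".." component, even one that would stay inside the extraction directory.

```c
#include <stdio.h>
#include <string.h>

/* Weak check (hypothetical): looks only for the substring "../".
 * A name that ends in ".." is not flagged, and "x../y" is flagged
 * although it contains no ".." component. */
static int has_dotdot_slash(const char *dir)
{
    return strstr(dir, "../") != NULL;
}

/* Component-wise check: returns 1 if the stored directory name is
 * acceptable for extraction below the current directory, 0 otherwise.
 * Rejects absolute paths and any component that is exactly "..",
 * whether it appears at the start, in the middle or at the end. */
static int dirname_is_safe(const char *dir)
{
    const char *p = dir;

    if (*p == '/')
        return 0;                      /* absolute path */

    while (*p) {
        size_t len = strcspn(p, "/");  /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                  /* ".." component */
        p += len;
        while (*p == '/')              /* skip one or more separators */
            p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names, not taken from the attached archive. */
    const char *samples[] = { "docs/img", "../../etc", "sub/..", "..",
                              "/etc", "x../y" };

    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s substring check: %-6s component check: %s\n",
               samples[i],
               has_dotdot_slash(samples[i]) ? "reject" : "accept",
               dirname_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```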
Comment 11 Michael Schröder 2005-08-22 10:14:06 UTC
Secteam, how about writing some patchinfos? 
Comment 12 Ludwig Nussel 2005-08-22 10:58:27 UTC
this was supposed to go into STABLE only. 
Comment 13 Marian Jancar 2005-08-22 12:32:06 UTC
sorry for the confusion, fixed
Comment 14 Ruediger Oertel 2005-09-16 11:53:00 UTC
removed submissions for !STABLE