NetBSD Problem Report #55684
From stegozor@sdf.org Sun Sep 27 17:55:44 2020
Return-Path: <stegozor@sdf.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 901B21A9217
for <gnats-bugs@gnats.NetBSD.org>; Sun, 27 Sep 2020 17:55:44 +0000 (UTC)
Message-Id: <202009271755.08RHtvaD027370@sdf.org>
Date: Sun, 27 Sep 2020 17:55:57 GMT
From: stegozor@gmail.com
Reply-To: stegozor@gmail.com
To: gnats-bugs@NetBSD.org
Subject: Absolute & relative directory traversal with archivers/zoo
X-Send-Pr-Version: 3.95
>Number: 55684
>Category: pkg
>Synopsis: Absolute & relative directory traversal with archivers/zoo
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Sep 27 18:00:01 +0000 2020
>Last-Modified: Tue Oct 06 20:05:00 +0000 2020
>Originator: Berki Yenigün
>Release: NetBSD 8.1_STABLE
>Organization:
stegozoratsdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
>Environment:
System: NetBSD sdf 8.1_STABLE NetBSD 8.1_STABLE (GENERIC) #0: Wed Sep 11 03:47:45 UTC 2019 root@ol:/sdf/sys/NetBSD-8/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
While spending time on my SDF account, I noticed that
apparently some zoo archives were susceptible to both absolute and
relative directory traversals, which looks like a security issue. This
occurs when extracting these archives with both zoo and unzoo. Looking a
bit further, I found a Debian bug report which provides useful
information; please see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774453
Hope the solution won't be the same, i.e. the removal of zoo and unzoo
from pkgsrc.
>How-To-Repeat:
Download the following two zoo archives from the Debian
bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=774453;filename=traversal.zoo;msg=3
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=774453;filename=traversal-relative.zoo;msg=6
Then do
zoo -extract traversal.zoo && ls /tmp/moo
unzoo -x traversal.zoo && ls /tmp/moo
zoo -extract traversal-relative.zoo && ls ../moo
unzoo -x traversal-relative.zoo && ls ../moo
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: security-officer->pkg-manager
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sun, 27 Sep 2020 18:05:09 +0000
Responsible-Changed-Why:
Over to pkgsrc
From: Benny Siegert <bsiegert@gmail.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, security-officer@netbsd.org,
pkgsrc-bugs@netbsd.org, gnats-admin@netbsd.org, martin@netbsd.org,
stegozor@gmail.com
Subject: Re: pkg/55684 (Absolute & relative directory traversal with
archivers/zoo)
Date: Sun, 4 Oct 2020 09:34:44 +0000 (UTC)
FWIW, Debian has removed zoo from the archive. Its upstream is dead, and
there are no patches for the traversal vulnerabilities.
From: Martin Husemann <martin@duskware.de>
To: Benny Siegert <bsiegert@gmail.com>
Cc: gnats-bugs@netbsd.org, stegozor@gmail.com
Subject: Re: pkg/55684 (Absolute & relative directory traversal with
archivers/zoo)
Date: Sun, 4 Oct 2020 12:35:45 +0200
I don't know how to *properly* deal with such broken archives, but the
patch attached below makes extraction fail for me and should fix the
traversal attack.
The problem with the original Debian patch was that it did not convert
all possible path fields in the directory structure (and the selection
which of the fields to use was done after fixup by the patch).
Instead this patch modifies the function intended for such local OS
verifications.
More eyes + more tests would be good.
Martin
Content-Disposition: attachment; filename="patch-bsd.c"
$NetBSD$
Try to fix CVE id CAN-2005-2349
--- bsd.c.orig 2020-10-04 11:43:19.820472893 +0200
+++ bsd.c 2020-10-04 12:27:08.462546277 +0200
@@ -39,6 +39,42 @@ legal for the host system. It is used d
char *fixfname(fname)
char *fname;
{
+ /*
+ * This is a (very loose) adaption of debian's 02-traversal-directory.patch,
+ * but applied at the proper place.
+ * THIS CODE WAS WRITTEN TO SOLVE PROBLEM WITH DIRECTORY TRAVERSAL SECURITY
+ * BUG (CVE id CAN-2005-2349).
+ */
+
+ char *p;
+ size_t l;
+
+ /* remove all "../" inside filename */
+ while ((p = strstr( fname, "../" )) != NULL) {
+ l = strlen(p+3);
+ if (l == 0)
+ *p = 0;
+ else
+ memmove(p, p+3, l);
+ }
+
+ /* remove all leading '/' */
+ for (p = fname; *p == '/'; p++)
+ ;
+ l = strlen(p);
+ if (l == 0)
+ fname[0] = 0;
+ else if (p == fname+1) {
+ /* convert "/name" to "name" */
+ memmove(fname, p, l);
+ fname[l] = 0;
+ } else if (p > fname+1) {
+ /* convert "//name" to "./name" */
+ fname[0] = '.';
+ memmove(fname+1, p, l);
+ fname[l+1] = 0;
+ }
+
return fname; /* default is no-op */
}
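Review bot: the "../" removal loop in fixfname() can spin forever and leaves the string unterminated: `memmove(p, p+3, l)` copies the tail but not its NUL, so for a member name such as `../..` (l == 2) the two bytes written are the two bytes already there, strstr() finds `../` at the same offset again and the loop never exits; for `../ab` the result is `ab/ab` instead of `ab`. Copy `l + 1` bytes (`memmove(p, p+3, l + 1);`), which also makes the `l == 0` special case unnecessary. Separately, matching the bare substring `../` mangles legitimate names like `foo../bar`; match `..` only as a whole component (`../` at the start of the name, `/../` after a separator, and a trailing `/..`, which this loop does not touch at all). The existing comment `return fname; /* default is no-op */` is now stale and should say that the name is rewritten.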
From: Joerg Sonnenberger <joerg@bec.de>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,
stegozor@gmail.com
Subject: Re: pkg/55684 (Absolute & relative directory traversal with
archivers/zoo)
Date: Sun, 4 Oct 2020 20:28:08 +0200
On Sun, Oct 04, 2020 at 10:40:01AM +0000, Martin Husemann wrote:
> + /* remove all "../" inside filename */
> + while ((p = strstr( fname, "../" )) != NULL) {
> + l = strlen(p+3);
> + if (l == 0)
> + *p = 0;
> + else
> + memmove(p, p+3, l);
> + }
This doesn't seem to be correct. It should remove "../" from the start
of the path and "/../" anywhere else. foo../ is a valid path name.
Joerg
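The component-wise rule Joerg describes (drop `..` only where it is a whole path component, so `foo../bar` survives and `../moo`, `/tmp/moo`, `a/../b` and `../..` do not), written out as an added example. This is not zoo's `fixfname()` nor any code from this PR; the function names `sanitize_member_name` and `member_is_safe` and the sample member names are my own. It returns whether the name was altered, so an extractor can refuse such an entry rather than silently renaming it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from zoo or from this PR: neutralise an archive
 * member name in place so that extraction cannot leave the working
 * directory.  The name is walked one '/'-separated component at a time;
 * a component is dropped only if it is empty (leading or doubled '/'),
 * "." or exactly "..".  Because the test is on the whole component,
 * "foo../bar" is left intact, while "../moo", "/tmp/moo", "a/b/..",
 * "../.." and "a/./b//c" are rewritten.  Returns true if the name was
 * changed, so a caller can refuse the entry instead of renaming it.
 */
bool sanitize_member_name(char *fname)
{
    char *out = fname;               /* write cursor; never runs ahead of 'in' */
    const char *in = fname;
    bool changed = false;

    while (*in != '\0') {
        const char *comp = in;
        size_t len = strcspn(in, "/");   /* length of this component */

        in += len;
        if (*in == '/')
            in++;                        /* step over the separator */

        if (len == 0
            || (len == 1 && comp[0] == '.')
            || (len == 2 && comp[0] == '.' && comp[1] == '.')) {
            changed = true;              /* "", "." or ".." dropped */
            continue;
        }
        if (out != fname)
            *out++ = '/';                /* separator between kept components */
        memmove(out, comp, len);         /* source and destination may overlap */
        out += len;
    }
    *out = '\0';                         /* always terminate what was kept */
    return changed;
}

/*
 * Policy helper (hypothetical name): an entry is safe to extract only if
 * sanitising left it unchanged and non-empty.  'sanitized' receives the
 * cleaned name; 'size' is its buffer size.
 */
bool member_is_safe(const char *name, char *sanitized, size_t size)
{
    size_t n = strlen(name);
    if (n >= size) {                     /* too long to copy safely */
        sanitized[0] = '\0';
        return false;
    }
    memcpy(sanitized, name, n + 1);
    bool changed = sanitize_member_name(sanitized);
    return !changed && sanitized[0] != '\0';
}

int main(void)
{
    /* Constructed member names: the two from the Debian test archives,
     * the "foo../" case raised above, and two corner cases. */
    const char *names[] = { "/tmp/moo", "../moo", "foo../bar", "../..", "a/./b//c" };
    char buf[256];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        bool safe = member_is_safe(names[i], buf, sizeof buf);
        printf("%-12s -> %-10s %s\n", names[i], buf, safe ? "extract" : "REJECT");
    }
    return 0;
}
```

Rewriting `/tmp/moo` to `tmp/moo` is the same outcome FreeBSD's unzoo reports for traversal.zoo elsewhere in this PR; the difference here is that the caller learns the name was altered and can skip the member. A design choice worth keeping in mind: rejecting altered names is stricter than rewriting them, and it also catches a member named just `..`, which a substring search for `../` never sees.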
From: stegozor <stegozor@gmail.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/55684 (Absolute & relative directory traversal with
archivers/zoo)
Date: Tue, 6 Oct 2020 23:02:58 +0300
On 4.10.2020 21:28, Joerg Sonnenberger wrote:
>
> This doesn't seem to be correct. It should remove "../" from the start
> of the path and "/../" anywhere else. foo../ is a valid path name.
>
> Joerg
I gave unzoo a whirl on my FreeBSD VM, and unlike NetBSD's unzoo, it
doesn't seem to be susceptible to directory traversal. With
traversal.zoo, it simply extracts in the working directory instead of
putting the moo file in /tmp/ like NetBSD's unzoo, and with
traversal-relative.zoo, it crashes with a segfault. (FreeBSD's zoo, on
the other hand, has the same traversal vulnerability.) By the way,
should I file another PR for unzoo, or can it be taken care of in this one?
I also tested with unar which is available in FreeBSD and it extracts
the files with no traversal. You can find a shell log below that shows
the results. Hope this can provide some useful additional information.
[stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
traversal-relative.zoo traversal.zoo
[stegozor@localhost ~/zoo_stuff/zoo_test]$ unzoo -x traversal.zoo
unzoo: skipped root directory path component in ''
tmp/moo -- extracted as binary
[stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
tmp traversal-relative.zoo traversal.zoo
[stegozor@localhost ~/zoo_stuff/zoo_test]$ unzoo -x traversal-relative.zoo
unzoo: skipped "../" path component in ''
Segmentation fault (core dumped)
[stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
tmp traversal.zoo
traversal-relative.zoo unzoo.core
[stegozor@localhost ~/zoo_stuff/zoo_test]$ unar traversal.zoo
traversal.zoo: 2020-10-04 20:01:04.783 unar[1175:100226] No local time zone specified.
2020-10-04 20:01:04.783 unar[1175:100226] Using time zone with absolute offset 0.
Zoo
/tmp/moo (4 B)... OK.
Successfully extracted to "./_tmp_moo".
[stegozor@localhost ~/zoo_stuff/zoo_test]$ unar traversal-relative.zoo
traversal-relative.zoo: 2020-10-04 20:01:31.145 unar[1176:100226] No local time zone specified.
2020-10-04 20:01:31.146 unar[1176:100226] Using time zone with absolute offset 0.
Zoo
../moo (4 B)... OK.
Successfully extracted to "./__Parent__".
[stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
__Parent__ tmp traversal.zoo
_tmp_moo traversal-relative.zoo unzoo.core
[stegozor@localhost ~/zoo_stuff/zoo_test]$ freebsd-version
12.2-BETA3
[stegozor@localhost ~/zoo_stuff/zoo_test]$ uname -a
FreeBSD localhost 12.2-BETA3 FreeBSD 12.2-BETA3 r366133 GENERIC amd64
>Unformatted:
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.