NetBSD Problem Report #55684

From stegozor@sdf.org  Sun Sep 27 17:55:44 2020
Return-Path: <stegozor@sdf.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 901B21A9217
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 27 Sep 2020 17:55:44 +0000 (UTC)
Message-Id: <202009271755.08RHtvaD027370@sdf.org>
Date: Sun, 27 Sep 2020 17:55:57 GMT
From: stegozor@gmail.com
Reply-To: stegozor@gmail.com
To: gnats-bugs@NetBSD.org
Subject: Absolute & relative directory traversal with archivers/zoo
X-Send-Pr-Version: 3.95

>Number:         55684
>Category:       pkg
>Synopsis:       Absolute & relative directory traversal with archivers/zoo
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 27 18:00:01 +0000 2020
>Last-Modified:  Tue Oct 06 20:05:00 +0000 2020
>Originator:     Berki Yenig├╝n
>Release:        NetBSD 8.1_STABLE
>Organization:
stegozoratsdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
>Environment:


System: NetBSD sdf 8.1_STABLE NetBSD 8.1_STABLE (GENERIC) #0: Wed Sep 11 03:47:45 UTC 2019 root@ol:/sdf/sys/NetBSD-8/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
While spending time on my SDF account, I noticed that 
apparently some zoo archives were susceptible to both absolute and
relative directory traversals, which looks like a security issue. This 
occurs when extracting these archives with both zoo and unzoo. Looking a 
bit further, I found a Debian bug report which provides useful
information, please see 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774453

Hope the solution won't be the same, i.e. the removal of zoo and unzoo 
from pkgsrc.
>How-To-Repeat:
Download the following two zoo archives from the Debian
bug report: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=774453;filename=traversal.zoo;msg=3
and 
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=774453;filename=traversal-relative.zoo;msg=6 

Then do 
zoo -extract traversal.zoo && ls /tmp/moo
unzoo -x traversal.zoo && ls /tmp/moo
zoo -extract traversal-relative.zoo && ls ../moo
unzoo -x traversal-relative.zoo && ls ../moo

>Fix:


>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: security-officer->pkg-manager
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sun, 27 Sep 2020 18:05:09 +0000
Responsible-Changed-Why:
Over to pkgsrc


From: Benny Siegert <bsiegert@gmail.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, security-officer@netbsd.org, 
    pkgsrc-bugs@netbsd.org, gnats-admin@netbsd.org, martin@netbsd.org, 
    stegozor@gmail.com
Subject: Re: pkg/55684 (Absolute & relative directory traversal with
 archivers/zoo)
Date: Sun, 4 Oct 2020 09:34:44 +0000 (UTC)

 FWIW, Debian has removed zoo from the archive. Its upstream is dead, and 
 there are no patches for the traversal vulnerabilities.

From: Martin Husemann <martin@duskware.de>
To: Benny Siegert <bsiegert@gmail.com>
Cc: gnats-bugs@netbsd.org, stegozor@gmail.com
Subject: Re: pkg/55684 (Absolute & relative directory traversal with
 archivers/zoo)
Date: Sun, 4 Oct 2020 12:35:45 +0200

 --9amGYk9869ThD9tj
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline

 I don't know how to *properly* deal with such broken archives, but the
 patch attached below makes extraction fail for me and should fix the
 traversal attack.

 The problem with the original Debian patch was that it did not convert
 all possible path fields in the directory structure (and the selection
 which of the fields to use was done after fixup by the patch).
 Instead this patch modifies the function intended for such local OS
 verifications.

 More eyes + more tests would be good.

 Martin

 --9amGYk9869ThD9tj
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="patch-bsd.c"

 $NetBSD$

 Try to fix CVE id CAN-2005-2349

 --- bsd.c.orig	2020-10-04 11:43:19.820472893 +0200
 +++ bsd.c	2020-10-04 12:27:08.462546277 +0200
 @@ -39,6 +39,42 @@ legal for the host system.  It is used d
  char *fixfname(fname)
  char *fname;
  {
 +  /*
 +   * This is a (very loose) adaption of debian's 02-traversal-directory.patch,
 +   * but applied at the proper place.
 +   * THIS CODE WAS WRITTEN TO SOLVE PROBLEM WITH DIRECTORY TRAVERSAL SECURITY
 +   * BUG (CVE id CAN-2005-2349).
 +   */
 +
 +   char *p;
 +   size_t l;
 +
 +   /* remove all "../" inside filename */
 +   while ((p = strstr( fname, "../" )) != NULL) {
 +      l = strlen(p+3);
 +      if (l == 0)
 +        *p = 0;
 +      else
 +         memmove(p, p+3, l);
 +   }
 +
 +   /* remove all leading '/' */
 +   for (p = fname; *p == '/'; p++)
 +      ;
 +   l = strlen(p);
 +   if (l == 0)
 +      fname[0] = 0;
 +   else if (p == fname+1) {
 +      /* convert "/name" to "name" */
 +      memmove(fname, p, l);
 +      fname[l] = 0;
 +   } else if (p > fname+1) {
 +      /* convert "//name" to "./name" */
 +      fname[0] = '.';
 +      memmove(fname+1, p, l);
 +      fname[l+1] = 0;
 +   }
 +
     return fname; /* default is no-op */
  }


 --9amGYk9869ThD9tj--

From: Joerg Sonnenberger <joerg@bec.de>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,
	stegozor@gmail.com
Subject: Re: pkg/55684 (Absolute & relative directory traversal with
 archivers/zoo)
Date: Sun, 4 Oct 2020 20:28:08 +0200

 On Sun, Oct 04, 2020 at 10:40:01AM +0000, Martin Husemann wrote:
 >  +   /* remove all "../" inside filename */
 >  +   while ((p = strstr( fname, "../" )) != NULL) {
 >  +      l = strlen(p+3);
 >  +      if (l == 0)
 >  +        *p = 0;
 >  +      else
 >  +         memmove(p, p+3, l);
 >  +   }

 This doesn't seem to be correct. It should remove "../" from the start
 of the path and "/../" anywhere else. foo../ is a valid path name.

 Joerg

From: stegozor <stegozor@gmail.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/55684 (Absolute & relative directory traversal with
 archivers/zoo)
Date: Tue, 6 Oct 2020 23:02:58 +0300

 On 4.10.2020 21:28, Joerg Sonnenberger wrote:
 > 
 > This doesn't seem to be correct. It should remove "../" from the start
 > of the path and "/../" anywhere else. foo../ is a valid path name.
 > 
 > Joerg

 I gave unzoo a whirl on my FreeBSD VM, and unlike NetBSD's unzoo, it
 doesn't seem to be susceptible to directory traversal. With
 traversal.zoo, it simply extracts it in the working directory instead of
 putting the moo file in /tmp/ like NetBSD's unzoo and with
 traversal-relative.zoo, it crashes with a segfault. (FreeBSD's zoo, on
 the other hand, has the same traversal vulnerability). By the way,
 should I file another PR for unzoo or can it be taken care of in this one?

 I also tested with unar which is available in FreeBSD and it extracts
 the files with no traversal. You can find a shell log below that shows
 the results. Hope this can provide some useful additional information.

 [stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
 traversal-relative.zoo	traversal.zoo
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ unzoo -x traversal.zoo
 unzoo: skipped root directory path component in ''
 tmp/moo 	-- extracted as binary
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
 tmp			traversal-relative.zoo	traversal.zoo
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ unzoo -x traversal-relative.zoo
 unzoo: skipped "../" path component in ''
 Segmentation fault (core dumped)
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
 tmp			traversal.zoo
 traversal-relative.zoo	unzoo.core
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ unar traversal.zoo
 traversal.zoo: 2020-10-04 20:01:04.783 unar[1175:100226] No local time
 zone specified.
 2020-10-04 20:01:04.783 unar[1175:100226] Using time zone with absolute
 offset 0.
 Zoo
   /tmp/moo  (4 B)... OK.
 Successfully extracted to "./_tmp_moo".
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ unar traversal-relative.zoo
 traversal-relative.zoo: 2020-10-04 20:01:31.145 unar[1176:100226] No
 local time zone specified.
 2020-10-04 20:01:31.146 unar[1176:100226] Using time zone with absolute
 offset 0.
 Zoo
   ../moo  (4 B)... OK.
 Successfully extracted to "./__Parent__".
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ ls
 __Parent__		tmp			traversal.zoo
 _tmp_moo		traversal-relative.zoo	unzoo.core
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ freebsd-version
 12.2-BETA3
 [stegozor@localhost ~/zoo_stuff/zoo_test]$ uname -a
 FreeBSD localhost 12.2-BETA3 FreeBSD 12.2-BETA3 r366133 GENERIC  amd64

>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.46 2020/01/03 16:35:01 leot Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2020 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.